Back to Community Threads
Intermittent DKIM failures - mostly with Yahoo and Outlook.com hosted domains
Problem reported by David O'Leary - 8/11/2024 at 7:26 PM
Submitted
I've got SPF, DKIM, and DMARC setup for all the domains I host. For DMARC, I'm using URIPorts.com for monitoring. One customer is complaining of frequent issues with emails to users going into SPAM or quarantine. When I look at the URIPorts report for that domain, for emails coming from my SmarterMail server in the last 2 weeks, I see 624 fully successful deliveries and 70 where DKIM failed. The majority of the failed reports are from domains with email provided by Outlook.com, Enterprise Outlook, and Yahoo.com. There are lots of successful reports for all those providers.

So, I don't get why we would be getting a ~9% failure rate for DKIM to these major providers. We are using GoDaddy for DNS hosting. SmarterMail support says they can't help unless I can send them something that fails. I've tried about 8 times but they all succeed. 

The failure reports include things like:
-Signature 1 for domain [clientdomain].com failed. The message was signed but failed the verification test. The headers and/or message body have been modified during the transmission.

-Signature 1 for domain [clientdomain].com failed due to a temporary error. The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.

-Signature 1 for domain [clientdomain].com failed due to a permanent error. The message could not be verified due to some error that is unrecoverable, such as a required header field being absent.

I've been dealing with this for this domain for months. Rolling over the domain key helped but didn't solve it. 

I've checked the DKIM with a variety of sites and all report no issues.

Any suggestions for things to check or to try?
Owner of Efficion Consulting
David O'Leary Replied
8/11/2024 at 7:54 PM
My latest thought on this is, could it be that an email client or phone app is causing the issue and that is why we are seeing it only intermittently? I've had no luck replicating the problem through the webmail interface or with Thunderbird. But perhaps some of the users are using an app or security software that is modifying headers? Is that a possibility?
Owner of Efficion Consulting
Tony Scholz Replied
8/13/2024 at 11:01 AM
Employee Post
Hello, 

For an issue like this where it is such a small percent it is possible that a few messages are taking a different route and some how being modified ( gateway, spam filter, etc... ) along the way. It you are able to get a copy of the message from any clients that are showing this issue we could parse the header vs a good message and see. 
Tony Scholz
Lead Network/System Administrator
SmarterTools Inc.
D
Douglas Foster Replied
8/13/2024 at 8:32 PM
For Outlook.com client organizations, I have seen false positives in my DMARC reports   See my notes here
But your symptoms seem to be different.

It always helps if the affected user can send the final EML back as an attachment, and also open a ticket with their hosting service or email support organization.
David O'Leary Replied
8/16/2024 at 1:14 PM
Douglas, 
#4 on your list caught my eye: "Outlook.com DMARC reports are inaccurate, because they send reports based on the message state AFTER going through the client’s spam filter (which breaks SPF).  If the spam filter also adds annotations, the process also breaks DKIM.   If the DMARC policy is “reject”, their report says that the message was rejected.  In my experience, they do not act on the reject result that they report, since the client is configured with a non-Microsoft spam filter.   But getting a “reject” result from an important business partner set off alarms when I saw it."

I had to SPAM filters set to check Outbound SMTP, R-Spam and Spam-Assassin. I just now turned that off. Could those have been the issue... attaching headers after the DKIM encryption was calculated?

David
Owner of Efficion Consulting
D
Douglas Foster Replied
8/16/2024 at 2:23 PM
It all depends what they do.  If they add content to body or subject, they will break DKIN signatures applied earlier.

It is also possible that they re-wrap lines in a way that looks like body modifications.

They can add headers as long as they do not affect header evaluation.   The signature header list is processed from bottom to top of message, for as many times as a header name is repeated.  So if X-INFO is not in the list, you can safely add it anywhere.   If it is in the list once and exists already, you can add another at the top but not at the bottom.   If it is in the list twice but exists only once in the message, you cannot add the header at all because it detects a change from null content to not null for the second occurrence.

Most spaml filters only add custom headers starting with X-, and these are unlikely to be in your header list, so header additions should not be a problem.

Do you allow automatic forwarding outside your organization?   If a message is tagged with an External Sender warning when inbound, it will have broken DKIM signatures when forwarded outbound.

If you can get the EML of the received message, you should be able to find a DKIM test site that tells you whether the failure occurred on body, which is evaluated first, or on the headers.

Of course, other errors are possible, such as a public key that is not published correctly in DNS.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Autodiscover and Registry Edits for Outlook and MAPISmarterMail > Desktop and Mobile Synchronization
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Key Feature and Version Milestones in SmarterMailSmarterMail
Remote Server returned: '602' errorSmarterMail > Troubleshooting
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting