DKIM is it telling the truth?
Problem reported by YS Tech - 6/16/2026 at 7:10 AM
Submitted
I am currently trying to setup a client with a bulk mailing service but their automated emails go into the spam folder, mainly because they fail DKIM.
If they communicate with me via email directly they are ok, just their automated emails seem to fail.

They are insistant that their DKIM is working correctly and are suggesting that there may be an issue with SM?

e.g.
Bad one:
X-SmarterMail-SpamAction: Low | MoveToFolder
X-SmarterMail-TotalSpamWeight: 28
X-SmarterMail-SpamDetail: 1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
X-SmarterMail-SpamDetail: 0.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE HTML included in message
X-SmarterMail-Spam: DMARC [skipped - DMARC Disabled]: 0, Reverse DNS Lookup [Passed]: 0, Null Sender: 0, ISpamAssassin [raw:1]: 2, SPF [Pass]: 0, DKIM [Fail]: 10, _ARC: none, SORBS - DUL: 0, HostKarma - Yellow: 0, SORBS: 0, SEM-BS: 0, SORBS - Recent: 0, BACKSCATTER: 0, Spamrats: 0, IADB: 0, MSRBL: 0, Spamhaus - ZEN: 0, Barracuda: 0, UCEProtect Level 1: 0, SORBS - NoMail: 0, SENDERSCORE: 0, SpamCop: 0, UBL: 0, UCEProtect Level 3: 0, SORBS - SMTP: 0, BONDEDSENDER: 0, GBUDB: 0, HostKarma - Blacklist: 0, UCEProtect Level 2: 0, Surriel: 0, MCAFEE: 0, SORBS - New: 0, IX: 0, SEM-BL: 0, CBL - Abuse Seat: 0, Declude: 16

They also asked why it was showing as Russian Federation in the chain because their tests don't show this?

X-Declude-Spoolname: 849786117.eml
X-Declude-RefID: 
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [16] at 09:18:18 on 16 Jun 2026
X-Declude-Tests: SPFPASS [-1], FROMNOMATCH [2], FILTER-NOSENDER [5], FILTER-COUNTRY [10], WEIGHT10 [10], WEIGHT14 [14]
X-Country-Chain: RUSSIAN FEDERATION->destination
X-Declude-Code: f



Good one:
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 8
X-SmarterMail-SpamDetail: 0.1 PLING_QUERY Subject has exclamation mark and question mark
X-SmarterMail-SpamDetail: 0.0 TVD_SPACE_RATIO
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE HTML included in message
X-SmarterMail-Spam: DMARC [skipped - DMARC Disabled]: 0, Reverse DNS Lookup [Passed]: 0, Null Sender: 0, ISpamAssassin [raw:0.1]: 0, SPF [Pass]: 0, DKIM [Pass]: 0, _ARC: none, SORBS - New: 0, CBL - Abuse Seat: 0, SENDERSCORE: 0, IADB: 0, UCEProtect Level 1: 0, MSRBL: 0, SORBS - Recent: 0, BONDEDSENDER: 0, SORBS: 0, SpamCop: 0, GBUDB: 0, IX: 0, Spamhaus - ZEN: 0, Surriel: 0, SORBS - SMTP: 0, UCEProtect Level 3: 0, MCAFEE: 0, SEM-BL: 0, SEM-BS: 0, UBL: 0, SORBS - DUL: 0, Barracuda: 0, UCEProtect Level 2: 0, SORBS - NoMail: 0, Spamrats: 0, HostKarma - Blacklist: 0, BACKSCATTER: 0, HostKarma - Yellow: 0, Declude: 8

Also i'm not sure the declude score is calculating correctly, I make 10+2-1 = 11 ?

X-Declude-Spoolname: 849786580.eml
X-Declude-RefID: 
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [8] at 11:31:36 on 16 Jun 2026
X-Declude-Tests: SPFPASS [-1], FROMNOMATCH [2], FILTER-BACKSCATTER [10]
X-Country-Chain: 
X-Declude-Code: f

Any insight please?

Douglas Foster Replied
Analyzing the Declude data first
Declude's GeoIP data is many years old, so of course it has mistakes.   You cannot give it much weight.  That addes 10 points.

FromNoMatch [2 points] is only useful to log the From address into the Declude log file.   It should have zero weight for both triggered and not triggered, as it has no relevance to spam risk.

I don't know what FROM-NOSENDER [5 points]. as this is not a built-in test.   Based on the name, it appears to indicate null sender, but the SmarterMail results indicate that the sender is not null.   Overall, Declude has contributed 16 points when it should probably contribute zero.

Moving onto the SmarterMail results
SpamAssassin added 2 points.   Why?

Do either Declude or SpamAssassin alter the message, such as adding a spam warning to the subject text?   That will break the DKIM signature before SmarterMail Spam Filtering sees the message to test for DKIM.

You should extract the final EML and test it against any of the DKIM testers that are available on the Internet.   That will confirm that SmarterMail judged correctly.  Then you need to chase down where the alteration is occurring.   If it Declude, this should be evident by inspection for a "SUBJECT" or "BODY": action.

If SpamAsseassin behavior cannot be determined by inspection, you can prove things this way:
Create a Declude test which filters on this sender.
Then use it to trigger a COPYFILE action to save a copy of the EML and HDR before SpamAssassin executes.   Then test that version of the EML for DKIM Pass or Fail.

A related issue is that a failed DKIM signature means very little about message risk.  It implies that the message was probably modified in transit.   Malicious in-transit alterations are possible, but rare.   More often, they are accidental or innocuous.   Malicious alteration is rare for the simple reason that attackers have plenty of ways to succeed without depending on a complicated flow path.

DKIM has usefulness as part of a strategy to require some form of authentication for all messages.  But that requires a customized local policy structure, a good quarantine review tool, and some elbow grease.   Without that, I don't see the value in the test.    And even then, all that matters are DKIM signatures which authenticate another identifier (From, Mail From, or Host name).

YS Tech Replied
Thanks for that detailed reply Douglas, very helpful.
I'll do some checking as I have a feeling the subject is altered by declude, so that would be the cause no doubt?
The GoeIP data, can this be updated in declude from anywhere?
Thanks again.

I get a valid SPF despite this in the header


Authentication-Results: spool.Smartermail.cloudpros.dk; iprev=pass (52.101.72.143); dkim=pass (rsa-SHA256) header.s=selector2-gasinstallationer-onmicrosoft-com header.d=gasinstallationer.onmicrosoft.com header.b=IpPfCwAT; arc=pass; spf=softfail reason="[no matches for 52.101.72.143]; all result of SoftFail observed"; spf=softfail reason="[no matches for 52.101.72.143]; all result of SoftFail observed"
X-SmarterMail-SpamAction: High | MoveToFolder
YS Tech Replied
Thanks Douglas, that's pointed me down a rabbit hole of learning about the declude settings and how they interact with SM. I think i've setup correctly now, so that I don't affect DKIM. Along with setting up a few other things and SM routing rules. Spam is now down consideraby and i'll monitor any false positives from declude.
Douglas Foster Replied
@Brian, the SPF check in "Antispam... SpamChecks... SPF" has separate weights for Pass, Fail, SoftFail, Neutral, PermError, and None.   If the SoftFail weight was not applied after it was detected, I am surprised.   Best to open a ticket with support.
Sébastien Riccio Replied
Btw we're not out of trouble with dkim/dmarc things:

https://powerdmarc.com/introducing-dkim2/
https://powerdmarc.com/dmarcbis-explained/

It's not yet adopted but will probably be.
Sébastien Riccio
System & Network Admin

YS Tech Replied
Thanks Douglas Foster.
The difference implementing your suggestions has been significant with regards to the spam processing:


I do have to check the quarantine area now but 99.9% of these are all spam, just the odd 1 or 2 that i add to the OK rule.
Douglas Foster Replied
You asked about the obsolete GeoIP data in Declude.   No, it cannot be updated.  I think I found the file one time, but nobody knows the format, so it cannot be recreated.

However, if you look at the MaxMind website, they have a free download of country-to-IP data, and sample code in several programming languages, so you can create your own tool.   The Declude implementation walks the entire Received chain, which is complicated.  For simplicity, assume that you will only examine the Source IP address, which is pretty easy.

Notes:  
  • I have not succeeded in calling Python directly from Declude.   The workaround has been to call a VBScript which calls Python using a specific window-type parameter.

  • If the process crashes for any reason, Declude will receive an exit status of 1, so ensure that your Python script only uses other bits.
       
  • Your VBScript cannot output anything to the console.   Wscript.Echo is useful for debugging outside of Declude, but if you use it in production, Declude will get exit status 1.
Example entries In the Declude Global.Cfg file:
    INFO bitmask  0 "cscript path\file.vbs %REMOTEIP% 0 0
    INFO-ERROR   bitmask  1 "INFO" 0 0
    INFO-GOODRESULT   bitmask  2 "INFO" 0 0
    INFO-BADRESULT bitmask  4 "INFO" 0 0

Example code In the VBScript file:    
   Set WshShell = CreateObject("WScript.Shell")
    set ObjArgs = Wscript.Arguments
    ArgCount = ObjArgs.Count
    if ArgCount <> 2 then
    '   wscript.Echo( ObjArgs )
    '   wscript.echo("Arg count=" & ArgCount)
       WScript.Quit(1)
    end if

    sourceIP   = "" + ObjArgs(0)
    filename = "" + ObjArgs(1)

    parsecommand = "python.exe scriptfile.py " & sourceip & " " & filename
    parsestatus = WshShell.Run(parsecommand,7,-1)
    WScript.Quit(parsestatus)


YS Tech Replied
The latest one I could find was 1.21.2019 from Mails Best friend. As you say, nothing else about.

I've written some code / an extra page that currently doesn't hold the emails it's just for reference and proof of concept of approving and blocking of emails based on strcuture score, hops and heuristics.
This is coming along nicely and as well as linking into the smartermail spam weights is getting better.
It might not work at all in the end but it's something that i've started ;o)


Eventually i'd like a quarantine approval area where the user can approve or block before they actually drop into their inbox. Effectively a quarantine area where they can control where things go. But still a way to go.
Douglas Foster Replied
I have a Barracuda Email Security Gateway appliance behind my Declude inbound gateway.   It has a good-enough interface for message review.   Compared to alternatives, pricing seems reasonable.

Barracuda wants to move clients to their more expensive cloud solution, so I worry about the appliance going end of life.   But they just accepted a 3-year contract renewal, so apparently it will not happen right away.

Their appliance provides:
  • a 90-day log of every message processed
  • some spam filtering beyond what I find with Declude
  • encryption via secure web relay for outbound messages with sensitive data.
Declude writes the TESTSFAILED list to a message header, then the Barracuda has content filter rules to act on the Declude results.

I am looking for a better (and affordable) option for quarantine review, but I don't have any nominations yet.

Reply to Thread

Enter the verification text