Some Emails are being marked as "DKIM-VERIFY: 'fail' and detail info: 'fail (message has been altered)'" eventhough they passed the DMARC test

Question

Hi!

I've been having the problem for some time that some mails are being quarantined because the DKIM-test seems to be failing. The error message is DKIM-VERIFY: 'fail' and detail info: 'fail (message has been altered)'. As far as I can tell there is no reason for this, because other mails from the same sender do not have this error. Even worse I have seen several cases where the sender and the recipient were the same and in one case the mail would be quarantined and in the other it wouldn't be. I am quickly running out of solutions, so I hope someone here might be able to help me.

Here is what I see in the Mail Logs:

2019-01-07 08:28:43 mail postfix/smtpd[69773]: 62C4F88323_C32FFABF: client=mail1.enc99-int.com[62.159.241.100]
2019-01-07 08:28:43 mail postfix/cleanup[64380]: 62C4F88323_C32FFABF: message-id=<OF759D116A.18079C25-ONC125837B.002911AA-1546846115147@int.lidl.net>
2019-01-07 08:28:43 mail postfix/qmgr[65600]: 62C4F88323_C32FFABF: from=<Sender>, size=5137, nrcpt=1 (queue active)
2019-01-07 08:28:43 mail postfix/smtp[69813]: 62C4F88323_C32FFABF: to=<Recipient>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.32, delays=0.15/0/0/0.17, dsn=2.0.0, status=sent (250 OK, sent 5C32FFAB_83308_8731_1 NOFORWARD)
2019-01-07 08:28:43 mail postfix/qmgr[65600]: 62C4F88323_C32FFABF: removed
2019-01-07 08:28:43 mail postfix/smtpd[69773]: setting up TLS connection from <Server>[IP Address]
2019-01-07 08:28:43 mail postfix/smtpd[69773]: <Server[IP Address]: Trusted: subject_CN=<Server>, issuer=TeleSec ServerPass CA 2, fingerprint=7D:D5:89:A7:EE:D0:48:A2:99:C6:AA:56:46:32:12:E7
2019-01-07 08:28:43 mail postfix/smtpd[69773]: Trusted TLS connection established from <Server>[IP Address]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: Sandstorm header not found.
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: X-Sophos headers have been stripped.
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: HISTORIAN: Query results: 'ip=IP Address,fs=18160126,da=116500420,mc=25030,sc=0,hc=25030,sp=0,fso=89817530,re=96,sd=0,hd=25'
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: DKIM-VERIFY: 'fail' and detail info: 'fail (message has been altered)'
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: DMARC result is pass
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: discarded
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: msg times: r=0.17s u=0.02s s=0
2019-01-07 08:28:43 mail milter[83308]: 5C32FFAB_83308_8731_1: conn times: r=0.17s u=0.02s s=0

Best Regards,

Gerrit Deike

This thread was automatically locked due to age.

Red_Warrior · Answer

Hi Gerrit, 
 making a couple of assumptions.. that been if one mail works and one does not.. that would generally indicate that the sender has a proper record and that the appliance is able to hash the record properly. (otherwise I would assume everything wold fail, or that your dmarc policy may be to tight, etc) 
 what you are describing seems to be a classic example of the senders policy's.. the most common thing I have seen is a sender will have rules on what ever device they are sending from.. and depending on how said rules are hitting on the emails .. they may be altering the message after its need hashed for dkim. for example, they may have a rule that appends a banner, or strips an attachment like a facebook icon or similar. 
 
 In this case your best bet from our perspective is to submit the samples to not-spam and open a case with support so they can fish your samples out and compaire them, or even provide them to you. 
 
 to do this.. send your samples to X email box.. when they are all in your "inbox" .. create a new message and drag / drop all of the samples as .eml attachments .. then send them to not-spam@labs.sophos.com 
 you could open a case with support and let them know you have sent samples in to not-spam .. from there they can have a look at them, escalate if necessary, or cut/paste the preserved headers with rules and results. 
 
 regardless if this is a sender or recipient issue, having those samples also shows all of the rule hits and processing messages.. so if there is an issue with the appliance or rule processing the samples can be analyzed by the labs team via escalation. 
 
 this would be the best way to get the proper answer / explication to your issue.