The current behavior is to ignore DKIM signatures unless the domain specified in the d= field of the signature matches the From header domain. If no DKIM signature meets this criterion, we treat the message as having no DKIM signature.
There is no industry standard for “DKIM pass or fail” itself. We have aligned DKIM to the DMARC framework, which is the common approach taken by mail providers and which states that the signer must match the sender domain to compare the key. There are benefits to this approach, most notably the reduction of false positives (FPs). The drawback is that emails with multiple signatures, signed by the same or different domains, can all separately pass or fail. We’ve considered alternative methods, but ultimately we’ve chosen to look at the one signing domain for the reasons stated above. Supporting point:
Many valid messages have DKIM signatures from a domain other than the sending domain, so we cannot convict on that data point alone, e.g. time-of-click URL protection or the addition of a tag to the subject line. Or, as in this case, O365 automatically adds an underlying domain (onmicrosoft.com) with a signed DKIM key that is different from the sending domain. We're not likely to adjust the current DKIM behavior at this time, as any adjustment has other downstream implications. A better explanation of the current behavior is preferred.
Applies to the following Sophos product(s) and version(s): Sophos Central Email
If the domain specified in the DKIM-Signature header is different from the sender domain, we consider the message as not having a DKIM signature and the result is dkim=none.
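The selection rule described above can be reproduced on a raw message to see which signatures would be evaluated and which ignored. This is an added example, not Sophos code: the sample message is constructed, the function names are hypothetical, and it assumes "match" means exact, case-insensitive equality between d= and the From header domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail): one signature from a tenant
# domain added by the mail service, one from the author's own domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.onmicrosoft.com; s=selector1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=Example.com; s=mail;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
Subject: constructed sample

body
"""

def dkim_tags(value):
    """Parse a DKIM-Signature tag list ("k=v; k=v") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def from_domain(msg):
    """Lower-cased domain of the address in the From header."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def signatures_considered(raw):
    """Return (From domain, d= values evaluated, d= values ignored)."""
    msg = message_from_string(raw)
    sender = from_domain(msg)
    kept, ignored = [], []
    for header in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(header).get("d", "").lower().rstrip(".")
        # Assumption: "match" means exact, case-insensitive equality.
        (kept if d and d == sender else ignored).append(d)
    return sender, kept, ignored

def result_without_candidates(raw):
    """Return 'dkim=none' if no signature matches the From domain, else
    None (matching signatures still need cryptographic verification)."""
    _, kept, _ = signatures_considered(raw)
    return None if kept else "dkim=none"
```

Running `signatures_considered` over a message that shows dkim=none in its results lists the d= values that were ignored, which is usually the quickest way to spot a tenant or relay domain signing in place of the sender domain.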