DKIM deployment with SEA and Office 365

Dear all,
 
I faced a serious problem with a client who is sending email to Microsoft domains (live.com, outlook.com, hotmail.com, ...)
SEA mail logs show an SMTP 250 exit code, but the email has never been delivered to the mailbox.
The client's IT engineer reported to me that Microsoft's mail policies state that mail must be authenticated using SPF and DKIM.
(https://postmaster.live.com/pm/policies.aspx - Point 4 - Italian language)
So he asked me to implement the DKIM protocol.
 
It is the first time I have deployed DKIM with multiple MTAs. In this specific case, messages are sent by Office 365 and by an internal Sophos Email Appliance (SEA).
SEA has eight trusted domains, some of them shared with Office 365, and uses MX record resolution to deliver outgoing messages.
 
Based on my knowledge of DKIM I would like to describe how I'm going to implement DKIM in this scenario.
 
Outgoing messages from Office 365
Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365
1. Publish two CNAME records in the DNS zone of the SMTP domain
2. Enable DKIM for each domain in the Office 365 portal
Ref. social.technet.microsoft.com/.../36796.enabling-dkim-in-office-365-for-custom-domains.aspx
At the end of this procedure we have two CNAMEs

selector1._domainkey.domain.it    IN CNAME selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com
selector2._domainkey.domain.it    IN CNAME selector2-dominio-it._domainkey.dominio.it.onmicrosoft.com
 
Outgoing messages from SEA
Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365
1. Generate the DKIM key using OpenSSL (better than using internet tools)
2. Create a key selector (with a different name, ex: sea-selector) in the System: Certificate section of SEA
3. Add a DKIM signature outbound threat protection policy
4. Add a TXT record to public DNS like:
sea-selector._domainkey.domain.it
After having activated the threat protection policy, EVERY outgoing message contains the DKIM-Signature header.
So I have to consider the other trusted domains (not shared with O365) and configure a CNAME for these domains (ex.: domain2.it)
 
mxa-selector._domainkey.domain2.it  IN CNAME   mxa-selector._domainkey.domain.it
 
Any comments to this post will be highly appreciated.
If you find the post interesting, feel free to use it.
Kind regards,
 
Enrico Giacomin
  • Hi Enrico,

    Couple of things.

    EnricoGiac
    I faced a serious problem with a client who is sending email to Microsoft domains (live.com, outlook.com, hotmail.com, ...)
    SEA mail logs show an SMTP 250 exit code, but the email has never been delivered to the mailbox.

    Logs would be required for this; however, if you go into the search tool and change the indicator to "mail logs" and your mail logs look like this...
    2018-04-03 08:56:18
    test@testlocal
    test@dovecot.local
    external IP
    downstream IP:25
    subject
    2018-04-03 08:56:17
    test@test.local
    test@dovecot.local
    external IP
    downstream IP:25
    subject

    (aka there is a downstream relay and the logs say 250 delivered), then your issue is downstream of the appliance.

    If your logs look like this:
    2018-04-03 08:56:18
    test@testlocal
    test@dovecot.local
    external IP
    -
    -
     
    test@test.local
    test@dovecot.local
    external IP
    -
    -

    then it's possible there is a policy or other issue going on where the appliance has not delivered the email downstream.

    EnricoGiac
    It is the first time I have deployed DKIM with multiple MTAs. In this specific case, messages are sent by Office 365 and by an internal Sophos Email Appliance (SEA).
    SEA has eight trusted domains, some of them shared with Office 365, and uses MX record resolution to deliver outgoing messages.

    Trusted domains only tell the appliance to skip spam scoring on that IP/domain. Only an MTA that accepts mail should be listed. It's not going to bypass rules or other MTA checks like SPF, DKIM or rDNS.
     
     
    EnricoGiac
    Based on my knowledge of DKIM I would like to describe how I'm going to implement DKIM in this scenario.
     
    Outgoing messages from Office 365
    Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365
    1. Publish two CNAME records in the DNS zone of the SMTP domain
    2. Enable DKIM for each domain in the Office 365 portal
    Ref. social.technet.microsoft.com/.../36796.enabling-dkim-in-office-365-for-custom-domains.aspx
    At the end of this procedure we have two CNAMEs

    selector1._domainkey.domain.it    IN CNAME selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com
    selector2._domainkey.domain.it    IN CNAME selector2-dominio-it._domainkey.dominio.it.onmicrosoft.com
     
    Outgoing messages from SEA
    Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365
    1. Generate the DKIM key using OpenSSL (better than using internet tools)
    2. Create a key selector (with a different name, ex: sea-selector) in the System: Certificate section of SEA
    3. Add a DKIM signature outbound threat protection policy
    4. Add a TXT record to public DNS like:
    sea-selector._domainkey.domain.it
    After having activated the threat protection policy, EVERY outgoing message contains the DKIM-Signature header.
    So I have to consider the other trusted domains (not shared with O365) and configure a CNAME for these domains (ex.: domain2.it)
     
    mxa-selector._domainkey.domain2.it  IN CNAME   mxa-selector._domainkey.domain.it
     
    Any comments to this post will be highly appreciated.
    If you find the post interesting, feel free to use it.
    Kind regards,

    In short, the very last item in your mail chain is the only item that should stamp DKIM. Assuming it's the SEA, make sure the records are uploaded to the SEA and hosted as you have posted, then make sure you create an outbound DKIM rule and make sure it's the last rule to trigger.

    If that does not resolve the issue, you may wish to send samples of your outbound mail to not-spam@labs.sophos.com and open a case to ensure they are stamped correctly.

    In other notes, make sure you do not have rules that run after the signing that modify headers, add banners or touch the email.

    ***

    As for the overall issues... in this case the forum is not a good medium for troubleshooting. I highly recommend you contact support and open a case to go over the issues; this will ensure you're not posting log information and/or modifying logs etc.

  • In reply to Red_Warrior:

    Hello Red Warrior,

    Thank you for your reply.

    I confirm that all the configuration I did, as detailed in my post, is working fine: DKIM pass for every outbound email in transit from the Sophos Email Appliance, for all the mail domains configured. (My fault: I wrote trusted domain, but I meant mail domain, the authoritative domain accepted by SEA.)

    Secondly, my intention was mainly to share my experience on DKIM; that's why I posted a discussion and not a question. I do not want to ask for troubleshooting. Anyway, this is a log of a successfully delivered email to @hotmail.com. The email has never arrived in the mailbox, neither in the inbox nor in junk mail.

    Thank you for your time and I hope the thread will be useful to others.

    Enrico

    2018-04-10 12:31:32
    Administrator@maildomain.it
    egiacomin@hotmail.com
    10.15.4.12
    104.47.36.33:25
    test
    Message-ID: <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
    Sender: Administrator@maildomain.it
    Recipient(s): egiacomin@hotmail.com
    Direction: Outbound
    Received: Connection from 10.15.4.12
    Queued: For scanning at 2018-04-10 12:31:32
    Scanned: With result: legitimate. Message will be delivered.
    Removed: From scanning queue at 2018-04-10 12:31:32
      
    Policy Rule: DKIM Signature
    Sender: Administrator@maildomain.it
    Recipient(s): egiacomin@hotmail.com
    Queued: For delivery at 2018-04-10 12:31:32
    Delivered: To 104.47.36.33 at 2018-04-10 12:31:33 with response '2.6.0 <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc> [InternalId=2254857871509, Hostname=SN1NAM02HT131.eop-nam02.prod.protection.outlook.com] 8584 bytes in 0.111, 75.426 KB/sec Queued mail for delivery'
    Removed: From delivery queue at 2018-04-10 12:31:33
    Appliance: mxa.maildomain.it [10.15.5.222]

    2018-04-10 12:31:32 mxa postfix/smtpd[13703]: 3B8BE53123_ACC9284F: client=srvexc01.maildomain.loc[10.15.4.12]
    2018-04-10 12:31:32 mxa postfix/cleanup[13209]: 3B8BE53123_ACC9284F: message-id=<41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
    2018-04-10 12:31:32 mxa postfix/qmgr[5348]: 3B8BE53123_ACC9284F: from=<Administrator@maildomain.it>, size=1623, nrcpt=1 (queue active)
    2018-04-10 12:31:32 mxa postfix/smtp[9463]: 3B8BE53123_ACC9284F: to=<egiacomin@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.18, delays=0/0/0/0.18, dsn=2.0.0, status=sent (250 OK, sent 5ACC9284_20110_5507_1 516A255C38_ACC9284B)
    2018-04-10 12:31:32 mxa postfix/qmgr[5348]: 3B8BE53123_ACC9284F: removed
    2018-04-10 12:31:32 mxa postfix/backend/smtpd[13679]: 516A255C38_ACC9284B: client=localhost.localdomain[127.0.0.1]
    2018-04-10 12:31:32 mxa postfix/backend/cleanup[11309]: 516A255C38_ACC9284B: message-id=<41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
    2018-04-10 12:31:32 mxa postfix/backend/qmgr[5530]: 516A255C38_ACC9284B: from=<Administrator@maildomain.it>, size=2218, nrcpt=1 (queue active)
    2018-04-10 12:31:33 mxa postfix/backend/smtp[99080]: 516A255C38_ACC9284B: to=<egiacomin@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[104.47.36.33]:25, delay=1.2, delays=0.1/0/0.47/0.67, dsn=2.6.0, status=sent (250 2.6.0 <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc> [InternalId=2254857871509, Hostname=SN1NAM02HT131.eop-nam02.prod.protection.outlook.com] 8584 bytes in 0.111, 75.426 KB/sec Queued mail for delivery)
    2018-04-10 12:31:33 mxa postfix/backend/qmgr[5530]: 516A255C38_ACC9284B: removed
    2018-04-10 12:31:32 mxa milter[20110]: 5ACC9284_20110_5507_1: Sandstorm header not found.
    2018-04-10 12:31:32 mxa milter[20110]: 5ACC9284_20110_5507_1: X-Sophos headers have been stripped.
  • In reply to EnricoGiac:

    Hi Enrico, 

    Thank you, it helps me a lot (I have the same infrastructure).

    Regards

    Julien

  • In reply to Julien Chaillot:

    It's a pleasure to know it. Thank you.

    Enrico

  • In reply to EnricoGiac:

    Hi Enrico,

    I have a couple of questions about the second part of your post, "Outgoing messages from SEA":

    - For the other domains (not shared with Office 365), you have created a CNAME that points to the TXT record "sea-selector._domainkey.domain.it".
    So shouldn't your CNAME be like this: sea-selector._domainkey.domain2.it IN CNAME sea-selector._domainkey.domain.it
    instead of this: mxa-selector._domainkey.domain2.it IN CNAME mxa-selector._domainkey.domain.it
    ?

    - You said "So I have to consider the other trusted domains (non shared with O365) and configure a CNAME for these domains (ex.: domain2.it)".
    All emails (and domains) coming out of SEA are signed with the key selector "sea-selector", so I think you need to create a CNAME for all domains (shared or not with Office 365).

    Thank you for your help :)

    Julien
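
The following is an added example, not code from this thread, from Sophos or from Microsoft. It walks through the SEA part of Enrico's procedure (generate the key with OpenSSL, build the TXT record for sea-selector._domainkey.domain.it, alias domain2.it to it with a CNAME) and also shows why Julien's point about the selector name matters: a receiving MTA takes the s= and d= tags from the DKIM-Signature header and queries exactly that name, so the alias must carry the same selector as the signature. The selector and domain names come from the thread; the file names under the working directory, the record sanity check and the constructed DKIM-Signature header line are this example's own assumptions. The appliance itself is configured through its GUI (System: Certificate and the outbound policy), which this script does not touch.

```sh
#!/bin/sh
# Added example: DKIM key generation and DNS record preparation for a
# Sophos Email Appliance style setup. Not from the thread or from Sophos.
# Selector/domain names follow the thread; file layout under $dir is ours.

# dkim_txt_record SELECTOR DOMAIN DIR
# Writes DIR/SELECTOR.private.pem (keep it on the signing MTA only) and
# DIR/SELECTOR.value, and prints the zone-file TXT line for the selector.
dkim_txt_record() {
  selector="$1"; domain="$2"; dir="$3"
  priv="$dir/$selector.private.pem"
  # 2048-bit RSA; the private key is what gets imported into the appliance
  openssl genrsa -out "$priv" 2048 2>/dev/null
  # The p= tag is the base64 of the DER SubjectPublicKeyInfo, which is
  # exactly what "openssl rsa -pubout -outform DER" emits
  pub=$(openssl rsa -in "$priv" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  value="v=DKIM1; k=rsa; p=$pub"
  printf '%s\n' "$value" > "$dir/$selector.value"
  # One TXT string holds at most 255 octets, so a 2048-bit key has to be
  # published as several quoted strings; verifiers concatenate them
  chunks=$(printf '%s\n' "$value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
  printf '%s._domainkey.%s IN TXT ( %s)\n' "$selector" "$domain" "$chunks"
}

# dkim_check_record FILE
# Returns 0 when FILE holds a DKIM record whose p= tag decodes to a valid
# RSA public key. Run it on the exact value you are about to paste into DNS;
# a truncated or re-wrapped key is a common reason for "DKIM fail".
dkim_check_record() {
  value=$(cat "$1")
  printf '%s' "$value" | grep -q '^v=DKIM1;' || return 1
  p=$(printf '%s' "$value" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=[[:space:]]*//p')
  [ -n "$p" ] || return 1
  printf '%s' "$p" | openssl base64 -d -A | openssl rsa -pubin -inform DER -noout 2>/dev/null
}

# dkim_cname_alias SELECTOR ALIAS_DOMAIN KEY_DOMAIN
# Second mail domain that is signed with the same key: alias its selector
# record to the one that holds the TXT. The selector name is the same on
# both sides on purpose (see dkim_query_name below).
dkim_cname_alias() {
  printf '%s._domainkey.%s IN CNAME %s._domainkey.%s\n' "$1" "$2" "$1" "$3"
}

# dkim_query_name HEADER_LINE
# What a receiver does with a DKIM-Signature header: read s= and d= and
# build the DNS name it will look up. If the published alias uses another
# selector name, this lookup returns nothing and the signature fails.
dkim_query_name() {
  s=$(printf '%s' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*s=//p' | tr -d '[:space:]')
  d=$(printf '%s' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*d=//p' | tr -d '[:space:]')
  printf '%s._domainkey.%s\n' "$s" "$d"
}

# Usage walk-through; run with DKIM_DEMO=1 to see the generated records.
if [ -n "${DKIM_DEMO:-}" ]; then
  workdir=$(mktemp -d)
  dkim_txt_record sea-selector domain.it "$workdir"
  dkim_check_record "$workdir/sea-selector.value" && echo "record decodes to a valid RSA key"
  dkim_cname_alias sea-selector domain2.it domain.it
  # Constructed header; bh= and b= values are placeholders, not a real signature
  dkim_query_name "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain2.it; s=sea-selector; h=from:to:subject; bh=AAAA=; b=BBBB="
fi
```

After the records are live, `dig +short TXT sea-selector._domainkey.domain2.it` should follow the CNAME and return the same quoted strings that dkim_txt_record printed; if it returns nothing, the selector name in the alias and in the appliance's signing policy do not match.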