dkim=fail (signature did not verify) only with outlook.com/office365 customers

Hello,

We are having a problem with our outbound email getting marked as spam when going to office365 (and outlook.com).  We host our email internally and have implemented SPF, DKIM, and DMARC.  When emailing other companies, we pass SPF, DKIM, and DMARC.  Only domains that are hosted by office365/outlook.com have issues with our emails.  It took a little while to figure this out because the email address domains are company names, but in looking at the headers of emails sent and MX records for the companies we are having issues with, they all lead back to outlook.com/office365.

It seems that outlook.com is failing our DKIM check, saying the "signature did not verify".  However, I've checked with 4 different 3rd party email verification services (like mxtoolbox) and they all pass us with DKIM.  I've also verified that emails to institutions that are hosted by other providers like Google, or self-hosted by their internal IT shop, all pass DKIM.  So, our DKIM setup seems to be correct.  I can't seem to get the time of day from outlook.com to address the problem.

In my searching around the internet it seems that maybe outlook.com doesn't properly handle missing attributes in the DKIM signature "h=" field.  So, for example, if the DKIM-Signature h= field includes the "Reply-To" field but the email doesn't have the "Reply-To" field populated then outlook.com is prone to fail the DKIM check.  No one else is.  It is good to include the missing fields in the check because if they aren't, then the fields can be added in transit by a man-in-the-middle attack but still pass DKIM because they aren't factored in.  Anyways, others have addressed this DKIM failure by removing some of the fields included in the DKIM check, leaving only ones they know exist in the email.

My questions are:

1. Anyone run into this?  Anyone have suggestions for me to try to address it?  Any ideas or help is greatly appreciated!  Google searches show others having this problem with DKIM and outlook.com but their solutions lead me to the next question.

2. Is there a way to change the included DKIM signature fields on the XG Firewall?  We are running XG version 19.  It appears that the service handling this on the firewall is the exim service.  Can its configuration be changed to address this issue?  I looked in advanced shell and the exim config file isn't where it normally is on a Linux box.  I'm not sure changing the config file directly is recommended either.  It is always possible it may be undone after an update or UI interaction or something.

3. Am I barking up the wrong tree?  Because I can't get outlook.com to do anything it seems I'm left with tweaking my XG config in an attempt to address the problem.  Or moving my MTA relay services off the XG to another system and/or hosted in an attempt to address the problem.  I would rather address it on the XG if possible.

Please help.  I'm getting desperate to address this problem.

Ryan.
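
A diagnostic for the h= question raised in the post above, added here as an example and not part of the original post or of any Sophos tooling: it lists which header names a DKIM-Signature signs that have no matching instance in the message (RFC 6376 allows signing absent fields so they cannot be added later). The sample message is constructed and its `bh=`/`b=` values are placeholders; the function names are hypothetical.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample message (not taken from the thread); bh=/b= are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector1; h=From:To:Subject:Date:Reply-To:Message-ID:From;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Ryan <ryan@example.com>
To: someone@example.net
Subject: test
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <1@example.com>

body
"""


def signed_header_names(dkim_value):
    """Return the h= tag of one DKIM-Signature value as lowercase names."""
    # Folding whitespace may appear anywhere in the tag list, so drop it all.
    unfolded = re.sub(r"\s+", "", dkim_value)
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return [name.lower() for name in tags.get("h", "").split(":") if name]


def absent_signed_headers(raw_message):
    """For each DKIM-Signature, map header name -> count of h= entries
    that have no corresponding header instance in the message."""
    msg = message_from_string(raw_message)
    present = Counter(name.lower() for name in msg.keys())
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        wanted = Counter(signed_header_names(sig))
        # Each h= occurrence consumes one instance; extras are signed as absent.
        report.append({n: c - present[n] for n, c in wanted.items()
                       if c > present[n]})
    return report


if __name__ == "__main__":
    for i, extra in enumerate(absent_signed_headers(SAMPLE), 1):
        print(f"signature {i}: signed but absent -> {extra or 'none'}")
```

Running it against a message saved from the sending side shows exactly which h= entries would have to be dropped to sign only fields that exist, and which protection against added headers is given up by doing so.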



This thread was automatically locked due to age.
  • Hello Ryan,

    Good day and thanks for reaching out to Sophos Community.

    I am sorry you have faced this issue. I saw you already opened a support ticket under your account - 06474698 and thanks for referring this community post as well on the ticket. We can also see that an engineer has been assigned to work with you on this case and provided you a response. Please know that we are also tracking progress of this on our end. 

    Kindly let us know if you need further assistance from our side. 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
