One of our customers is encountering the following DKIM issue. Emails from two suppliers are consistently being quarantined due to DKIM verification. The selectors are as follows:
s=strato-dkim-0003 c=relaxed/relaxed a=ed25519-sha256 b=512
s=strato-dkim-0002 c=relaxed/relaxed a=rsa-sha256 b=2048
On the selector "strato-dkim-0003," the XG firewall reports a "fail," and the email is quarantined (presumably because of the message: "Sophos Firewall quarantines DKIM-signed emails that use RSA SHA-1 or have key length less than 1024 or more than 2048 bits.").
However, shouldn't the XG firewall fall back to the "strato-dkim-0002" selector, which is accepted?
The customer is experiencing this issue with two suppliers who both use the same provider. For now, I have implemented a workaround by excluding the mail servers of the provider from DKIM checks, but I don't consider this a proper solution.
The version is: XG310 (SFOS 19.5.3 MR-3-Build652)
Quote