DKIM issue with ed25519 selector

One of our customers is encountering the following DKIM issue. Emails from two suppliers are consistently being quarantined due to DKIM verification. The selectors are as follows:

s=strato-dkim-0003 c=relaxed/relaxed a=ed25519-sha256 b=512
s=strato-dkim-0002 c=relaxed/relaxed a=rsa-sha256 b=2048

On the selector "strato-dkim-0003," the XG firewall reports a "fail," and the email is quarantined (presumably because of the message: "Sophos Firewall quarantines DKIM-signed emails that use RSA SHA-1 or have key length less than 1024 or more than 2048 bits.").

However, shouldn't the XG firewall fall back to the "strato-dkim-0002" selector, which is accepted?

The customer is experiencing this issue with two suppliers who both use the same provider. For now, I have implemented a workaround by excluding the mail servers of the provider from DKIM checks, but I don't consider this a proper solution.

The version is: XG310 (SFOS 19.5.3 MR-3-Build652)

Added TAGs
[edited by: Erick Jan at 9:59 AM (GMT -7) on 28 Sep 2023]
Parents Reply
  • Hi Jules,

    As for the update, the case handler has requested the below information. Kindly provide the necessary details through email directly with your case handler.

    Would you kindly confirm the following details?

    • What is the serial number of the firewall?
    • Regarding the DKIM issue with the ed25519 selector, is it possible for us to reproduce the issue? 
    • We require smtpd_main logs in debug mode and also the sample email.

    Below are the steps we’ll take to capture all the logs and configuration from the firewall: 

    • Enable debug for smtpd and collect smtpd_main.logs
      • service smtpd:debug -ds nosync
    • Take the screenshot of the config
    • Full email sample of failed dkim check

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.