This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM, DKIM and Microsoft-hosted email servers

Hi all

Has anyone managed to set up DKIM signatures that work in Exchange and other Microsoft mail sites?

I've followed the instructions in KB-000034259 and the DKIM check passes if I send to certain mail providers, e.g. Gmail, mail.com, AOL, BTInternet; however the DKIM check fails if it's sent to anything hosted by Microsoft. The error I get is 'dkim=fail (signature did not verify)'.

I've tried changing the keys, using 1024-bit and 2048-bit keys, hosting the DNS selector record on a different DNS server, and different UTMs, but all to no avail. If I send an email to two recipients - one on a Microsoft-hosted email server and the other on Gmail, for example - DKIM passes on Gmail but fails on Microsoft.

Is it only me who sees this issue?

This thread was automatically locked due to age.

Top Replies

Ifor Davies over 1 year ago in reply to Vivek Jagad +1

Hello Vivek Thanks for replying: I actually followed the instructions in your first link when I initially set up DKIM signing. I've investigated further and I think I've found the cause of the issue…

Parents

0 Vivek Jagad over 1 year ago

Hello Ifor Davies,

Thank you for reaching out to the community, you can configure DKIM on Sophos UTM SMTP proxy using this KBA:
> Sophos UTM: DomainKeys DKIM setup guide - https://support.sophos.com/support/s/article/KB-000034259?language=en_US
> Sophos UTM: DKIM setup using Windows OpenSSL - https://support.sophos.com/support/s/article/KB-000034335?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ifor Davies over 1 year ago in reply to Vivek Jagad

Hello Vivek

Thanks for replying: I actually followed the instructions in your first link when I initially set up DKIM signing. I've investigated further and I think I've found the cause of the issue.

If the system that creates the email does not add a Message-ID header, then Microsoft adds its own. It then proceeds to use this header in its DKIM validation check - even though the header was not in the original email - and so validation fails. (There are other mail systems, e.g. Gmail, that will add their own Message-ID header, but I think they are clever enough not to use it when verifying DKIM.)

One fix would be to remove Message-ID from the list of headers in the DKIM signature, so it is ignored and doesn't form part of the validation calculation, but there doesn't seem to be a way to do this in Webadmin. I suppose I'll need to ask our development team to tweak their code...
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 Ifor Davies over 1 year ago in reply to Vivek Jagad

Hello Vivek

Thanks for replying: I actually followed the instructions in your first link when I initially set up DKIM signing. I've investigated further and I think I've found the cause of the issue.

If the system that creates the email does not add a Message-ID header, then Microsoft adds its own. It then proceeds to use this header in its DKIM validation check - even though the header was not in the original email - and so validation fails. (There are other mail systems, e.g. Gmail, that will add their own Message-ID header, but I think they are clever enough not to use it when verifying DKIM.)

One fix would be to remove Message-ID from the list of headers in the DKIM signature, so it is ignored and doesn't form part of the validation calculation, but there doesn't seem to be a way to do this in Webadmin. I suppose I'll need to ask our development team to tweak their code...
Cancel
Vote Up +1 Vote Down

Cancel

Children

No Data