This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM, DKIM and Microsoft-hosted email servers

Hi all

Has anyone managed to set up DKIM signatures that work in Exchange and other Microsoft mail sites?

I've followed the instructions in KB-000034259 and the DKIM check passes if I send to certain mail providers, e.g. Gmail,, AOL, BTInternet; however the DKIM check fails if it's sent to anything hosted by Microsoft. The error I get is 'dkim=fail (signature did not verify)'.

I've tried changing the keys, using 1024-bit and 2048-bit keys, hosting the DNS selector record on a different DNS server, and different UTMs, but all to no avail. If I send an email to two recipients - one on a Microsoft-hosted email server and the other on Gmail, for example - DKIM passes on Gmail but fails on Microsoft.

Is it only me who sees this issue?


This thread was automatically locked due to age.
Parents Reply
  • Hello Vivek

    Thanks for replying: I actually followed the instructions in your first link when I initially set up DKIM signing. I've investigated further and I think I've found the cause of the issue.

    If the system that creates the email does not add a Message-ID header, then Microsoft adds its own. It then proceeds to use this header in its DKIM validation check - even though the header was not in the original email - and so validation fails. (There are other mail systems, e.g. Gmail, that will add their own Message-ID header, but I think they are clever enough not to use it when verifying DKIM.)

    One fix would be to remove Message-ID from the list of headers in the DKIM signature, so it is ignored and doesn't form part of the validation calculation, but there doesn't seem to be a way to do this in Webadmin. I suppose I'll need to ask our development team to tweak their code...

No Data