Email sent from Onpremise exchange server to Gmail and O365 not having the Dkim signature on the mail header #356
Comments
|
This is a fault with your Office 365 configuration.
Look at the exchange online console, and then navigate to the defender anti-spam settings. There you can setup DKIM signing. With a different DNS Selector address.
Note you can use NSLOOKUP in one line.
nslookup -type=txt _selector._domainkey.senderdomain.com
Note the selector might be a different spelling! Check the signed headers, for the prefix of the selector name.
Example some of mine are _selector-DATE.. or -selector-mimecast-date.
Exchange online has a funky setup, where you use a CNAME instead.. so you don’t have to manually update the public key in the txt record ever again..
Why is this happening:
In an exchange Hybrid configuration::, if you used your Exchange On Prem front-end servers as the transport servers (with centralised mail processing enabled on your tenant).. then all SMTP mail is processed on exchange online..
Without centralised processing, then your emails are signed and sent out of the SMTP delivery queues I. Prem, sent straight to your recepients MX.
I feel I have the exact setup as you (exchange configured in a hybrid mode, with centralised processing enabled? Which is the default behaviour.
Simon Jackson
… On 16 Mar 2022, at 20:05, Alagbalive4eva ***@***.***> wrote:
Versions
Windows Server Version: Windows Server 2016 standard
Exchange Version:
Installed DKIM Exchange Version: Version 15.1 (Build 2176.2)
Description
we have been using Exchange DKIM signer for a while now and recently we were flagged and the root cause mentioned was Malformed public Key, so i proceeded to redo the Dkim configuration.
After reconfiguring the DKIM i noticed that the Existing DNS check box returns No record found for selector._domainkey.Domain
Simple nslookup on the server using the below commands:
set q=txt
selector._domainkey.mydomain.com
Returns the domain key text without any problems.
Also i used the DKIMvalidator which passed.
Public Key DNS Lookup
Building DNS Query for selector._domainkey.domain
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MuikytWi3Kf0OAYHidfgreffenf5PyjCzBGlrQnU0G8X4GUZ96AH6mc5d3darONggndBFwsAJkDJZo9wyvvF3m+6/fstreyhrtbdffvvdfsvtr/Y/HlYX5++o5y4n+Bp4PqUKip6FFY6bOrkllEi1InyBW5orQHYCVI2jYSpfCS7/yiVe+zIQEZqf0EvO0X3L2miOIQI+AqoG/WvH0UDlRf0xpDjd9YTQIDAQAB
Validating Signature
result = pass
Details:
DKIM Signature was also verified
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; d=mtn.bj; s=mail; c=relaxed/relaxed;
When i send email to gmail and O365 from the header i can see : dkim=none (message not signed) header.d=none
But when i send an email to yahoomail it passed successfully : dkim=pass ***@***.*** header.s=mail;
Steps to Reproduce
Expected behaviour;** Email sent to Gmail and O365 should have the Dkim signature present
Actual behavior: Email sent to Gmail and O365 shown the Dkim signature on the mail header as none (message not signed)
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you are subscribed to this thread.
|
|
Hi sjackson0109 Thanks for your quick response. But i am currently not running an hybrid enviroment. |
Alagbalive4eva
changed the title
|
Hm... Not sure if related, but I might have this problem as well. Single Exchange 2019 on-prem CU10, 15.2.922.7, no O365. DKIM 3.3.4 Every test email I send to googlemail works without issues, passes SPF and DKIM. However, occasionally, with real emails, I get this back: Not sure how to troubleshoot this as the test emails always pass both SPF and DKIM. |
|
What canonicalization is in use: relaxed or simple?
My guess is that simple is configured and you're getting failures due to a
mail server in the delivery path modifying the headers used for signing.
A good explanation of the difference can be found here -
https://stackoverflow.com/a/63706246
If you're using relaxed, then you need to investigate the affected received
message + delivery path to see what's dramatically mangling the headers
used to perform the DKIM signing.
…On Wed, 18 May 2022 at 21:16, John Jore ***@***.***> wrote:
Hm... Not sure if relates, but I might have this problem as well. Single
Exchange 2019 on-prem, no O365. DKIM 3.3.4
Every test email I send to googlemail works without issues, passes SPF and
DKIM. However, occasionally, with real emails, I get this back:
<record>
<row>
<source_ip>x.x.x.x</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
**<dkim>fail</dkim>**
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>domain.name</header_from>
</identifiers>
<auth_results>
<spf>
<domain>domain.name</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
Not sure how to troubleshoot this as the test emails always pass both SPF
and DKIM.
—
Reply to this email directly, view it on GitHub
<#356 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEEHYXNWPJ6SGT6SXGZJH4TVKTGPRANCNFSM5Q44PK2Q>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
Regards,
Chris Knight
|
|
My Exchange looks up the MX record, and emails direct to @googlemail mail host. I dont use a smarthost or relay server so there should be no difference in the path. Should be Relaxed: Here is another weird one from Google. Both IP addresses are the same. One successful, and four failing DKIM? Managed to send an email to google, no DKIM references, at all, in the email on the google side. Original Message I'm guessing there is a problem in ruleset that decides if DKIM is to be applied to the message or not as it. I.e. "Got new message, checking if I can sign it..." |
|
I had a (small) brainwave. And for what its worth, I think emailing a contact results in the message not being signed. Also, I upgraded to 3.4.0 (Latest pre-release, for this test) |
|
Bump? Anyone else seeing the same? or just me? |
|
Howdy,
Just checked my Exchange Server 2019 CU11 install running DKIM 3.4.0.
Exchange DkimSigner transport agent has the lowest priority with no other
transport agents installed other than the default Microsoft-installed ones.
I'm using the following signing settings:
- algorithm: RsaSha256
- header and body canonicalization: relaxed/relaxed
- headers to sign: From, Subject, To, Date, MessageId
I have one selector published to my external DNS using a 2048-bit key for
signing.
Sending e-mails to Contacts in my Exchange organisation results in those
messages being signed correctly.
Not seeing any DKIM failures in my DMARC reports.
Double-check your Transport Agent priority settings and signing headers.
Also check your external DNS provider - you can get DKIM failures due to
DNS lookup failures, which can occur if your domain zone file isn't
properly replicated from the primary nameserver to the secondary
nameserver(s), or if the delegated nameserver records for your domain
published by your DNS registrar are incorrect (e.g. there's more entries
here than there are nameservers that have a copy of your current zone file).
…On Fri, 27 May 2022 at 21:01, John Jore ***@***.***> wrote:
Bump? Anyone else seeing the same? or just me?
—
Reply to this email directly, view it on GitHub
<#356 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEEHYXNCVSL2O3QROVGPWL3VMCTRNANCNFSM5Q44PK2Q>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
Regards,
Chris Knight
|
|
@stryqx @johnjore @Alagbalive4eva The default debug messages in the transport agent are not very good if you have a lot of messages and a lot of servers. It makes it hard to identify the messages you are sending and what is happening to them. So I adjusted the code on my end to accurate identify them and I have found that a lot of my messages to Office 365 apparently have a "TnefPart" which this DKIM signer is coded not to sign. The recipient domain is not an accepted domain so I'm a little confused as to why it is doing this. This code may need to be looked into: because I wonder if updates to Exchange are forcing this format when communicating with Office 365 (even when not in Hybrid mode). I'm still testing in my environment. |
|
Howdy,
Might be worth checking the TNEF conversion settings on the Exchange Server.
https://learn.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019#tnef-conversion-options-for-remote-domains
…On Tue, 6 Dec 2022 at 08:54, Jacob Dixon ***@***.***> wrote:
@stryqx <https://github.com/stryqx> @johnjore
<https://github.com/johnjore> @Alagbalive4eva
<https://github.com/Alagbalive4eva> The default debug messages in the
transport agent are not very good if you have a lot of messages and a lot
of servers. It makes it hard to identify the messages you are sending and
what is happening to them.
So I adjusted the code on my end to accurate identify them and I have
found that a lot of my messages to Office 365 are apparently have a
"TnefPart" which this DKIM signer is coded not to sign. The recipient
domain is not an accepted domain so I'm a little confused as to why it is
doing this.
This code may need to be looked into:
https://github.com/Pro/dkim-exchange/blob/59fe5308715b57580095210faca733b82921a5c7/Src/Exchange.DkimSigner/DkimSigningRoutingAgent.cs#L90
because I wonder if updates to Exchange are forcing this format when
communicating with Office 365 (even when not in Hybrid mode). I'm still
testing in my environment.
—
Reply to this email directly, view it on GitHub
<#356 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEEHYXN3JXNPRVE7VW67HK3WLZQAVANCNFSM5Q44PK2Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Regards,
Chris Knight
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Versions
Description
we have been using Exchange DKIM signer for a while now and recently we were flagged and the root cause mentioned was Malformed public Key, so i proceeded to redo the Dkim configuration.
After reconfiguring the DKIM i noticed that the Existing DNS check box returns No record found for selector._domainkey.Domain
Simple nslookup on the server using the below commands:
set q=txt
selector._domainkey.mydomain.com
Returns the domain key text without any problems.
Also i used the DKIMvalidator which passed.
Public Key DNS Lookup
Building DNS Query for selector._domainkey.domain
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MuikytWi3Kf0OAYHidfgreffenf5PyjCzBGlrQnU0G8X4GUZ96AH6mc5d3darONggndBFwsAJkDJZo9wyvvF3m+6/fstreyhrtbdffvvdfsvtr/Y/HlYX5++o5y4n+Bp4PqUKip6FFY6bOrkllEi1InyBW5orQHYCVI2jYSpfCS7/yiVe+zIQEZqf0EvO0X3L2miOIQI+AqoG/WvH0UDlRf0xpDjd9YTQIDAQAB
Validating Signature
result = pass
Details:
DKIM Signature was also verified
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; d=domain; s=mail; c=relaxed/relaxed;
When i send email to gmail and O365 from the header i can see : dkim=none (message not signed) header.d=none
But when i send an email to yahoomail it passed successfully : dkim=pass header.i=@Domain header.s=mail;
Steps to Reproduce
Expected behaviour;** Email sent to Gmail and O365 should have the Dkim signature present
Actual behavior: Email sent to Gmail and O365 shown the Dkim signature on the mail header as none (message not signed)
The text was updated successfully, but these errors were encountered: