Some messages fail DKIM authentication even though they originate from a valid source.
Last Updated September 30, 2012
Message to some domains are failing DKIM authentication at the final destination.
This is usually the result of an intermediate email server either re-ordering the email message headers or adding additional message headers after the DKIM-Signature header. If the message headers are re-ordered or modified by an intermediate mail server or the body of the message is in some way changed between the SBG appliance and the final DKIM aware mail server, then the DKIM cryprographic signature of the message will no longer match.
If there is an intermediate mail server, or "hop", between the SBG appliance and the destination mail server, please contact the destination domain's administrator to ensure that the intermediate mail relay does not modify the following default signed headers: