Email Security.cloud mail servers preserve other DKIM signatures in the email header


Article ID: 171940


Products

Email Security.cloud

Issue/Introduction

As an administrator, I would like to set up multiple email hops that perform DKIM signing. What happens to the DKIM signatures added to the email headers by other hops after the email passes through the Email Security.cloud mail servers?

Resolution

DKIM adds an end-to-end authentication capability to the existing email transfer infrastructure. That is, there can be multiple email relay hops between signing and verifying. Therefore, the DKIM signatures from other hops remain in the email headers, but the recipient mail server verifies and takes into account the DKIM signature added by the last signing hop.

Refer to the bolded part of the sample email header below (read it from bottom to top):

Return-Path: <[email protected]>
Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com. [<server IP >])
        by mx.google.com with ESMTPS id 18-v6si503848qkj.198.2018.06.22.08.56.51
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 22 Jun 2018 08:56:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates <server IP > as permitted sender) client-ip=<server IP >;

3. Gmail verifying the DKIM signature

Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=SYM03232018 header.b=Zv8sjHoB; (SYMANTEC.CLOUD)
       dkim=neutral (body hash did not verify) [email protected] header.s=selector2 header.b=y1HB3naa; (OFFICE 365)
       spf=pass (google.com: domain of [email protected] designates <server IP > as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com

Return-Path: <[email protected]>

2. Symantec.cloud DKIM signing the message.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=SYM03232018; t=1529683009; [email protected]; bh=8KYAUJJ+0s37Utidr/61hEzREiUX6mQ+g8BrPmPSA9s=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=Zv8sjHoBzOZVWwZMyhi5h5volmYDiBZEFNycu1xTs8v+1d7vJNJ2t7sdyHxndqJTH
  fVQueW1mndk22LNqCHgjqHWdvT7z7hb4soXU2Ts9aYvcM12BL53IYeEFPyNZFEj6Dg
  MqO0tx2CjhUipDYYGg+fh9WMp6j7YOPsGO3N4hbMSrYK0CbHJkKWHWhkIUH9kJ1kYC
  auyE0jH0EkD1PJD5nocZTBLmiPDAsZydR7f+hyhF4SAUiZql/x4YwqOB75ws+ud87Q
  tASTqfJ9zq3nYjKJIZ0FY3gcoo3mq0O3944kQbnEkw141qdAnMEwi2GhYqu00vrWc3
  3X3BUymK+ptxQ==

Received: from [<server IP >] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-12.bemta-8.messagelabs.com id 7D/41-22251-14C1D2B5; Fri, 22 Jun 2018 15:56:49 +0000
X-Env-Sender: [email protected]
X-Msg-Ref: server-4.tower-45.messagelabs.com!1529683007!77589874!1
X-Originating-IP: [<server IP>]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=example.com,-,-
X-VirusChecked: Checked
Received: (qmail 14422 invoked from network); 22 Jun 2018 15:56:48 -0000
Received: from mail-co1nam03lp0015.outbound.protection.outlook.com (HELO NAM03-CO1-obe.outbound.protection.outlook.com) (<server IP>)
  by server-4.tower-45.messagelabs.com with AES256-SHA256 encrypted SMTP; 22 Jun 2018 15:56:48 -0000

1. Office 365 DKIM signing the message.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qGnoEhWGzsMB145HjS64JoKeeGFq9QiFE8GSROCBe+k=; b=y1HB3naafucjXM0DnGpaBLMHQQRzhEWTwiJUUVRgiZCTiSwQ6S01powNS2IEeUTnLRElWRwSpSxSHSZIwS5OU5wJVVIKSKM11Sm0aI25z5FeNRVJZt1DOE0gC051DcfmD5lVkuhWj7W2G5lcBMr9cni0FuKDRz++h90Vt59C+LU=

Received: from BYAPR14MB2294.namprd14.prod.outlook.com (<server IP>) by BYAPR14MB2328.namprd14.prod.outlook.com (<server IP>) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.884.21; Fri, 22 Jun 2018 15:56:45 +0000
Received: from BYAPR14MB2294.namprd14.prod.outlook.com ([fe80::550a:d886:1f0e:cb5]) by BYAPR14MB2294.namprd14.prod.outlook.com ([fe80::550a:d886:1f0e:cb5%4]) with mapi id 15.20.0884.021; Fri, 22 Jun 2018 15:56:45 +0000
From: Test User <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Test DKIM Signing
Thread-Topic: Test DKIM Signing
Thread-Index: AdQKQZ0RV2R3uW7oTGiBIfqnt411wA==
Date: Fri, 22 Jun 2018 15:56:45 +0000
Message-ID: <BYAPR14MB2294FBFCC3A01C43C41931DEDF750@BYAPR14MB2294.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_BYAPR14MB2294FBFCC3A01C43C41931DEDF750BYAPR14MB2294namp_"
MIME-Version: 1.0

--_000_BYAPR14MB2294FBFCC3A01C43C41931DEDF750BYAPR14MB2294namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Test DKIM Signing
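
The pairing of each preserved DKIM-Signature header with the verdict the receiving server recorded for it can be checked programmatically. The following is an added example, not Symantec's code: it matches signatures to `dkim=` results by `header.s` and the `header.b` prefix, and the embedded message is a constructed, abbreviated version of the sample header above.

```python
import re
from email import message_from_string

# Constructed, abbreviated sample: selectors and b= prefixes follow the article's
# header; bh= values, truncated b= values and addresses are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.s=SYM03232018 header.b=Zv8sjHoB;
       dkim=neutral (body hash did not verify) header.s=selector2 header.b=y1HB3naa;
       dmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=SYM03232018; h=From:To:Subject; bh=AAAA; b=Zv8sjHoBzOZVWwZM
  yhi5h5vo
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=selector2; h=From:Date:Subject; bh=BBBB; b=y1HB3naafucjXM0D
From: Test User <user@example.com>

Test DKIM Signing
"""

def signatures(msg):
    """Tag dicts for every DKIM-Signature header, topmost (latest hop) first."""
    sigs = []
    for raw in msg.get_all("DKIM-Signature", []):
        pairs = (p.split("=", 1) for p in raw.split(";") if "=" in p)
        # Folding whitespace inside tag values (e.g. b=) is not significant.
        sigs.append({k.strip(): re.sub(r"\s+", "", v) for k, v in pairs})
    return sigs

def dkim_results(msg):
    """(verdict, selector, b-prefix) for each dkim= clause in Authentication-Results."""
    found = []
    for raw in msg.get_all("Authentication-Results", []):
        for clause in raw.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                props = dict(re.findall(r"header\.(\w+)=(\S+)", clause))
                found.append((m.group(1), props.get("s"), props.get("b")))
    return found

def correlate(raw_message):
    """Pair each signature with the receiver's verdict via selector and b= prefix."""
    msg = message_from_string(raw_message)
    results = dkim_results(msg)
    report = []
    for sig in signatures(msg):
        verdict = next((r for r, s, b in results if s == sig.get("s")
                        and b and sig.get("b", "").startswith(b)), "not evaluated")
        report.append((sig.get("d"), sig.get("s"), verdict))
    return report
```

Calling `correlate()` on a full saved message shows at a glance which hop's signature survived later modification and which one did not.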