As an administrator, I would like to setup multiple email hops to do DKIM signing. What happens with the DKIM signatures in the email headers from other hops after the email goes the Email Security.cloud mail servers.
DKIM adds an end-to-end authentication capability to the existing email transfer infrastructure. That is, there can be multiple emails relaying hops between signing and verifying. Therefore the DKIM signatures from other hops will remain in the email headers but the recipient mail server would verify and take into account the last hop DKIM signing the email.
Refer to the bolded part of the sample email header below (read it from bottom to top):
Return-Path: <[email protected]> Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com. [<server IP >]) by mx.google.com with ESMTPS id 18-v6si503848qkj.198.2018.06.22.08.56.51 for <[email protected]> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Jun 2018 08:56:51 -0700 (PDT) Received-SPF: pass (google.com: domain of [email protected] designates <server IP > as permitted sender) client-ip=<server IP >; 3. Gmail verifying the DKIM signature Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=SYM03232018 header.b=Zv8sjHoB; (SYMANTEC.CLOUD) dkim=neutral (body hash did not verify) [email protected] header.s=selector2 header.b=y1HB3naa; (OFFICE 365) spf=pass (google.com: domain of [email protected] designates >server IP > as permitted sender) [email protected]; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com Return-Path: <[email protected]> 2. Symantec.cloud DKIM signing the message. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=SYM03232018; t=1529683009; [email protected]; bh=8KYAUJJ+0s37Utidr/61hEzREiUX6mQ+g8BrPmPSA9s=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=Zv8sjHoBzOZVWwZMyhi5h5volmYDiBZEFNycu1xTs8v+1d7vJNJ2t7sdyHxndqJTH fVQueW1mndk22LNqCHgjqHWdvT7z7hb4soXU2Ts9aYvcM12BL53IYeEFPyNZFEj6Dg MqO0tx2CjhUipDYYGg+fh9WMp6j7YOPsGO3N4hbMSrYK0CbHJkKWHWhkIUH9kJ1kYC auyE0jH0EkD1PJD5nocZTBLmiPDAsZydR7f+hyhF4SAUiZql/x4YwqOB75ws+ud87Q tASTqfJ9zq3nYjKJIZ0FY3gcoo3mq0O3944kQbnEkw141qdAnMEwi2GhYqu00vrWc3 3X3BUymK+ptxQ== Received: from [<server IP >] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-12.bemta-8.messagelabs.com id 7D/41-22251-14C1D2B5; Fri, 22 Jun 2018 15:56:49 +0000 X-Env-Sender: [email protected] X-Msg-Ref: server-4.tower-45.messagelabs.com!1529683007!77589874!1 X-Originating-IP: [<server IP>] X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass X-StarScan-Received: X-StarScan-Version: 9.9.15; banners=example.com,-,- X-VirusChecked: Checked Received: (qmail 14422 invoked from network); 22 Jun 2018 15:56:48 -0000 Received: from mail-co1nam03lp0015.outbound.protection.outlook.com (HELO NAM03-CO1-obe.outbound.protection.outlook.com) (<server IP>) by server-4.tower-45.messagelabs.com with AES256-SHA256 encrypted SMTP; 22 Jun 2018 15:56:48 -0000 1. Office 3365 DKIM signing the message. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qGnoEhWGzsMB145HjS64JoKeeGFq9QiFE8GSROCBe+k=; b=y1HB3naafucjXM0DnGpaBLMHQQRzhEWTwiJUUVRgiZCTiSwQ6S01powNS2IEeUTnLRElWRwSpSxSHSZIwS5OU5wJVVIKSKM11Sm0aI25z5FeNRVJZt1DOE0gC051DcfmD5lVkuhWj7W2G5lcBMr9cni0FuKDRz++h90Vt59C+LU= Received: from BYAPR14MB2294.namprd14.prod.outlook.com (<server IP>) by BYAPR14MB2328.namprd14.prod.outlook.com (<server IP>) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.884.21; Fri, 22 Jun 2018 15:56:45 +0000 Received: from BYAPR14MB2294.namprd14.prod.outlook.com ([fe80::550a:d886:1f0e:cb5]) by BYAPR14MB2294.namprd14.prod.outlook.com ([fe80::550a:d886:1f0e:cb5%4]) with mapi id 15.20.0884.021; Fri, 22 Jun 2018 15:56:45 +0000 From: Test User <[email protected]> To: "[email protected]" <[email protected]> Subject: Test DKIM Signing Thread-Topic: Test DKIM Signing Thread-Index: AdQKQZ0RV2R3uW7oTGiBIfqnt411wA== Date: Fri, 22 Jun 2018 15:56:45 +0000 Message-ID: <BYAPR14MB2294FBFCC3A01C43C41931DEDF750@BYAPR14MB2294.namprd14.prod.outlook.com> Accept-Language: en-US Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_BYAPR14MB2294FBFCC3A01C43C41931DEDF750BYAPR14MB2294namp_" MIME-Version: 1.0 --_000_BYAPR14MB2294FBFCC3A01C43C41931DEDF750BYAPR14MB2294namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Test DKIM Signing