Score:0

DKIM fails when users forward Hotmail to Gmail


I use AWS SES for sending mail and CloudFlare for DNS. I set up DKIM following this tutorial. It works well.

When a user provides a hotmail.com address and forwards it to Gmail, I receive an email such as:

mx.google.com gave this error:

This mail is unauthenticated, which poses a security risk to
the sender and Gmail users, and has been blocked. The sender
must authenticate with at least one of SPF or DKIM. For this
message, DKIM checks did not pass and SPF check for [...] did not pass
with ip: [...]. The sender should visit 
https://support.google.com/mail/answer/81126#authentication
for instructions on setting up authentication. ...


Original message headers:

Received: from ...PROD.OUTLOOK.COM
...
Resent-From: <[email protected]>
...
Authentication-Results: spf=pass (sender IP is ...)
 smtp.mailfrom=...; dkim=fail (signature did not verify)
 header.d=...;dmarc=pass action=none header.from=...;compauth=pass
 reason=100
...
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=2c2dtovttix6omay...; d=...; t=16791...;
    h=Content-Type:From:To:Subject:Message-ID:Date;
    bh=kVq8FB...=;
    b=XTEQr2EZ30...=

The headers suggest that SPF passed and DKIM failed, contrary to the initial text. I'm not sure why.

Can I make the DKIM on my domain also work when forwarding email from Hotmail to Gmail?

Update

I created a Hotmail address and sent an email from the same sender and the forwarding succeeded. I also sent another email from a different domain name that I also own and almost never use, so I'm sure that my Gmail never saw that second sender.

anx
Grab the full headers of the message before and after forwarding and compare - even when the problem was not caused by you, you might still be able to avoid it by canonicalizing the specific header that was changed on forwarding (this is the short form of my similar [answer here](https://serverfault.com/a/1035978/250204))
anx
After you have confirmed that your DKIM setup works indeed (that is, before forwarding), I would consider it appropriate to send a minimal test email and [attach](https://serverfault.com/posts/1126855/edit) the *entire message source in both versions*, as I suspect the only way this can be definitely answered would be to pinpoint the specific difference between the message as Microsoft was able to validate and the message as Google was unable to validate.
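The before/after comparison suggested in the comments above can be scripted. This is an added example, not part of the original thread: it assumes the `c=relaxed/simple` canonicalization and `h=` list shown in the question's signature, and the sample messages, addresses and forwarder changes are constructed for illustration.

```python
import base64, hashlib, re

def split_message(raw: bytes):
    """Split a raw CRLF message into ([(name, value)], body), unfolding headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = re.sub(rb"\r\n(?=[ \t])", b"", head).split(b"\r\n")
    return [tuple(l.split(b":", 1)) for l in lines if b":" in l], body

def relaxed_header(name: bytes, value: bytes) -> bytes:
    """RFC 6376 'relaxed' header form: lowercase name, collapsed whitespace."""
    return name.strip().lower() + b":" + re.sub(rb"[ \t]+", b" ", value).strip()

def simple_body_hash(body: bytes) -> str:
    """bh= under 'simple' body canonicalization: only trailing empty lines are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def dkim_tags(value: bytes) -> dict:
    """Parse the tag=value list of a DKIM-Signature header value."""
    pairs = (t.split(b"=", 1) for t in value.split(b";") if b"=" in t)
    return {k.strip().decode(): re.sub(rb"\s+", b"", v).decode() for k, v in pairs}

def compare_copies(before: bytes, after: bytes) -> dict:
    """Report which signed headers differ and whether each body still matches bh=."""
    (h1, b1), (h2, b2) = split_message(before), split_message(after)
    tags = dkim_tags(next(v for n, v in h1 if n.strip().lower() == b"dkim-signature"))
    def pick(headers, wanted):  # a verifier takes the last (bottom-most) instance
        vals = [relaxed_header(n, v) for n, v in headers if n.strip().lower() == wanted]
        return vals[-1] if vals else None
    signed = [n.lower().encode() for n in tags["h"].split(":")]
    return {"changed_headers": [n.decode() for n in signed if pick(h1, n) != pick(h2, n)],
            "body_ok_before": simple_body_hash(b1) == tags["bh"],
            "body_ok_after": simple_body_hash(b2) == tags["bh"]}

# Constructed sample: the "forwarded" copy gains a Resent-From header, a refolded
# Subject and one trailing space in the body. Not taken from the thread.
BODY = b"Hello,\r\nthis is a test.\r\n"
SIG = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel;\r\n"
       b" h=Content-Type:From:To:Subject:Message-ID:Date;\r\n"
       b" bh=%s; b=CONSTRUCTED\r\n" % simple_body_hash(BODY).encode())
REST = b"Content-Type: text/plain\r\nFrom: sender@example.com\r\n"
BEFORE = SIG + REST + b"Subject: DKIM   test\r\n\r\n" + BODY
AFTER = (b"Resent-From: <user@example.net>\r\n" + SIG + REST
         + b"Subject: DKIM\r\n test\r\n\r\n" + BODY.replace(b"Hello,", b"Hello, "))

if __name__ == "__main__":
    print(compare_copies(BEFORE, AFTER))
```

In the constructed pair, the added header and the refolded Subject leave the signed headers intact, while the single trailing space breaks the `simple` body hash; relaxed body canonicalization ignores trailing whitespace on a line.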
Score:0

When an email is forwarded from a Hotmail account to a Gmail account, the DKIM signature may fail to verify if the forwarding process changes any part of the message or its headers. This is because DKIM relies on cryptographic hashing to generate a signature that is unique to each message, including the message headers. If the message is modified in any way, such as by adding a new header or changing the order of existing headers, the signature will no longer match the original message and will fail verification.

Furthermore, when a message is forwarded, the forwarding service typically adds its own headers to the message, which can also cause the DKIM signature to fail. This is because the original signature was created by the sender's domain and not the forwarding service, so the added headers will cause the message to appear as though it was sent from a different domain.

To avoid DKIM failures when forwarding emails, it is recommended that users either refrain from forwarding messages with DKIM signatures or configure their email client, i.e. Hotmail, to forward the message as an attachment rather than inline. Additionally, the sender's domain can take steps to ensure that their DKIM signatures remain valid when messages are forwarded by using techniques such as "re-signing" the message with a new signature that incorporates the additional headers added during forwarding.

miguelmorin
Thanks! Can you please elaborate or add a reference about re-signing?