
MailScanner v5
GNU General Public License v2.0

DKIM broken by "Sign Clean Messages" option #544

Open alexskynet opened 3 years ago

alexskynet commented 3 years ago

This should be mentioned in the docs: if you are using DKIM then you have to set the "Sign Clean Messages" option to off. If not, DKIM will be broken and the message is marked by clients as "altered".

rubeldonarman commented 3 years ago

That issue can be solved easily by setting Multiple Headers = add, but the DKIM Authenticated check will be broken. You can verify with https://mxtoolbox.com/EmailHeaders.aspx. And

Sign Clean Messages = yes will add a footer message for IN/OUT as below:

This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

So Sign Clean Messages = yes | no is a different thing.

I faced a new issue, described below: I received an email through my MailScanner that was okay. When I replied to it or forwarded it to anyone using Roundcube/any webmail/Outlook from the desktop, the DKIM was invalid, I mean not verified. Also found a clue from https://dkimvalidator.com/results

result = fail Details: body has been altered

If any suggestions, please share.

alexskynet commented 3 years ago

@rubeldonarman your issue seems different. My post was intended in addition to the Add Headers option as stated in the docs. If you're using OpenDKIM, very likely the keys are not synced with the main server, or you have to restart OpenDKIM to have the keys read. I have RC running on a server different from the mail server and I keep the keys synced with no DKIM problems at all. Alternatively you may set up RC to use the same mail server where MS is OK with DKIM. Hope this may help.

rubeldonarman commented 3 years ago

@alexskynet would you please assist with the following issue:

Body Hash Did Not Verify [DKIM Signature Body Hash]

alexskynet commented 3 years ago

@rubeldonarman does it work OK if sending a new email using any client (e.g. Thunderbird)? If not, does it work if disabling MS? Does it work if forwarding a message? I suspect the problem is in the setup of DKIM itself, not in MS: my setup works OK and DKIM gets verified.

rubeldonarman commented 3 years ago

Without MS, DKIM is working perfectly; with MS, Body Hash Did Not Verify. You can check with https://mxtoolbox.com/EmailHeaders.aspx

With MS: DMARC Compliant: OK; SPF Alignment: OK; SPF Authenticated: OK; DKIM Alignment: OK; DKIM Authenticated: Problem

Without MS: DMARC Compliant: OK; SPF Alignment: OK; SPF Authenticated: OK; DKIM Alignment: OK; DKIM Authenticated: OK

alexskynet commented 3 years ago

@rubeldonarman may I suggest you use this test instead of the headers-only test? https://www.mailgenius.com/spf-and-dkim-key-email-checker/ Let me know.

shawniverson commented 3 years ago

Signing of a message will always alter the body and cause the downstream system's DKIM check to fail. This is the point of DKIM: to see if a message has been altered in transit. The downstream systems should rely on the upstream system to do the DKIM verification prior to the addition of the signature, and not do their own DKIM verification of mail coming from this system.

ediazrod commented 3 years ago

I'd like to add that I have MailScanner v5 with DKIM enabled and a signature in inline.sig.html and don't have any issues with DKIM. Must be a problem in the config. (I'd like to clarify that now I am having problems with my email, because the version of exim4 on Debian 10 is more strict on the size.)

Skywalker-11 commented 3 years ago

> I'd like to add that I have MailScanner v5 with DKIM enabled and a signature in inline.sig.html and don't have any issues with DKIM. Must be a problem in the config.

Having a valid DKIM signature from the original sender and then adding additional mail content like MailScanner's signature are mutually exclusive by design. The MailScanner signature modifies the content of the mail (which is exactly what DKIM should prevent), and as such the original DKIM signature will no longer be valid.

The only way to add the MailScanner signature to a mail and for the end client to still be able to validate the DKIM signature of the original sender would be to add the original mail as an attachment (which doesn't contain the MailScanner signature) to the mail where the MS signature was added. But the receiver then has to open the original mail in the attachment manually if he wants to validate that DKIM signature.

The same also applies if MailScanner is configured to disarm links etc.
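The body-hash step that shawniverson's and Skywalker-11's comments above describe, as an added example that is not part of this thread or of MailScanner's code. It implements the "simple" and "relaxed" body canonicalizations of RFC 6376 (sections 3.4.3 and 3.4.4), recomputes the `bh=` tag of a DKIM-Signature header, and compares it with the signed value, which is what dkimvalidator's "body has been altered" verdict means. The message body, the whitespace-only variant and the DKIM-Signature header are constructed here; the footer text is the one quoted earlier in the thread, but how MailScanner frames it in the body is an assumption; `b=` is a placeholder because only the body hash, not the RSA signature over the headers, is checked.

```python
import base64
import hashlib
import re

# RFC 6376 section 3.4.3: "simple" body canonicalization.
def simple_body_canon(body: str) -> bytes:
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":           # drop trailing empty lines
        lines.pop()
    if not lines:                              # an empty body hashes as a single CRLF
        return b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")

# RFC 6376 section 3.4.4: "relaxed" body canonicalization.
def relaxed_body_canon(body: str) -> bytes:
    lines = []
    for line in body.replace("\r\n", "\n").split("\n"):
        line = re.sub(r"[ \t]+", " ", line)    # collapse runs of WSP to one SP
        lines.append(line.rstrip(" \t"))       # strip trailing WSP
    while lines and lines[-1] == "":           # drop trailing empty lines
        lines.pop()
    if not lines:                              # an empty body hashes as the empty string
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")

BODY_CANON = {"simple": simple_body_canon, "relaxed": relaxed_body_canon}

def body_hash(body: str, canon: str = "relaxed", hash_name: str = "sha256") -> str:
    """Return the base64 bh= value of a body under the given canonicalization."""
    digest = hashlib.new(hash_name, BODY_CANON[canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_body_hash(dkim_header_value: str, body: str) -> str:
    """Recompute bh= over the body as received and compare it with the signed value.

    Only the body-hash step is done here; verifying b= needs the signer's
    public key from DNS and the canonicalized headers listed in h=.
    """
    tags = parse_dkim_tags(dkim_header_value)
    hash_name = tags.get("a", "rsa-sha256").split("-")[-1]   # sha1 or sha256
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_hash(body, body_canon, hash_name) == tags["bh"]:
        return "pass"
    return "fail: body has been altered"

# --- constructed sample data (not taken from any real message) ---
ORIGINAL_BODY = (
    "Hello Bob,\r\n\r\n"
    "Please find the quarterly report attached.\r\n\r\n"
    "-- \r\nAlice\r\n"
)
# Same text with different inter-word/trailing whitespace and extra blank
# lines at the end: relaxed canonicalization is defined to tolerate this.
WHITESPACE_VARIANT = (
    "Hello   Bob,  \r\n\r\n"
    "Please find the\tquarterly report attached.\r\n\r\n"
    "--\r\nAlice\r\n\r\n\r\n"
)
# Footer text as quoted in the thread; the separator line is an assumption.
MAILSCANNER_FOOTER = (
    "\r\n--\r\n"
    "This message has been scanned for viruses and dangerous content by "
    "MailScanner, and is believed to be clean.\r\n"
)

def signed_header_for(body: str) -> str:
    """Build the DKIM-Signature the sender's signer would emit for this body.

    bh= is computed from the body at signing time; b= is a placeholder.
    """
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
            "\th=from:to:subject; bh=" + body_hash(body) + ";\r\n"
            "\tb=PLACEHOLDER")

def demo() -> dict:
    header = signed_header_for(ORIGINAL_BODY)
    return {
        "as_sent": check_body_hash(header, ORIGINAL_BODY),
        "whitespace_only": check_body_hash(header, WHITESPACE_VARIANT),
        "with_footer": check_body_hash(header, ORIGINAL_BODY + MAILSCANNER_FOOTER),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The three cases show the boundary: relaxed canonicalization absorbs whitespace and trailing blank-line changes, so those still pass, but any appended content changes the canonicalized body and the recomputed `bh=` no longer matches. A gateway that appends a footer, rewrites links or adds a disclaimer therefore invalidates the upstream signature regardless of how the footer is formatted, which is why verification has to happen before the modification, as the comments above say.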

ediazrod commented 3 years ago

I agree; another way is not to add a signature (I use MailScanner without a signature) and to add the signature using altermime, for example.

ediazrod commented 2 years ago

I'd like to add that the final solution is to avoid signatures in MailScanner and to put the LOPD or some advisory in the mail using exim. I can share some details. And leave MailScanner out of it, to avoid modifying the mail.