Pro / dkim-exchange

DKIM Signing Agent for Microsoft Exchange Server
409 stars 143 forks

DKIM-Result: fail wrong body hash #172

Closed Tsjoenkie closed 6 years ago

Tsjoenkie commented 7 years ago

This morning we installed DKIM-Exchange on our server. It was quite easy, but if we do a test we are receiving the following error: DKIM-Result: fail wrong body hash.

We tried to generate a new key and updated the DNS, but that didn't solve the problem.

Mikasa77 commented 7 years ago

Another new user also seeing this. Stamping for a few domains on our exchange 2010 edge box.

Validating Signature result = fail Details: body has been altered

Mikasa77 commented 7 years ago

Update to the issue.

Internal Exchange 2010 DAG nodes do signature stamping before handing the mails over to the edge relay via EdgeSync. DKIM signing is done at this stage.

All emails are signed but those with the signature fail validation tests with 'Body has been altered'. Removing the signature passed validation.

Pro commented 7 years ago

@Tsjoenkie can you enable debug output and check the logs: https://github.com/Pro/dkim-exchange#logging and the corresponding EventViewer (Hint: you can create a user defined view in EventLog and then select "Per Source" and as the value "Exchange DkimSigner")

@Mikasa77 signing must be done on the edge server, i.e., the last in line. Otherwise the edge server may alter the message body and thus the signature fails. You can also try to enable debug logging, but I think that this may be the problem in your case.

Mikasa77 commented 7 years ago

Cheers @Pro, this is how we've actually set it up. DKIM signing is done on the edge relay server, last stage. The signature stamping is carried out on the internal DAG nodes.

DAG Pair (Signature) - Edge Relay (DKIM) - Internet.

When I enable signatures on the DAG nodes the DKIM fails. Our internal devs had a look and think it may be due to the embedded images in the emails when signature stamping is enabled, the length being calculated incorrectly during the hashing. Would it be possible to have the DKIM tool offer the Body Length Limits ("l=") tag?

Many thanks

davehepler commented 7 years ago

Do you guys have an update on this? I have the exact same issue: DKIM-Result: fail (wrong body hash). We use CodeTwo Exchange Rules to embed signatures with pictures and whatnot. This is installed on the mailbox server. I have DKIM Signer on the edge transport server, last in line as mentioned above. If I disable CodeTwo signatures on the mailbox server, DKIM works. As Mikasa77 says above, it seems DKIM Signer is having a problem with embedded image techniques done by email signature software. I'll post any logs that may help you guys.

Pro commented 7 years ago

Can you try to reproduce the problem by disabling CodeTwo (and any other third party tools), and then create a new email in Outlook, write some text and embed an image inline?

If yes, let me know how you did it, so I can debug it on my dev system.

group-it commented 7 years ago

Hi, I am experiencing the same issue. We have no third party tools applying signatures other than Outlook adding in a logo.
Someone earlier suggested TNEF being an issue. I've just set a remote domain to not allow Rich Text, and so I'm hoping this will negate the issue.

Did anyone on this list get to the bottom of the issue? I was testing against port25.com and got Result: fail (wrong body hash: expected CRo9tlAcHCs6YyNktFe0jqPNNIdedW5RGVAZqSZ6GfE=)

kubik256 commented 6 years ago

Hi, I had this problem a few months ago. I've solved it by turning off the auto-signing emails feature in the antivirus software. The AV software never had any registered transport agent, but somehow it was still able to change every outgoing email.

Maybe this can help. BR

Pro commented 6 years ago

Thanks for the update. DKIM Signer has to be the last entity changing the email/calculating the body hash. If there's any other tool changing the email after the signer calculated the body hash, it will result in a wrong body hash.

Therefore always make sure that there is no AntiVirus/Gateway/Firewall/ISP/Provider which changes your email after it is sent.
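To make the "wrong body hash" result in this thread concrete, here is an added example (not code from dkim-exchange or from anyone in the thread) that implements RFC 6376 body canonicalization and the bh= check, then replays the scenario above: the edge server signs the body, and a later hop appends an HTML logo signature. The message bodies, the domain `example.com`, the selector `edge1` and the `b=PLACEHOLDER` value are all constructed.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Strip trailing WSP on every line and collapse inner WSP runs to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":      # drop empty lines at the end of the body
        lines.pop()
    if not lines:                          # empty body: "" (relaxed) or CRLF (simple)
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, method: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (folding WSP removed)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def sign_at_edge(body: bytes, method: str = "relaxed") -> str:
    """What the last hop emits. Domain and selector are constructed; b= is a placeholder."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{method}; d=example.com; s=edge1; "
            f"h=from:to:subject; bh={body_hash(body, method)}; b=PLACEHOLDER")

def verify_body_hash(dkim_signature: str, body: bytes) -> tuple:
    """Recompute bh= over the body as received: the check behind the failures in this thread."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    method = canon[1] if len(canon) > 1 else "simple"   # second element is the body canon
    computed = body_hash(body, method)
    return computed == tags.get("bh"), computed

# Constructed sample: the body as handed to the signer on the edge server ...
ORIGINAL_BODY = b"Hello,\r\n\r\nPlease find the report attached.\r\n"
# ... and the same body after a downstream tool appended an HTML logo signature.
ALTERED_BODY = ORIGINAL_BODY + b"--\r\nACME Corp <img src=\"cid:logo@example.com\">\r\n"
```

`verify_body_hash(sign_at_edge(ORIGINAL_BODY), ALTERED_BODY)` returns `(False, ...)` for the appended signature, while relaxed canonicalization still passes if a gateway only changes trailing whitespace, which is why the usual advice is to keep the signer as the last hop rather than to loosen the check.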