Exim's DKIM signatures do not verify on Microsoft servers (outlook, hotmail) only

Question

Gmail as well as a local ISP passes DKIM for Exim emails, but Microsoft does not, with the fail noted in the header:

Authentication-Results: spf=pass (sender IP is [correct IP]) smtp.mailfrom=[correct domain].co.uk; outlook.com; dkim=fail (signature did not verify) header.d=[correct domain];outlook.com; dmarc=bestguesspass action=none header.from=[correct domain];

What I have tried:

I sent an email to outlook from the same domain through Google Apps (G Suite) email (using a different DKIM selector, i.e. another public key in another DNS TXT record) to compare the message sources - Google's message passed DKIM.

I noticed two things:

Google included far fewer headers in the "h" tag , so I reconfigured Exim to also use precisely these, but to no avail.
Google included the header names in lower-case in the "h" tag, whereas Exim does not, even though I entered them in lower-case in Exim's configuration. I read that header names should be lower-cased when generating the header signature hash, but the text does not state that the same applies to the header names in the "h" tag (http://dkimcore.org/specification.html section 3.2), yet Google seems to do this. I imagine overriding this in Exim would be quite hard?

I also noticed that besides the differences in "h", the DKIM-Signature header structure is exactly the same in both bar some whitespace differences (the exim one also only has spaces and new lines after the semicolon separators, so it appears to be fine, it's just broken up differently). At first I thought maybe Exim wasn't setting some required tags, but in such a case the error should be different anyway.

Exim Version: 4.87 Running on a cPanel 11 centOS 7.2 server Exim DKIM configuration:

dkim_remote_smtp:
  driver = smtp
  interface = <; ${if exists {/etc/mailips}{${lookup{${lc:$sender_address_domain}}lsearch{/etc/maili
ps}{$value}{${lookup{${lc:$sender_address_domain}}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_
sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{${lc:$sender_address_domain}}lsearch{/etc/mailhel
o}{$value}{${lookup{${lc:$sender_address_domain}}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_
sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
  dkim_domain = ${lc:$sender_address_domain}
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  dkim_canon = relaxed
  dkim_sign_headers = to:from:subject:message-id:date:user-agent:mime-version:content-transfer-encoding

(The last line was added by me - it did not work before either)

As it seems the error specifically relates to the signature verification, I do not believe the following is relevant, but I include it anyway:

The Exim email is being sent by Mr nobody on the server, but the envelope-from and the Return-Path header is the correct email address of the intended sender. There shouldn't be any problems in this area since SPF, even on MS, is passing.

While the email sent from Google has

Message-ID: <[id]@[domain of sender]>

the email sent by Exim has

Message-ID: <[id]@[server host name]>

Any help/ideas?

score 2 · Accepted Answer · answered Nov 20 '16 at 21:28

Wow that was lucky! I found the answer by quite a chance when hopelessly searching Exim's user mailing list before posting there. One of the announcement messages that I opened was also posted to exim-dev and so right at the bottom the archive viewer displayed the previous message in this mailing list, which happened to be about an old, resolved DKIM bug "Headers included in dkim_sign_headers are not in the signature when not in the message".

However, this gave me the idea to exclude the headers that were not in my Exim generated email from dkim_sign_headers... And it worked :)

dkim=pass (signature was verified)

It seems DKIM signatures are supposed to be calculated using non-existent headers that are specified in the "h" tag to make the signature fail if they are subsequently added to the email (makes some security sense), so my guess would be MS is messing up the calculation, but I don't know for sure.

Hi! The solution was to add the next string on your Exim config file ? `dkim_sign_headers = to:from:subject:message-id:date:user-agent:mime-version:content-transfer-encoding` — NetVicious, Nov 22 '17 at 15:25

score 1 · Answer 2 · answered Mar 19 '18 at 21:25

With the answer of @lm713 I went to work in the exim config file. This is what I did:

Look in the header and see what was send with the DKIM record. In my case it was this:

from user by server.domain.com with local (Exim 4.83) (envelope-from ) id xx-0000123-0K; Mon, 19 Mar 2018 21:04:41 +0100
Via SSH: Go to the exim.dkim.conf file. You can find it here: /etc/exim.dkim.conf . If you don't have it and use DirectAdmin follow this tutorial: https://help.directadmin.com/item.php?id=569
Add an extra row in the file starting with "dkim_sign_headers = ".
Look at your header DKIM record and name the elements you see. In my case it was:

from user by server.domain.com with local (Exim 4.83) (envelope-from ) id xx-0000123-0K; Mon, 19 Mar 2018 21:04:41 +0100

So I wrote: dkim_sign_headers = from:user-agent:message-id:date

After this type in ssh: service exim restart.

Now it should work.

Exim's DKIM signatures do not verify on Microsoft servers (outlook, hotmail) *only*

2 Answers2

Exim's DKIM signatures do not verify on Microsoft servers (outlook, hotmail) only