How to Preserve the Message Headers Used by the DKIM Signing When Using Axigen as a Mail Gateway

When messages are DKIM-signed using the "simple" Header Canonicalization Algorithm, the message headers must not be modified while the message transits intermediate mail servers; otherwise the DKIM verification fails.

If DKIM-signed messages are relayed via a mail gateway, it is preferable to use the "relaxed" Header Canonicalization Algorithm, which is more tolerant of common in-transit modifications such as white space replacement and line wrapping.

Solution

For example, Axigen is configured as a mail gateway in front of a Microsoft Exchange 2003 server, and the Exchange server performs the DKIM signing using the "simple" canonicalization algorithm.

The DKIM-Signature header generated by the Exchange server looks similar to the one below (notice the single-line formatting):

DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple; q=dns/txt; h=Date : From : Message-ID : Subject : To; bh=ta2DKFMS95GoEJkWkwRWDsSJSuQ=; b=j9YmumTM/jXCJNZdYZkK8Z4xWiDsFS/EvwXjbISlvdfyQTCSimK6qsqAgRT1kocKnKSGp+IRMcVvwy4I+AWIx9UR8IP4YB6b9pcjqtAoi3WwuXLqnJKhqkBmwGK/BqBnMk2prOoXi0l/4avnydZZO9kJQ34b/UZdhV6yoYy/Ang=;


After the message transits Axigen, the header is folded by default and looks as below (formatted on multiple lines):

DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple;
 q=dns/txt; h=Date : From : Message-ID : Subject : To;
 bh=ym6BPHuJ4389BZ7DKHcNK+exuj8=;
 b=wp/KVt3DcuJLnaCV6P/TM2yz/FomP8e6LCnOIZU9esqbBEsY9BRjhtb2v8cBYXjuuGOQfip/muMTGawDZl1lQkEHjdoPCX8CssuzYRfgO1dtnLdbAUKC1CVEbrbBlTw/QpxKL+BKOmx1GSrIb1kUyN2Uh2PxUUGapYNL0gSltm8=;



When the message is received by the recipient, for example by a Yahoo account, the DKIM verification fails:

Authentication-Results: mta1453.mail.ne1.yahoo.com  from=domain.tld; domainkeys=neutral (no sig);  from=domain.tld; dkim=permerror (bad sig)
DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple;
 q=dns/txt; h=Date : From : Message-ID : Subject : To;
 bh=ym6BPHuJ4389BZ7DKHcNK+exuj8=;
 b=wp/KVt3DcuJLnaCV6P/TM2yz/FomP8e6LCnOIZU9esqbBEsY9BRjhtb2v8cBYXjuuGOQfip/muMTGawDZl1lQkEHjdoPCX8CssuzYRfgO1dtnLdbAUKC1CVEbrbBlTw/QpxKL+BKOmx1GSrIb1kUyN2Uh2PxUUGapYNL0gSltm8=;
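
Why folding breaks "simple" but not "relaxed", shown as an added example (not Axigen or Exchange code): it applies both RFC 6376 header canonicalizations to one header before and after folding and compares the digests. The sample header and the `fold` helper are constructed for illustration; `fold` only stands in for a relay's line wrapping and is not Axigen's actual algorithm.

```python
import hashlib
import re

# Constructed sample modelled on the article's header; bh=/b= are placeholders.
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; "
          b"c=simple/simple; q=dns/txt; h=Date : From : Message-ID : Subject : To; "
          b"bh=PLACEHOLDER; b=PLACEHOLDER;\r\n")

def fold(header: bytes, width: int = 78) -> bytes:
    """Stand-in for a relay's folding (assumed behaviour): break before a space."""
    words = header.rstrip(b"\r\n").split(b" ")
    lines, cur = [], words[0]
    for w in words[1:]:
        if len(cur) + 1 + len(w) > width:
            lines.append(cur)
            cur = b" " + w          # continuation line starts with WSP
        else:
            cur += b" " + w
    lines.append(cur)
    return b"\r\n".join(lines) + b"\r\n"

def canon_simple(header: bytes) -> bytes:
    """RFC 6376 section 3.4.1: the header is hashed exactly as received."""
    return header

def canon_relaxed(header: bytes) -> bytes:
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse and trim WSP."""
    name, _, value = header.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)   # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)         # WSP runs -> single SP
    value = value.rstrip(b"\r\n").strip(b" ")       # drop WSP at both ends
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def survives_folding(canon) -> bool:
    """True if the digest of the canonical form is unchanged after folding."""
    # The digest algorithm does not matter here; only the input bytes differ.
    before = hashlib.sha256(canon(SAMPLE)).hexdigest()
    after = hashlib.sha256(canon(fold(SAMPLE))).hexdigest()
    return before == after

if __name__ == "__main__":
    print("simple  survives folding:", survives_folding(canon_simple))
    print("relaxed survives folding:", survives_folding(canon_relaxed))
```

A real verifier hashes all headers listed in h= plus the DKIM-Signature header with its b= value emptied; the single-header comparison here isolates the effect of folding on that input.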



If the "simple" Header Canonicalization Algorithm is used, the following advanced SMTP acceptance rule instructs the Axigen server not to fold the message headers, in order for the DKIM verification to pass at the destination:

  • in the Webadmin interface, navigate to Security & Filtering -> Acceptance & Routing -> Advanced Settings
  • click the 'Add Acceptance / Routing Rule' button
  • enter a descriptive name for the rule
  • in the Conditions section, leave the default 'Match any email message'
  • in the Actions section, select Settings -> RFC Break and add the action
  • ensure that the checkbox next to 'No folding' is ticked
  • ensure that the checkbox next to 'Body CR-LF correction' is not ticked
  • save the rule

After configuring this rule, the DKIM-Signature header is no longer folded and the DKIM verification passes at the destination:

Authentication-Results: mta1192.mail.gq1.yahoo.com  from=domain.tld; domainkeys=neutral (no sig);  from=domain.tld; dkim=pass (ok)
DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple; q=dns/txt; h=Date : From : Message-ID : Subject : To; bh=ta2DKFMS95GoEJkWkwRWDsSJSuQ=; b=j9YmumTM/jXCJNZdYZkK8Z4xWiDsFS/EvwXjbISlvdfyQTCSimK6qsqAgRT1kocKnKSGp+IRMcVvwy4I+AWIx9UR8IP4YB6b9pcjqtAoi3WwuXLqnJKhqkBmwGK/BqBnMk2prOoXi0l/4avnydZZO9kJQ34b/UZdhV6yoYy/Ang=;

OS: Linux, Windows, FreeBSD, Solaris
Distros: Windows, RPM based distros x64, DEB based distros amd64