If DKIM-signed messages are relayed via a mail gateway, it is preferable to use the "relaxed" Header Canonicalization Algorithm, which is more tolerant of common in-transit modifications such as white space replacement and line wrapping.
Solution
The DKIM-Signature header generated by the Exchange server looks similar to the one below (notice the single-line formatting):
DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple; q=dns/txt; h=Date : From : Message-ID : Subject : To; bh=ta2DKFMS95GoEJkWkwRWDsSJSuQ=; b=j9YmumTM/jXCJNZdYZkK8Z4xWiDsFS/EvwXjbISlvdfyQTCSimK6qsqAgRT1kocKnKSGp+IRMcVvwy4I+AWIx9UR8IP4YB6b9pcjqtAoi3WwuXLqnJKhqkBmwGK/BqBnMk2prOoXi0l/4avnydZZO9kJQ34b/UZdhV6yoYy/Ang=;
After the message transits Axigen, the header is folded by default and looks like the one below (wrapped across multiple lines):
DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple;
q=dns/txt; h=Date : From : Message-ID : Subject : To;
bh=ym6BPHuJ4389BZ7DKHcNK+exuj8=;
b=wp/KVt3DcuJLnaCV6P/TM2yz/FomP8e6LCnOIZU9esqbBEsY9BRjhtb2v8cBYXjuuGOQfip/muMTGawDZl1lQkEHjdoPCX8CssuzYRfgO1dtnLdbAUKC1CVEbrbBlTw/QpxKL+BKOmx1GSrIb1kUyN2Uh2PxUUGapYNL0gSltm8=;
When the message is received by the recipient, for example by a Yahoo account, the DKIM verification fails:
Authentication-Results: mta1453.mail.ne1.yahoo.com from=domain.tld; domainkeys=neutral (no sig); from=domain.tld; dkim=permerror (bad sig)
DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple;
q=dns/txt; h=Date : From : Message-ID : Subject : To;
bh=ym6BPHuJ4389BZ7DKHcNK+exuj8=;
b=wp/KVt3DcuJLnaCV6P/TM2yz/FomP8e6LCnOIZU9esqbBEsY9BRjhtb2v8cBYXjuuGOQfip/muMTGawDZl1lQkEHjdoPCX8CssuzYRfgO1dtnLdbAUKC1CVEbrbBlTw/QpxKL+BKOmx1GSrIb1kUyN2Uh2PxUUGapYNL0gSltm8=;
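Why the folded header fails under "simple" but would still verify under "relaxed", as an added example that is not part of the original article or Axigen's code. It applies the two header canonicalizations from RFC 6376 to the sample signature header; the fold() helper is a hypothetical stand-in for a relay re-wrapping the header, and the b= value is emptied, as it is when the signature header itself is hashed.

```python
import hashlib
import re

CRLF = "\r\n"

def canon_simple(field: str) -> str:
    """RFC 6376 section 3.4.1: the header field is hashed exactly as received."""
    return field

def canon_relaxed(field: str) -> str:
    """RFC 6376 section 3.4.2: lowercase the name, unfold, collapse whitespace."""
    name, value = field.split(":", 1)
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)        # each WSP run becomes one SP
    return name.strip().lower() + ":" + value.strip(" \r\n") + CRLF

def fold(field: str, width: int = 78) -> str:
    """Hypothetical relay behaviour: re-wrap a long header at '; ' boundaries."""
    parts = field.rstrip(CRLF).split("; ")
    lines, current = [], parts[0]
    for part in parts[1:]:
        if len(current) + 2 + len(part) > width:
            lines.append(current + ";")
            current = "\t" + part            # continuation line starts with WSP
        else:
            current += "; " + part
    lines.append(current)
    return CRLF.join(lines) + CRLF

def survives(canon, signed: str, relayed: str) -> bool:
    """True if signer and verifier would hash identical bytes for this field."""
    # SHA-256 is used only to compare inputs; the hash choice does not matter here.
    h = lambda s: hashlib.sha256(canon(s).encode("ascii")).digest()
    return h(signed) == h(relayed)

# Constructed sample: the article's tag values on one line, with b= left empty.
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple; "
          "q=dns/txt; h=Date : From : Message-ID : Subject : To; "
          "bh=ta2DKFMS95GoEJkWkwRWDsSJSuQ=; b=;" + CRLF)
FOLDED = fold(SIGNED)

if __name__ == "__main__":
    print(FOLDED)
    print("simple :", survives(canon_simple, SIGNED, FOLDED))
    print("relaxed:", survives(canon_relaxed, SIGNED, FOLDED))
```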
If the "simple" Header Canonicalization Algorithm is used, the following advanced SMTP acceptance rule instructs the Axigen server not to fold the message headers, in order for the DKIM verification to pass at the destination:
- in the Webadmin interface, navigate to Security & Filtering -> Acceptance & Routing -> Advanced Settings
- click the 'Add Acceptance / Routing Rule' button
- enter a descriptive name for the rule
- in the Conditions section leave the default 'Match any email message'
- in the Actions section select Settings -> RFC Break -> add the action
- ensure that the checkbox next to 'No folding' is ticked
- ensure that the checkbox next to 'Body CR-LF correction' is not ticked
- save the rule
After configuring this rule, the DKIM-Signature header is no longer folded and the DKIM verification passes at the destination:
Authentication-Results: mta1192.mail.gq1.yahoo.com from=domain.tld; domainkeys=neutral (no sig); from=domain.tld; dkim=pass (ok)
DKIM-Signature: v=1; a=rsa-sha1; s=dkim; d=domain.tld; c=simple/simple; q=dns/txt; h=Date : From : Message-ID : Subject : To; bh=ta2DKFMS95GoEJkWkwRWDsSJSuQ=; b=j9YmumTM/jXCJNZdYZkK8Z4xWiDsFS/EvwXjbISlvdfyQTCSimK6qsqAgRT1kocKnKSGp+IRMcVvwy4I+AWIx9UR8IP4YB6b9pcjqtAoi3WwuXLqnJKhqkBmwGK/BqBnMk2prOoXi0l/4avnydZZO9kJQ34b/UZdhV6yoYy/Ang=;