Does DKIM work?

SonicAdmin80 Cybersecurity Overlord ✭✭✭

Since there's still a long-standing issue with SPF verification not working, I was wondering about DKIM verification. Does it actually work reliably?

I'm seeing DKIM failures for certain messages from known senders with the reason "body hash mismatch" but I can't be certain if these are actual failures from the sender side or if ES is evaluating them wrong.

The messages are from known senders and not all messages from them are failing verification. Could be an issue on the sender side, I've seen similar issues with Office 365 as sender when their key rotation isn't working properly.

Another thing is that often outright DKIM failure doesn't seem to affect message evaluation much and spam is getting through even with failures.

Category: Email Security Appliances

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @SonicAdmin80

    DKIM problems are way harder to debug than SPF, but in general I would say it works (until it got broken again). I checked my log and DKIM failures are rare.

    This week I had a case where some mails from remote mail gateways got marked with a DKIM failure which was working without a problem before and after those events. This might be caused by the remote end through key rotation etc.

    But because of having not much faith in the DNS resolving on the ESA I cannot say for sure.

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    That's my feeling as well. I have some messages failing DKIM verification and others not from the same sender. So could be a key rotation issue but can't really be sure who to blame.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @SonicAdmin80

    On a new deployment (don't ask me why) I experienced Temporary Errors for DKIM today. This could be caused by DNS, who knows. But even more strange is the fact that the first mails with this error (coming from Microsoft 365) are treated as Threat Likely Spoof with Action to Junk Box. But after a few more messages it switched over to Rejected instead of Junk Box, despite the configuration showing otherwise.

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @BWC, yes it seems to be quite inconsistent. Even the same messages to different recipients can be evaluated differently. I've also seen problems with DKIM verification with messages coming from M365. At times it seems that M365 itself is the culprit with their key rotation not working properly, but other times it just feels like Email Security isn't very reliable with DKIM validations, not unlike with SPF.

  • Halon5 Enthusiast ✭✭

    Hey @SonicAdmin80 @BWC,

    Do you have TOC turned on? You can try turning it off and see if you still have the problem. Basically ES (TOC) was messing with the body and in doing so was breaking DKIM. Indeed the test for DKIM (on ES) was clearly happening after messing with the body.

    We raised an issue for "Body Hash Mismatch" and a fault was raised.

    What release are you on?


    Kindly, Steph.
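Added example, not part of any post in this thread and not SonicWall code: a Python sketch that recomputes the DKIM body hash (`bh=`) per RFC 6376 for a raw message, which is the value a "body hash mismatch" verdict is about. The messages, domain, selector and rewritten URL are constructed, and a SHA-256 signature algorithm is assumed.

```python
import base64
import hashlib
import re
from email import message_from_bytes

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization: 3.4.3 (simple), 3.4.4 (relaxed)."""
    lines = re.sub(rb"\r?\n", b"\r\n", body).split(b"\r\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space, drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # empty lines at end of body are ignored
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple", length=None) -> str:
    """Base64 SHA-256 of the canonicalized body (assumes e.g. a=rsa-sha256)."""
    canon = canonicalize_body(body, mode)
    if length is not None:              # optional l= tag limits the signed length
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def check_bh(raw: bytes) -> dict:
    """Compare bh= in the first DKIM-Signature header with the body as received."""
    head, _, body = raw.partition(b"\r\n\r\n")
    sig = message_from_bytes(head + b"\r\n\r\n")["DKIM-Signature"]
    pairs = (t.split("=", 1) for t in sig.split(";") if "=" in t)
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    # c=header/body; the body part defaults to "simple" when omitted.
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    computed = body_hash(body, mode, int(tags["l"]) if "l" in tags else None)
    return {"claimed": tags["bh"], "computed": computed, "match": computed == tags["bh"]}

# Constructed sample data (not from the thread): signer, domain and URLs are made up.
SENT = b"Hello,\r\nsee https://example.com/report  \r\n\r\n"
RESPACED = b"Hello,\r\nsee https://example.com/report\r\n"
REWRITTEN = SENT.replace(b"https://example.com/", b"https://rewriter.example.net/?u=example.com/")

def make_msg(received_body: bytes) -> bytes:
    """Message whose bh= was computed by the sender over SENT (b= is a placeholder)."""
    bh = body_hash(SENT, "relaxed").encode()
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b" s=sel1; h=from:subject; bh=" + bh + b"; b=PLACEHOLDER\r\n"
            b"From: a@example.com\r\nSubject: test\r\n\r\n" + received_body)

if __name__ == "__main__":
    for name, body in (("sent", SENT), ("respaced", RESPACED), ("rewritten", REWRITTEN)):
        print(name, check_bh(make_msg(body))["match"])
```

This only checks `bh=`; it does not verify the `b=` signature or fetch the key from DNS. Whitespace-only changes survive relaxed canonicalization, while a rewritten URL changes the hash under either mode.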

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @Halon5, I don't dare to use TOC anymore after Microsoft quarantined all messages that included the rewritten URL. So that shouldn't have any effect. I'm still on 10.0.6.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Halon5

    The last experience was more with Temporary Errors (whatever that means), running the latest available 10.0.9 release.

    If TOC is causing "Body Hash Mismatch", this would be plain stupid, DKIM checks have to be done before altering the mail. But who am I to judge.

    --Michael@BWC

  • Halon5 Enthusiast ✭✭

    Hiya @BWC @SonicAdmin80, well a DTS 221471 was raised for DKIM / TOC some time ago. I was too chicken to actually try TOC again afterwards. It was SUPPOSED to be fixed in 10.0.6

    S.
