DKIM fail sending to Office 365 and Outlook.com

[lukekenny]

This is a bit of a weird one. WHM DKIM & SPF is set up correctly, and emails sent through the cPanel accounts to test services like dkimvalidator.com/ show DKIM passed. Emails sent to Gmail show DKIM passed.

However, emails sent to Office365 Exchange accounts and Outlook.com accounts show DKIM fail.

A sanitised example from an Office365 recipient:

Authentication-Results: spf=pass (sender IP is 1.1.1.1)
smtp.mailfrom=senderdomain.com.au; receivedomain.com.au; dkim=fail
(signature did not verify)
header.d=senderdomain.com.au;receivedomain.com.au; dmarc=pass action=none
header.from=senderdomain.com.au;compauth=pass reason=100

Where as the exact same test message sent to a Gmail account:

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass h[email protected] header.s=default header.b=uDV+6ipX;
spf=pass (google.com: domain of [email protected] designates 1.1.1.1 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=senderdomain.com.au

DMARC was enabled manually for this domain, trying to solve the problem. It doesn't make a difference if it's on or off.

dkimvalidator.com shows DKIM passes.

Does anyone have any idea what additional steps / configuration is required to get cPanel emails passing Microsoft's checks?

 

[cPanelMichael]

Hello @lukekenny,

Can you open a support ticket so we can take a closer look at the affected system to determine why DKIM verification fails when sending email to Office365/Outlook.com email servers? You can post the ticket number here and we'll link this thread to it.

Thank you.

 

[lukekenny]

Done.

Your Support Request ID is: 11989379

 

[QAZwsxED]

I recently solved a similar issue.
Solution: manually add a Message-Id (note not a Message-ID) header then connect and send an email.
cPanel WHM adds a Message-ID header and re-arranges the 'h' record in the DKIM signature which invalidates it, causing a DKIM:fail in the recipients mailbox.

 

[drandre]

We are having issues with our shared web host with attempting to update the Exim settings. They will not alter their Exim settings on the shared hosting platform and state if cPanel updates their servers with the corrections, they will apply those updates.

I discovered this 7 year old article (Exim's DKIM signatures do not verify on Microsoft servers (outlook, hotmail) *only*) which states by adding the following string into Exim email server...

dkim_sign_headers = to:from:subject:message-id:date:user-agent:mime-version:content-transfer-encoding

... has anyone attempted this or has cPanel provided a fix for this? I am attempting to get an update.

Is this DKIM authentication problem a configuration issue with my provider's Exim file configuration or is this a Microsoft mail (outlook.com/hotmail.com/O365Exchange) server issue?

 

[cPRex]

@drandre - it sounds like there is likely something else happening with your situation. If all cPanel servers had a configuration that caused messages to the Microsoft/Outlook network to fail, that would be a major issue that would be immediately addressed.

In the original ticket mentioned in this thread (11989379) it turned out to be a custom script sending the mail causing the issues that wasn't related to cPanel or Exim.

It would likely be best to start a new thread with your specific issues and we can look into that for you, but since you only have cPanel access you would not be able to get the necessary logs from the server-side to see exactly how Exim is handling the message.