Messages with a DKIM error are silently discarded without any notice
A search for DKIM errors inside /var/log/exim_rejectlog reveals quite a few messages with the DKIM error "bodyhash_mismatch" which were silently discarded without returning any error.
Example:
# grep bodyhash_mismatch /var/log/exim_rejectlog
2025-01-25 14:20:50 1talxg-000AGn-14 H=mail-dbaeur02on2051.outbound.protection.outlook.com (EUR03-DBA-obe.outbound.protection.outlook.com) [40.107.101.11]:43392 X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM : DKIM: encountered the following problem validating domain.com: bodyhash_mismatch
These errors are invisible. They do not produce a returned error message to the sender, nor do they appear in the WHM report email.
This is really annoying because the users are missing these messages while the senders are not receiving any error. This ends in frequent complaints that the fault must be on our side instead of on the other side, because, for some esoteric reason, many users believe that big companies cannot produce errors and therefore the fault must be on our side.
Inside /var/log/exim_rejectlog I accumulate messages from some big companies (insurance companies and similar) who are sending messages with a wrong DKIM configuration, causing the "bodyhash_mismatch" error. It seems to be because they are using different services to send their messages, although without a proper configuration linked to their own domain. As these companies are very big, it doesn't affect all their senders. Just in a random way some messages can appear with this DKIM error, and then they are silently discarded by the cPanel server.
I have seen on the Internet that the standard procedure is to send a returned message to the sender with SMTP codes 554 or 550, including a text saying there is a DKIM error on their side.
This is really necessary for the customers to clarify what happened, because in that way the sender can receive the error and then everything becomes clear.
At least in my case these e-mails are not produced. These failed "bodyhash_mismatch" messages are invisible, unless I go and check inside exim_rejectlog. They do not appear in the WHM mail report, nor are there SMTP messages with the error going to the sender.
Please, can you confirm if there is some way to enable these returned messages after this DKIM error?
thanks
-
Hey there! Inside WHM >> Exim Configuration Manager there are two options you can enable to adjust this behavior:
"Allow DKIM verification for incoming messages" and "Reject DKIM failures". Are both of those enabled on your machine? If not, there wouldn't be any failure messages sent.
-
Yes, I have both enabled, although there is no automatic message generated for the sender with the DKIM error.
Have you checked whether automatic e-mail messages are sent by Exim after DKIM errors? I have never seen these traces in the logs.
-
I reached out to our email team about this one and confirmed that there is no bounce of any kind sent to the sender for failed DKIM messages. Would you like me to submit an official feature request to add that behavior?
-
It would be good, thanks!
Really, I think this is not an added feature but a failure in the mail system. These DKIM errors appear after a correct SPF validation. At that point the probability of a non-authentic sender is lower than in the previous step. However, there is no message to inform the sender about the rejection because of a wrong DKIM configuration.
On my side I have created a script to parse the exim_reject.log to find these missed messages. It sends one message to the sender with their DKIM error, and a daily summary to the receiver with their missed messages. It runs from a cron every 12 hours. It is not perfect, but enough to clarify to our customers that the fault was on the sender's side, even if it is a big company.
Big companies also seem to be victims of the fashion of avoiding the task of sending their own e-mails. Instead, they upload their customers' data to Mailgun and other mailing services, although later one can check that they are not configuring the DKIM fields properly.
Given that growing fashion, we can probably expect more of these DKIM failures in the coming times, and a bounce after a DKIM error may be necessary.
thanks
-
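A script of the kind described in the post above, written here as an added example (it is not the poster's own script): it parses exim_rejectlog lines in the format quoted earlier in the thread, keeps only the DKIM rejections, and groups them for the two notices mentioned (per-sender notice, per-domain daily summary). The sample log lines are constructed; the F=<envelope-sender> field is assumed to be present in the local log format, since the line quoted in the thread does not show one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the exim_rejectlog format quoted in the thread.
# Lines 2-3 assume an F=<envelope-sender> field is logged; the quoted line
# in the thread does not carry one, so sender notices need that assumption.
SAMPLE_REJECTLOG = """\
2025-01-25 14:20:50 1talxg-000AGn-14 H=mail-dbaeur02on2051.outbound.protection.outlook.com (EUR03-DBA-obe.outbound.protection.outlook.com) [40.107.101.11]:43392 X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM : DKIM: encountered the following problem validating domain.com: bodyhash_mismatch
2025-01-25 15:02:11 1tamZk-000BQx-2f H=mx.example.net (mx.example.net) [192.0.2.10]:50211 F=<billing@domain.com> rejected DKIM : DKIM: encountered the following problem validating domain.com: bodyhash_mismatch
2025-01-25 15:10:03 1tamhC-000BZ1-0p H=relay.example.org [198.51.100.7]:41000 F=<noreply@other.test> rejected DKIM : DKIM: encountered the following problem validating other.test: fail
2025-01-25 15:11:47 1tamio-000Bb9-1Q H=spam.example [203.0.113.5]:12345 rejected after DATA: unroutable address
"""

# Matches only DKIM rejections; every other rejectlog entry is skipped.
DKIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]:\d+ "
    r"(?:(?!rejected DKIM)\S+ )*?"  # skip X=, CV=, F= and similar fields
    r"rejected DKIM : DKIM: encountered the following problem validating "
    r"(?P<domain>\S+): (?P<error>\S+)$"
)
SENDER_RE = re.compile(r" F=<(?P<sender>[^>]*)>")

def parse_dkim_rejects(text):
    """Return one dict per DKIM rejection: ts, msgid, host, ip, domain, error, sender."""
    events = []
    for line in text.splitlines():
        m = DKIM_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        s = SENDER_RE.search(line)
        ev["sender"] = s.group("sender") if s else None  # None when F= is absent
        events.append(ev)
    return events

def summarize_by_domain(events):
    """Counts per signing domain, for the daily summary to the receiving side."""
    return Counter(ev["domain"] for ev in events)

def notices_to_senders(events):
    """Group rejections by envelope sender so one notice per sender can be built.
    Rejections without a logged F= field cannot be notified and are left out."""
    out = defaultdict(list)
    for ev in events:
        if ev["sender"]:
            out[ev["sender"]].append((ev["ts"], ev["msgid"], ev["domain"], ev["error"]))
    return dict(out)
```

Feeding the real log file into parse_dkim_rejects and handing the two groupings to whatever mailer the cron job uses is the only part left to the local setup.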
Thanks for the additional details. I submitted that feature request (we can call it whatever we want, but to get something added to the product it's a "feature" request) with a link to this thread so they can read the full discussion here - thanks!