"add security info" setting alters email -> DKIM breaks

Been dealing with a dkim failure I initially couldn’t explain. Turned out that the failing emails were S/MIME signed and due to “add security info” being active “[Signed]” got added to the subject line which of course is a change of the message content and hence broke DKIMs Body Hash verification. A side effect of this setting which is obvious in hindsight. Maybe worth a note in the docs?

Yes that is certainly an issue. It’s not only an issue with add security info. Any change to the email body will break DKIM and since decrypting an email implies that the body is changed, decrypting an email will break the DKIM signature.

SPF checking has similar issues. Because the CipherMail gateway handles all incoming email, for decryption, and then forwards the email to the next email server, SPF checks fail if the next server checks SPF. This is because the IP address of the CipherMail gateway is not listed on the SPF record of the external sender domain.

It’s therefore important that DKIM and SPF checks are only done before decryption, not after.

We therefore always advise to setup the gateway in a mail filter setup where the message is first received by the anti-spam/virus server. The first time the anti-spam/virus server accepts the message it should check DKIM and SPF. The email should then be forwarded to the CipherMail gateway for decryption.

After decryption, the CipherMail gateway sends the email back to the anti-spam/virus server. The anti-spam/virus server should now check again whether the decrypted email contains any viruses. DKIM and SPF should however not be checked again because these would fail.

To prevent loops, the anti-spam/virus server should not send the mail back again to the CIpherMail gateway if the email came from the CipherMail gateway.

Office 365, for example supports this setup where DKIM and SPF checks are skipped when the email cam from the CipherMail gateway IP address



1 Like