4

Exchange is modifying emails before forwarding them out to an external Google Apps account. I'm hoping to find a way to fix this.

Here's some more detail:

Using Exchange 2010 SP3 Version 14.3.123.4

The exchange server is forwarding email of some users out to Google Apps accounts (using an External Contact in AD). Exchange is set to put the emails in the user's mailbox and also forward a copy to their Google Apps account. The issue is that outside emails (from @google.com for example) are failing the DKIM check on the Google Apps side after being forwarded from Exchange and they are marked as spam. I got this info from looking at the email source and seeing this message:

Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@example.com;
       spf=pass (google.com: domain of user@mydomain.com designates 1.1.1.1 as permitted sender) smtp.mailfrom=user@mydomain.com;
       dmarc=fail (p=REJECT dis=NONE) header.from=example.com
  • user@mydomain.com - a user with an exchange mailbox and Google apps
    account
  • 1.1.1.1 - outside IP of Exchange server, included in SPF record
  • example.com - outside public domain that has dmarc configured

Testing and results of direct vs forwarded emails:

Below is a sample of two emails. One email was sent to the Exchange server user's email address, the other email was sent directly to the Google Apps email address using the temporary Google Apps assigned domain alias (user@mydomain.com.test-google-a.com).

The subject and body were exactly the same in both emails sent out. The only difference between the two received is that the Exchange forwarded email had modified the body boundaries and the charset value now has quotes around the UTF-8.

Direct to Gmail (user@mydomain.com.test-google-a.com):

Content-Type: multipart/alternative; boundary=001a1149a47ee5ea57053414b981

--001a1149a47ee5ea57053414b981
Content-Type: text/plain; charset=UTF-8

Test body

--001a1149a47ee5ea57053414b981
Content-Type: text/html; charset=UTF-8

<div dir="ltr">Test body
</div>

--001a1149a47ee5ea57053414b981--

Forwarded from Exchange (user@mydomain.com):

Content-Type: multipart/alternative; boundary="001a1149a47ee5ea57053414b981"

--001a1149a47ee5ea57053414b981
Content-Type: text/plain; charset="UTF-8"

Test body

--001a1149a47ee5ea57053414b981
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">Test body
</div>

--001a1149a47ee5ea57053414b981--

I have a feeling that the DKIM fails because Exchange has added the quotes to the charset and boundary parameter values. Hopefully there is a way to disable this and then emails will pass the dkim without issue.

David
  • 53
  • 3
  • Are you sure google.com mail servers aren't just quarantining any external mail coming in with a from address of google.com or gmail.com as a matter of course? – Todd Wilcox Jun 09 '16 at 19:00
  • 2
    Yes I'm sure that's not it. it's not just google.com or gmail.com incoming emails that are marked as spam. Other domains with DMARC rules are also failing due to body hashes not verifying. – David Jun 11 '16 at 16:07
  • I am having the same problem but Exchange is also rewriting my To: headers which is what I thought was breaking DKIM, but probably it is doing this too. It is changing from eg "first.last@org.com" to: First Last . – robince Aug 10 '16 at 16:00
  • I found an article that mentions this exact issue with Exchange forwarding. The article is about hotmail transitioning to Exchange Online servers and they've noticed that Exchange "fixes up" the messages as they come in. This means some fields are modified to fit an Exchange standard, but this breaks DKIM when those messages are forwarded. The bad news is that the comments are recent as of Augist 2016 and they still haven't fixed it... https://blogs.msdn.microsoft.com/tzink/2016/05/19/why-does-my-email-from-facebook-that-i-forward-from-my-outlook-com-account-get-rejected/ – David Nov 14 '16 at 21:02

1 Answers1

0

Yes, preventing modification of emails in transit is one of the benefits of DKIM but obviously some side effects here. To pass DKIM your Exchange server must make no changes at all to the headers or DKIM will break, by design, to prevent message tampering.

It occurs to me that you might be asking how to stop Exchange from changing the headers or are you asking about DKIM's message tampering benefit/side effect depending? :-)

Neil Anuskiewicz
  • 431
  • 1
  • 3
  • 15
  • i'm looking to find out why Exchange is making these changes to all incoming emails and stop it from happening. – David Nov 14 '16 at 21:02