DMARC and DKIM alignment with multiple DKIM signatures

Question

If an email contains multiple DKIM signatures as it's forwarded, how does DMARC process the DKIM alignment check?

Does ANY passing DKIM signature d= parameter have to match Header From?

or

Does the first (or last) DKIM signature d= parameter have to match Header From?

or

Does the single DKIM as indicated in the "Authentication-Results" have to pass (which may always be the last?)?

This is NOT a question of relaxed vs. strict.

Thank you!

were you ever able to find the answer to this question? – caradrye Sep 14 '18 at 19:50 — caradrye, Sep 14 '18 at 19:50

score 5 · Accepted Answer · edited Oct 07 '21 at 07:34

5

According to DMARC specification: https://www.rfc-editor.org/rfc/rfc7489

Note that a single email can contain multiple DKIM signatures, and it is considered to be a DMARC "pass" if any DKIM signature is aligned and verifies.

edited Oct 07 '21 at 07:34

Community

1

answered Jan 03 '19 at 03:36

Messa

219
3
8

score 4 · Answer 2 · answered Sep 14 '18 at 20:06

4

If there are multiple DKIM signatures, only one of them must align for DKIM alignment to be valid according to https://mxtoolbox.com/problem/dkim/dkim-signature-alignment

answered Sep 14 '18 at 20:06

caradrye

141
3

DMARC and DKIM alignment with multiple DKIM signatures

2 Answers2