DKIM: encountered the following problem validating domain : bodyhash_mismatch

[lfpiaggio]

Hello, guys.

I have 2 cpanel's servers. CP4 and CP6

A client opened a support saying that the email has been returned.

What the client sent:

Return-path: <[email protected]>
Received: from [IPREMOVED] (port=54890 helo=DESKTOPTSBTF9A)
by domain-cp4.domain.com.br with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <[email protected]>)
id 1fgW6M-000Fkw-EC; Fri, 20 Jul 2018 11:09:50 -0300
From: "Luiz Portnoi" <[email protected]>
To: "'Eliezer'" <[email protected]>
References: <[email protected]od.outlook.com> <[email protected]od.outlook.com>,<[email protected]od.outlook.com> <[email protected]od.outlook.com>,<[email protected]od.outlook.com> <[email protected]od.outlook.com>,<[email protected]od.outlook.com>,<[email protected]od.outlook.com>,<[email protected]od.outlook.com> <[email protected]od.outlook.com>,<[email protected]od.outlook.com> <[email protected]od.outlook.com>,<FR1PR80MB0069 78F84DD297A1B
A [email protected]80.prod.outlook.com> <[email protected]od.outlook.com>,<[email protected]od.outlook.com> <[email protected]od.outlook.com>,<[email protected]od.outlook.com> <[email protected]od.outlook.com>,<[email protected]> <[email protected]od.outlook.com>,<[email protected]> <[email protected]od.outlook.com> <007b01d4202b$ff46ce60$fdd46b20$[email protected]>
In-Reply-To: <[email protected]>
Subject: =?iso-8859-1?Q?ENC:_{Spam=3F}_Re:_{Spam=3F}_Re:_{Spam=3F}_Re:_ES_M=D3VEIS?=
=?iso-8859-1?Q?_EIRELI_-_ME_AP_81.0118.0014433?=
Date: Fri, 20 Jul 2018 11:11:14 -0300
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0071_01D4201A.5FFF1C60"
X-Mailer: Microsoft Outlook 15.0
Content-Language: pt-br
Thread-Index: AQD6bWQcLwIq180ZedSlzPgmh5+dKgHPM72zAkzXcrQBhIkJJQGwBAQSAX/LZbQBU3tsEQDAOwEOAmGqXYUB9kGqUwJsxxH7AeSh9rUCdZ6WtAJLZiBjAftNP+YBndXrdwIffz0sAkCiEAoCXTlPjgLHxu6+AbvuODwBikCGfQD8qchppP4K7XA=
X-cPanel-MailScanner-Information: Please contact the ISP for more information
X-cPanel-MailScanner-ID: 1fgW6M-000Fkw-EC
X-cPanel-MailScanner: Found to be clean
X-cPanel-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=1.122, required 3, ALL_TRUSTED -1.00, AWL -2.38,
BAYES_00 -1.90, CPANEL_LOTS_OF_EMPTY_LINE 0.80, HTML_MESSAGE 0.00,
KAM_NUMSUBJECT 0.50, LOTS_OF_MONEY 0.00, URIBL_BLOCKED 0.00,
URIBL_SBL 5.00, URIBL_SBL_A 0.10)
X-cPanel-MailScanner-SpamScore: s
X-cPanel-MailScanner-From: [email protected]
X-Spam-Status: No
X-Exim-DSN-Information: Due to administrative limits only headers are returned

I had tested with a account [email protected] sending e-mails to [email protected] and [email protected]. And it doesn't appear problem with the DKIM.

What can it be?

The DKIM assinature of two domains is fine. I have been tested it on mailtester.
The CP4 and CP6 is different servers, but in same local.

Look the prints bellow

 

[lfpiaggio]

The problem appear when the server was updated to version v72.0.10

 

[cPanelLauren]

Hi @lfpiaggio


Based on the header output (which I modified to remove the actual domain names) it looks like you're using MailScanner because this isn't something directly supported by cPanel I'd like to know if you're still getting the error with it disabled.

Also out of curiosity I'd like to know what you have set for the following at WHM>>Service Configuration>>Configuration Manager:

Allow DKIM verification for incoming messages
By default, Exim verifies syntactically valid signatures in incoming mail, even when Exim is not configured to act on the results of the check. This verification process can degrade your server's performance.

Reject DKIM failures
Reject mail at SMTP time if the sender fails DKIM key validation.

 

[lfpiaggio]

Hi @lfpiaggio


Based on the header output (which I modified to remove the actual domain names) it looks like you're using MailScanner because this isn't something directly supported by cPanel I'd like to know if you're still getting the error with it disabled.

Also out of curiosity I'd like to know what you have set for the following at WHM>>Service Configuration>>Configuration Manager:

Allow DKIM verification for incoming messages
By default, Exim verifies syntactically valid signatures in incoming mail, even when Exim is not configured to act on the results of the check. This verification process can degrade your server's performance.

Reject DKIM failures
Reject mail at SMTP time if the sender fails DKIM key validation.

As i said:

Its happens sometimes with our clients.

I tested and it doesnt not appear problem with the dkim key.

The dkim verification qnd reject fails is enabled

 

[lfpiaggio]

Its look something about Outlook that change the dkim Key?

This is the 3rd client's support.

 

[lfpiaggio]

I tried to emulate the fail dkim, with the same configurations of outlook client of my client. Same domain to same recipients. But it doesnt appear the erro and the msg delivery with sucess

 

[cPanelLauren]

As i said:

Its happens sometimes with our clients.

I tested and it doesnt not appear problem with the dkim key.

The dkim verification qnd reject fails is enabled

I understood what you said but mailscanner has been known to cause issues similar to this. Because it's a 3rd party plugin which is not supported by cPanel and this behavior does not normally occur on systems with cPanel's default configuration I want to rule this out as a cause. Please let us know if the issue persists with MailScanner disabled.

 

[lfpiaggio]

Without sucess...

What you think about refresh time in zone differents of servers?

 

[cPanelLauren]

Hi lfpiaggio

I can't see that being related to the issue at hand at this point (this long after a modification). If you're still having an issue with the DKIM records getting hash mismatch errors can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[QAZwsxED]

I recently solved a similar issue.
Solution: manually add a Message-Id (note not a Message-ID) header then connect and send an email.
cPanel WHM adds a Message-ID header and re-arranges the 'h' record in the DKIM signature which invalidates it, causing a DKIM:fail in the recipients mailbox.