Discussions on webmail and the Professional version.

Post by doberman » Sat Nov 11, 2017 1:10 pm

I have a filter set up to catch DKIM Fail and then pass those emails to quarantine for further review. Many times when I test these DKIM failures at other sites,, and, the DKIMs pass. How is MailEnable processing different from other leading sites?

Here is an example of a failed DKIM by MailEnable.

Received-SPF: pass ( domain of designates as permitted sender)
Received: from ([]) with MailEnable ESMTPS; Sat, 11 Nov 2017 07:04:11 -0500
DKIM-Signature: v=1; a=rsa-sha256;; s=prod-selector; c=relaxed/relaxed;
	q=dns/txt;; t=1510387448;
X-MSFBL: amVnbGlAYXBwbHluZXR3b3Jrcy5jb21AdHJhbnNhY3Rpb25hbF80WDQ4QHRyYW5z
Date: Sat, 11 Nov 2017 01:04:08 -0700
From: "American Express" <>
Reply-To: "" <>
To: <>
MIME-Version: 1.0
Subject: =?UTF-8?B?WW91ciBOb3ZlbWJlciAyMDE3IFN0YXRlbWVudCBpcyBSZWFkeQ==?=
Message-ID: <>
Content-Type: multipart/alternative;
X-ME-CountryOrigin: US
X-ME-Bayesian: 0.000000



Re: DKIM Fail

Post by Brett Rowbotham » Mon Nov 13, 2017 5:48 am

It looks as if you are checking that there is a valid DKIM key rather than checking the email itself.

Use the checker at and paste the entire raw contents of the email to check whether DKIM is passing or failing.



Re: DKIM Fail

Post by doberman » Mon Nov 13, 2017 11:26 am

I ran the email through the site that Brett recommended (thanks!) and the results were:
Results: fail
signature identity:
verify result: fail (body has been altered)

What are the different validation processes that occur when checking the DKIM key vs checking the email itself? I mean, why does the DKIM key validate (including SPF and DMARC), but the email as a whole fails? I've tried to locate information on this, but could not.

Thank you.


Re: DKIM Fail

Post by doberman » Sat Nov 18, 2017 11:29 am

I continue to get more DKIM Fail messages when the actual key is valid. Could someone explain how MailEnable evaluates emails with DKIM signatures? I've looked in the documentation and it seemed that if the DKIM signature passed, then everything was okay.

Latest DKIM Fails from:
  • (when signing up for subscription)
I don't mean to be a pain, but I'm just trying to understand this process. Thanks! :)


Re: DKIM Fail

Post by MartynK » Mon Feb 12, 2018 1:48 am

Did anyone get to the bottom of this? I am having the same problem, and well-known domains are failing.


Re: DKIM Fail

Post by kenedy » Sun Mar 04, 2018 6:45 am

I am supporting Brett Rowbotham's ideas and comments....
Graduated from Soran University with First Class Degree with Honours in Computer Science.


Re: DKIM Fail

Post by dbly » Tue Apr 24, 2018 10:17 pm

DKIM is used to sign the contents of the message to ensure that the message body and key headers haven't changed since it was composed. Something to remember is while the KEY may be valid, it may not be the CORRECT key for the message.

Think of it this way - in your pocket you have a ring of keys. Each of those keys goes to different locks. Each of those keys, in and of itself, is a good key. They are valid.

However, the key to your house isn't valid for your car. The key for your car isn't valid for the lock on the shed. The key for the shed isn't valid for your spouse's car, etc.

When you test the key in most online test suites you are really only testing the key for valid syntax. You are not testing to see if the key actually matches the message that it is being used to sign. In many of the tests they don't even give you the ability to upload the message so it can even be checked.

One notable exception to this is the one ( ) that was posted earlier in the thread. That one *DOES* validate the key against the message instead of just checking to see if the key is properly constructed.

I see DKIM failures on my systems all of the time, and not just from minor domains either. For example my users get a lot of notifications from American Express, and anything and everything that comes from fails DKIM testing because while the message is signed they neglected (at least as of the date that I write this) to put their public key in DNS, and as such the message can't be checked against it and it fails. However, the messages from to the same users do have valid signatures.
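The difference discussed in this thread between "the key is valid" and "the message verifies", and the "body has been altered" result, shown as an added example that is not part of any post above and is not MailEnable's code. It covers only the body-hash (bh=) stage for c=relaxed/relaxed as in the quoted header, not the RSA check over the headers, and ignores the l= tag; the domain, key record and message bodies are constructed placeholders.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= for a=rsa-sha256 with a relaxed body."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_well_formed(txt: str) -> bool:
    """What a key-only tester checks: the DNS record parses and holds a key."""
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))

def body_matches_signature(sig_header: str, body: bytes) -> bool:
    """Recompute bh= over the body as received and compare with the header."""
    tags = parse_tags(sig_header)
    canon = tags.get("c", "simple/simple")
    if tags.get("a") != "rsa-sha256" or not canon.endswith("/relaxed"):
        raise ValueError("example handles rsa-sha256 + relaxed body only")
    return tags.get("bh") == body_hash(body)

# Constructed sample data (not taken from the thread).
SIGNED_BODY = b"Your statement is ready.\r\nLog in to view it.\r\n"
SIG = ("v=1; a=rsa-sha256; d=example.com; s=prod-selector; "
       f"c=relaxed/relaxed; bh={body_hash(SIGNED_BODY)}; b=PLACEHOLDER")
KEY_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"
REFLOWED = b"Your  statement is ready. \r\nLog in to view it.\r\n\r\n"
FOOTER_ADDED = SIGNED_BODY + b"-- scanned by gateway --\r\n"
```

With this data the key record is well formed in every case, the whitespace-only change in `REFLOWED` still matches, and `FOOTER_ADDED` does not, which is the situation a verifier reports as a body alteration.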
