Email mail servers preserve other DKIM signatures in the email header
search cancel

Email mail servers preserve other DKIM signatures in the email header


Article ID: 171940


Updated On:




As an administrator, I would like to setup multiple email hops to do DKIM signing. What happens with the DKIM signatures in the email headers from other hops after the email goes the Email mail servers.


DKIM adds an end-to-end authentication capability to the existing email transfer infrastructure.  That is, there can be multiple emails relaying hops between signing and verifying. Therefore the DKIM signatures from other hops will remain in the email headers but the recipient mail server would verify and take into account the last hop DKIM signing the email. 

Refer to the bolded part of the sample email header below (read it from bottom to top):

Return-Path: <[email protected]>
Received: from ( [<server IP >])
        by with ESMTPS id 18-v6si503848qkj.198.2018.
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 22 Jun 2018 08:56:51 -0700 (PDT)
Received-SPF: pass ( domain of [email protected] designates <server IP > as permitted sender) client-ip=<server IP >;

3. Gmail verifying the DKIM signature

       dkim=pass [email protected] header.s=SYM03232018 header.b=Zv8sjHoB; (SYMANTEC.CLOUD)
       dkim=neutral (body hash did not verify) [email protected] header.s=selector2 header.b=y1HB3naa; (OFFICE 365)
       spf=pass ( domain of [email protected] designates >server IP > as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE)

Return-Path: <[email protected]>

2. DKIM signing the message.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=SYM03232018; t=1529683009; [email protected]; bh=8KYAUJJ+0s37Utidr/61hEzREiUX6mQ+g8BrPmPSA9s=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=Zv8sjHoBzOZVWwZMyhi5h5volmYDiBZEFNycu1xTs8v+1d7vJNJ2t7sdyHxndqJTH

Received: from [<server IP >] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by id 7D/41-22251-14C1D2B5; Fri, 22 Jun 2018 15:56:49 +0000
X-Env-Sender: [email protected]
X-Originating-IP: [<server IP>]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Version: 9.9.15;,-,-
X-VirusChecked: Checked
Received: (qmail 14422 invoked from network); 22 Jun 2018 15:56:48 -0000
Received: from (HELO (<server IP>)
  by with AES256-SHA256 encrypted SMTP; 22 Jun 2018 15:56:48 -0000

1. Office 3365 DKIM signing the message.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qGnoEhWGzsMB145HjS64JoKeeGFq9QiFE8GSROCBe+k=; b=y1HB3naafucjXM0DnGpaBLMHQQRzhEWTwiJUUVRgiZCTiSwQ6S01powNS2IEeUTnLRElWRwSpSxSHSZIwS5OU5wJVVIKSKM11Sm0aI25z5FeNRVJZt1DOE0gC051DcfmD5lVkuhWj7W2G5lcBMr9cni0FuKDRz++h90Vt59C+LU=

Received: from (<server IP>) by (<server IP>) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.884.21; Fri, 22 Jun 2018 15:56:45 +0000
Received: from ([fe80::550a:d886:1f0e:cb5]) by ([fe80::550a:d886:1f0e:cb5%4]) with mapi id 15.20.0884.021; Fri, 22 Jun 2018 15:56:45 +0000
From: Test User <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Test DKIM Signing
Thread-Topic: Test DKIM Signing
Thread-Index: AdQKQZ0RV2R3uW7oTGiBIfqnt411wA==
Date: Fri, 22 Jun 2018 15:56:45 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_BYAPR14MB2294FBFCC3A01C43C41931DEDF750BYAPR14MB2294namp_"
MIME-Version: 1.0

Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Test DKIM Signing