O365 Email to a Cisco ASA equals DKIM FAILURE

%3CLINGO-SUB%20id%3D%22lingo-sub-1603715%22%20slang%3D%22en-US%22%3EO365%20Email%20to%20a%20Cisco%20ASA%20equals%20DKIM%20FAILURE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1603715%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20having%20a%20problem%20with%20one%20email%20recipient.%20They%20are%20using%20a%20Cisco%20ASA%20ESA.%26nbsp%3B%20When%20we%20send%20emails%20to%20this%20client%2C%20they%20are%20filtered%20as%20spam%20and%20dropped.%26nbsp%3B%20I%20was%20able%20to%20get%20them%20to%20send%20me%20the%20message%20details%20from%20their%20ASA%20but%20so%20for%20not%20much%20help%20from%20their%20end.%26nbsp%3B%20The%20error%20I%20am%20seeing%20is%20a%20permfail%20signature%20did%20not%20verify%3B%20followed%20by%20a%26nbsp%3B%3C%2FP%3E%3CTABLE%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%3CTBODY%3E%3CTR%3E%3CTD%3E%3CP%3EMessage%20from%20domain%20mydomain.com%2C%20DMARC%20pass%20(SPF%20aligned%20True%2C%20DKIM%20aligned%20False)%2C%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3CP%3Enext%2C%20DMARC%20verification%20passed.%20and%20last%3C%2FP%3E%3CP%3E%3CSPAN%3EMessage%2054226780%20scanned%20by%20Anti-Spam%20engine%3A%20CASE.%20Interim%20verdict%3A%20Positive%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20have%20no%20other%20issues%20that%20I%20am%20aware%20of%20with%20clients%20receiving%20our%20emails.%20I%20have%20ran%20several%20different%20test%20from%20a%20variety%26nbsp%3Bof%20web%20sites%20on%20our%20SPF%2C%20DKIM%20records%20and%20DMARC%20and%20they%20all%20come%20up%20valid.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20like%20their%20appliance%20simply%20refuses%20to%20receive%20emails%20from%20us.%26nbsp%3B%20%26nbsp%3BCan%20anyone%20provide%20any%20possible%20insight%20on%20this%3F%26nbsp%3B%20Email%20is%20hosted%20in%20Exchange%20Online.%20We%20do%20have%20DKIM%20and%20DMARC%20enabled.%26nbsp%3B%20The%20only%20thing%20I%20got%20from%20Microsoft%20support%20was%20to%20convert%20our%20key%20to%202048%20versus%201024.%20This%20seems%20odd%20as%20we%20are%20only%20having%20the%20problem%20with%20this%20one%20company.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1603715%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1603822%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Email%20to%20a%20Cisco%20ASA%20equals%20DKIM%20FAILURE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1603822%22%20slang%3D%22en-US%22%3EHey%20Jeff%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20does%20not%20seems%20to%20be%20an%20issue%20at%20your%20end.%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20are%20you%20trying%20to%20send%20in%20the%20email%20%3F%3CBR%20%2F%3EHave%20you%20tried%20sending%20a%20blank%20email%20without%20signatures%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1608117%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Email%20to%20a%20Cisco%20ASA%20equals%20DKIM%20FAILURE%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1608117%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F754036%22%20target%3D%22_blank%22%3E%40SouravChoudhary%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%20That%20is%20my%20thought%20as%20well.%20I%20have%20ran%20several%20test%20against%20our%20DKIM%2C%20DMARC%20and%20SPF%20records%20and%20every%20test%20returns%20valid.%26nbsp%3B%20It%20seems%20to%20only%20fail%20with%20this%20one%20client%20using%20a%20Cisco%20ASA%20appliance.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBTW%2C%20I%20did%20send%20a%20test%20message%20without%20our%20signature%20even%20as%20a%20simple%20text%20only%20(no%20formatting)%20without%20a%20response%20(which%20tells%20me%20that%20failed%20as%20well).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20writing%20it%20off%20as%20a%20client%20end%20issue%20since%20no%20errors%20are%20appear%20on%20my%20end.%20I%20am%20not%20sure%20why%20MS%20recommeneded%20the%20key%20change%20since%20I%20have%20yet%20to%20find%20anything%20that%20supports%20that%20as%20a%20resolution.%20Let%20along%20making%20that%20kind%20of%20change%20just%20for%20one%20failure.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor

We are having a problem with one email recipient. They are using a Cisco ASA ESA.  When we send emails to this client, they are filtered as spam and dropped.  I was able to get them to send me the message details from their ASA but so for not much help from their end.  The error I am seeing is a permfail signature did not verify; followed by a 

Message from domain mydomain.com, DMARC pass (SPF aligned True, DKIM aligned False),

next, DMARC verification passed. and last

Message 54226780 scanned by Anti-Spam engine: CASE. Interim verdict: Positive

 

We have no other issues that I am aware of with clients receiving our emails. I have ran several different test from a variety of web sites on our SPF, DKIM records and DMARC and they all come up valid.  

 

It is like their appliance simply refuses to receive emails from us.   Can anyone provide any possible insight on this?  Email is hosted in Exchange Online. We do have DKIM and DMARC enabled.  The only thing I got from Microsoft support was to convert our key to 2048 versus 1024. This seems odd as we are only having the problem with this one company. 

 

2 Replies
Highlighted
Hey Jeff,

This does not seems to be an issue at your end.

What are you trying to send in the email ?
Have you tried sending a blank email without signatures ?

Thanks
Highlighted

@SouravChoudhary 

 

Thanks. That is my thought as well. I have ran several test against our DKIM, DMARC and SPF records and every test returns valid.  It seems to only fail with this one client using a Cisco ASA appliance. 

 

BTW, I did send a test message without our signature even as a simple text only (no formatting) without a response (which tells me that failed as well). 

 

I am writing it off as a client end issue since no errors are appear on my end. I am not sure why MS recommeneded the key change since I have yet to find anything that supports that as a resolution. Let along making that kind of change just for one failure.