DMARC fails with Microsoft (related to multiple signatures?)

My client has an email provider that is using AWS for sending emails. This works fine and emails are DKIM signed with proper alignment.

On some emails, the client (using O365 for incoming emails) puts themselves as BCC. These emails are delivered DMARC-compliant and without issues to the recipient in TO.

At the recipient in BCC (same as the sender) Microsoft claims that DMARC fails. The header of the email to the BCC address is available below. SPF is not aligned for reasons so we need to rely on DKIM. The email contains 2 DKIM signatures, one aligned with the sender. Microsoft does however not seem to use this signature for evaluation. Is that correctly interpreted from my end?

Why does this email pass DMARC with the recipient in TO (at Google) and not with the recipient in BCC (at Microsoft)?

Authentication-Results: spf=pass (sender IP is 54.240.3.18)
 smtp.mailfrom=eu-west-1.amazonses.com; dkim=pass (signature was verified)
 header.d=amazonses.com;dmarc=fail action=quarantine
 header.from=client-domain.com;compauth=fail reason=000
Received-SPF: Pass (protection.outlook.com: domain of eu-west-1.amazonses.com
 designates 54.240.3.18 as permitted sender) receiver=protection.outlook.com;
 client-ip=54.240.3.18; helo=a3-18.smtp-out.eu-west-1.amazonses.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=x7p3csefwpnc4doyyxbwyl34ozlaiizg; d=client-domain.com; t=1725179837;
	h=From:Reply-To:To:Subject:MIME-Version:Content-Type:Message-ID:Date;
	bh=yfazGShthFakbrrj6CUQq+aA4j9PGLB+w9S64PhnoA8=;
	b=Yvoz2yvqXAtdO/NAE74fj+TRAoBVvgwbn81NSX5dV//T27UpRM3TeEnjhukFH2XA
	eEDT9mmk8t5GHZwMUtlewqJ1vGMZsl4NzhEFFxSGIvYzGyl6FURJVaR2pZH5QjzVbMZ
	aP1nnB5U81grskpymIgA+1pG0Vd49SF2iSHpEkwI=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=uku4taia5b5tsbglxyj6zym32efj7xqv; d=amazonses.com; t=1725179837;
	h=From:Reply-To:To:Subject:MIME-Version:Content-Type:Message-ID:Date:Feedback-ID;
	bh=yfazGShthFakbrrj6CUQq+aA4j9PGLB+w9S64PhnoA8=;
	b=XeL/vdW1ExcPnsZkVZ5iBSqHPLh3sefrOJpiMoPd7e8eC59XUGlF2/9+A3WzBQ5t
	JTNXnEMtAu9SUwn5FnL4AhmfttZyPJlrM47Z996oatPhz7ZV/QyD80LCL72iDqWf7V8
	WUKSjRXg9jWssEcr+1d9Xnl727TKo7+0TZQco3xY=
From: =?UTF-8?Q?Sender?= <info@client-domain.com>
Reply-To: info@client-domain.com
To: random-address@gmail.com

Hi Vindruva,

The recipient at the To or BC or BCC fields wouldn’t matter. Those headers are not taken into account when verifying the sending domain for DMARC. Moreover, the command that determines where an email is delivered to is RCPT TO during the early SMTP conversation, prior to the DATA command through which the body and by extension the headers are submitted by the sending server.

If the issues only occur when the sender and recipient are on the same domain, and only with Microsoft, then I would open a support case with Microsoft. There is no known behaviour that would cause DKIM not to function properly, and the number of signatures would not matter. It is common for multiple DKIM signatures to appear in emails.

Very interesting issue, and I invite you to post a follow-up if you speak to MS support on this issue.

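A way to compare the DKIM signatures present on a message with the one the receiver reported in Authentication-Results, as an added example that is not part of the original thread. It only reads headers and does not verify signatures; the relaxed-alignment test is a simplification that skips the Public Suffix List, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers abridged from the question; bh=/b= values are placeholders.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 54.240.3.18)
 smtp.mailfrom=eu-west-1.amazonses.com; dkim=pass (signature was verified)
 header.d=amazonses.com;dmarc=fail action=quarantine
 header.from=client-domain.com;compauth=fail reason=000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=x7p3csefwpnc4doyyxbwyl34ozlaiizg; d=client-domain.com; t=1725179837;
 h=From:Reply-To:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=uku4taia5b5tsbglxyj6zym32efj7xqv; d=amazonses.com; t=1725179837;
 h=From:Reply-To:To:Subject:Feedback-ID; bh=PLACEHOLDER; b=PLACEHOLDER
From: =?UTF-8?Q?Sender?= <info@client-domain.com>

"""

def dkim_tag(header, name):
    """Return one tag value (e.g. d=) from a DKIM-Signature header, lowercased."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", header)
    return m.group(1).lower() if m else None

def relaxed_aligned(d, from_domain):
    """Assumption: approximate relaxed alignment as equal or parent/child domains."""
    return d == from_domain or d.endswith("." + from_domain) or from_domain.endswith("." + d)

def diagnose(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = " ".join((msg["Authentication-Results"] or "").split())  # unfold the header
    reported = [d.lower() for d in re.findall(r"header\.d=([^;\s]+)", auth)]
    dmarc = re.search(r"dmarc=(\w+)", auth)
    signed = [dkim_tag(h, "d") for h in msg.get_all("DKIM-Signature", [])]
    aligned = [d for d in signed if d and relaxed_aligned(d, from_domain)]
    return {
        "from_domain": from_domain,
        "dmarc_result": dmarc.group(1) if dmarc else None,
        "signature_domains": signed,
        "aligned_signatures": aligned,
        "reported_by_receiver": reported,
        # Aligned signatures the receiver did not list: the detail to hand to support.
        "aligned_but_unreported": [d for d in aligned if d not in reported],
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `aligned_but_unreported` list means the message carries an aligned signature that does not appear in the receiver's Authentication-Results, which is the detail to include in a support case.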