How to fix google dkim=neutral (body hash did not verify)

Ref Synology NAS > DS118 > Package > Mail server
SPF DKIM DMARC is activated > DKIM Selector=key1

My ISP block Outgoing Port 25 to solve this
by using Dynu SMTP Outbound RELAY Services
I create Dynu Private and Public keys > DKIM Selector=key2
Finally I get my mail server running

Mails sending to gmail.com > SPF=pass DKIM=neutral DMARC=pass
Google Authentication-Results: dkim=neutral (body hash did not verify)

My DNS Zone setup, see below

QST How to fix google dkim=neutral (body hash did not verify)

Hope somebody can help me out…

Thx Robert (PL)

Hello Rob76,

The issue could be several things, and it would likely be difficult to hone in the problem without a thorough review of the infrastructure at play.

The error dkim=neutral (body hash did not verify) implies there is modification in some ways occurring during the email path to delivery. First off, have you verified that the correct key pairs are being used? Meaning, the public key published in your DNS is the correct key for the pair used with the selector in question?

In this example, is the DKIM signing done by Dynu outbound gateway, or something else beforehand?

AM

Thx for your reply,

AM, There is modification in some ways occurring during the email path to delivery.
Agree, yes I try out add some commands like include: not working…

AM, Have you verified that the correct key pairs are being used?
Yes, Tested with Dmarcian DKIM Records checker all ok.

AM, Is the DKIM signing done by Dynu outbound gateway, or something else beforehand?
Dynu DomainKeys Identified Mail (DKIM)
Step 2 : Save the private key on your email server for easy reference.

To solve my problem I change philosophy using the 2 DKIM key’s:
01 Client connect to the server using IMAP-SSL Port 993 (secure connection).
02 Dynu SMTP Relay using TLS Outgoing Port 587 (secure connection).
03 Dynu DKIM Public key2 are in place to control mail transfer (Secure).
Mains all communication IN and OUT the mail server is secure connected.

QST Do I still need the DKIM DMARC from my Synology mail server?
I don’t thinks so, maybe I am wrong tell me…

So I disable DKIM DMARC in the mail server and remove DKIM key1, DNS TXT Record.
From here I test Gmail again SPF DKIM DMARC resulting ALL PASS.

AM, It is working for now

Best regards Robert (PL)