DKIM and Authentication-Results header - ORF Forums

I'm evaluating ORF for a customer of mine with Exchange Server 2019 (on premise). Without going into boring detail, I need to look at DKIM-signed messages (when they occur), check for valid DKIM signature, and then somehow mark the inbound email with the results of that check.

It looks like ORF's DKIM checking option allows me to alter the subject line or add a mail header in response to *failed* DKIM authentication, but there doesn't seem to be a way to mark a message as having *passed* DKIM checks. At least, I didn't think that was the case.

Then as a test, I sent a (properly) DKIM-signed message into the server, opened up the received message, and examined the headers. Lo and behold, it appears that an Authentication-Results header has been added to the message that contains just the info I need.

I ran the same message through again with the ORF service stopped, and this time there was no Authentication-Results header. Ergo, I concluded, ORF is adding this header, which is exactly what I want it to do. Yay!

But then.... then I looked at the online documentation under the DKIM Test (just checking to see if maybe more detail is there about the exact format of this header), and the documentation says, and I quote: "The optional Authentication-Results header is not appended by ORF to emails. ORF also does sign any of the outbound messages."

OK, I know about not signing outbound messages, and I've read here that that might be coming sometime in the future, but in the meantime, it's fine, I'm using the open source DKIM Signer that's been up on github forever, and it's working fine. But the documentation also is stating that the header that I just saw ORF add to my emails with my own eyes is not added to emails by ORF.

So I'm wondering if I can trust this header to be there in future versions. And also if I'm losing my mind or having some sort of bizarre SMTP hallucinations.

Can anyone shed any light on this? Thanks!

@Daniel Novak (Vamsoft): Thank you so much, Daniel. It's good to know my sanity is not in question, only the sanity of the Google search that brought me to the manual page I quoted, which (as you correctly surmised) was apparently for the 6.0 version. I believe the search I did was for "ORF Authentication-Results" and the first result of that search took me to the DKIM Test entry in the 6.0 documentation (https://vamsoft.com/support/docs/orf-help/6.0/adm-oa-dkim). I think I also tried searching for "Authentication-Results" in the Vamsoft knowledge base and that didn't lead me anywhere either. But I'm glad to know that the feature I'm looking for is there -- that's the important part.

Let me ask one more question in this general area, if I may. We've discovered, through experience, that a lot of automated emails (invoices and statements sent from vendors, for example) are sent through cloud-based bulk mailing services -- sendgrid.net, in particular -- and often these emails fail SPF checks, because the senders do not properly include sendgrid SPF info in their own published SPF information. The result of this is that it basically renders SPF a lot less useful a means of validating senders. However, it turns out that sendgrid stamps DKIM signatures on things they send out, and insist that their clients publish matching DKIM info.

So, what I'd like to do is check DKIM and SPF both, but if a message is DKIM-signed and authenticates successfully, I'd like to ignore SPF results.

ORF has the DKIM whitelist feature which I would think would help me do this, but it only works for sending domains you specifically list. I would like, instead, to say "if DKIM passes, don't bother with SPF checks," and I'd like to say this for all received, not just some senders. Is there any way to do this? The DKIM whitelist feature accepts wildcards in some places, but I don't believe it can be told to whitelist regardless of sender. Or is this another thing I don't have current documentation for?

@Tony C: Usually that's what DMARC was invented for:
"So, what I'd like to do is check DKIM and SPF both, but if a message is DKIM-signed and authenticates successfully, I'd like to ignore SPF results."

Both are checked and the DMARC glues it together. Either or both can be valid and the mail is accepted as valid. Both of them are invalid than the dmarc check fails and does usually what the DMARC policy tells or what you want to do. ;)

If DMARC is not used by the sender, than you have no control over that wanted behaviour. And btw. any MTA can create valid DKIM signatures, it is not a requirement, that a sender has to use a matching signing (sub)domain (except when using DMARC and DMARC validation). So this is not a really good indicator in my eyes. It only shows, that the mail was not tempered within transport (at least to some level).

As your bulk mailing scenario: The SPF is not worth a lot, because the return path domain usually is not bound to the author domain. So even if it is a valid SPF check, if DMARC is in use it will happen that the SPF check is not used because its not the same domain or a subdomain of the Author Sender Address.

Hope that makes sense ;)
Norbert