I am able to consistently reproduce an issue where, if an inbound message has 2 DKIM signatures, the second signature verification always fails. In my test the first DKIM is representing the From domain and the second is the Service Provider using an identity tag.
The log shows this:
2015-03-26 14:11:52 1Yb8Vk-0000nh-OF DKIM: d=fromdomain.com s=dkim c=relaxed/relaxed a=rsa-sha1 t=1427379109 x=1429971109 [verification succeeded]
2015-03-26 14:11:52 1Yb8Vk-0000nh-OF DKIM: d=ProviderDomain.com s=dkim c=relaxed/relaxed a=rsa-sha1 i=@ProviderDomain.com t=1427379109 x=1429971109 [verification failed - signature did not verify (headers probably modified in transit)]
I don’t think that it’s a problem with the signature as far as the hash being invalid, because both DKIM signatures are using the exact same hash. I can see this in the DKIM header. I have also tested the same type of messages and they all validate with other providers like Gmail and Yahoo. In addition, I am pretty sure it’s not specific to the Identity domain, because if I send the message by itself without the "From DKIM" the identity verifies correctly (shown below).
2015-03-26 14:20:22 1Yb8dy-0000no-Al DKIM: d=ProviderDomain.com s=dkim c=relaxed/relaxed a=rsa-sha1 i=@ProviderDomain.com t=1427379618 x=1429971618 [verification succeeded]
I also see this error occurring on multiple installations, but for my testing I am using Exim version 4.82 #3 built 25-Feb-2014 16:39:20. I didn’t see any DKIM changes in the release notes since this version.
Could there be some issue with Exim modifying the message after it does the first DKIM check, which is causing the second check to fail? I only see the Received header being added to the final message, and the DKIM h= value doesn’t contain received. (h=list-unsubscribe:mime-version:from:to:date:subject:content-type:content-transfer-encoding;)
Bill Volz
--
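The question above turns on what a DKIM verifier actually hashes for each signature. The following is an added example, not code from the post or from Exim: it implements the RFC 6376 relaxed header canonicalization and header-selection rules, builds the exact byte string that the RSA signature covers for a chosen DKIM-Signature header, and hashes it with SHA-1 (the log shows a=rsa-sha1). The RSA step is omitted on purpose; if this digest is unchanged between signing and verification the signature still verifies, so comparing digests isolates which header, if any, was modified. The message headers, the order of the two signatures, and the bh= and b= values are all constructed placeholders, while the h= list and the domains are taken from the log above. It shows that a Received header and a second DKIM-Signature header never enter the hash when h= does not list them, whereas editing a signed header such as Subject does change it.

```python
"""Added example: what a DKIM verifier hashes for each of two signatures."""
import hashlib
import re

# h= list from the Exim log above
H_TAG = ("list-unsubscribe:mime-version:from:to:date:subject:"
         "content-type:content-transfer-encoding")

# Constructed headers (CRLF-terminated, folds start with a tab); bh= and b= are placeholders.
BASE_HEADERS = (
    "List-Unsubscribe: <mailto:unsub@ProviderDomain.com>\r\n"
    "MIME-Version: 1.0\r\n"
    "From: Sender <sender@fromdomain.com>\r\n"
    "To: rcpt@example.net\r\n"
    "Date: Thu, 26 Mar 2015 14:11:49 +0000\r\n"
    "Subject: Test of two   signatures\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
)
SIG_FROM = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fromdomain.com; s=dkim;\r\n"
    f"\th={H_TAG};\r\n"
    "\tbh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIG_1=\r\n"
)
SIG_PROVIDER = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=ProviderDomain.com; s=dkim;\r\n"
    "\ti=@ProviderDomain.com;\r\n"
    f"\th={H_TAG};\r\n"
    "\tbh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIG_2=\r\n"
)
RECEIVED = ("Received: from mx.ProviderDomain.com by mx.example.net;\r\n"
            "\tThu, 26 Mar 2015 14:11:52 +0000\r\n")


def parse_headers(raw):
    """Split a CRLF header block into (name, value) pairs, keeping folded lines."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and headers:            # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, value = line.split(":", 1)
            headers.append((name, value))
    return headers


def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed canonicalization: lowercase name, unfold, collapse WSP, strip."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def dkim_tags(value):
    """Parse 'tag=value;' pairs from a DKIM-Signature header value."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def header_hash_input(headers, sig_index):
    """Bytes a verifier hashes for the sig_index-th DKIM-Signature (RFC 6376 3.7).

    Headers named in h= are selected bottom-up, each instance used at most once;
    the signature header itself is appended last with its b= value emptied and no
    trailing CRLF.  Anything not listed in h= (Received, the other DKIM-Signature)
    never enters the hash.
    """
    positions = [i for i, (n, _) in enumerate(headers) if n.lower() == "dkim-signature"]
    own = positions[sig_index]
    wanted = [t.strip().lower() for t in dkim_tags(headers[own][1])["h"].split(":") if t.strip()]
    used = {own}
    out = []
    for name in wanted:
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name:
                used.add(i)
                out.append(relaxed_header(*headers[i]))
                break
    no_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", headers[own][1])
    out.append(relaxed_header("DKIM-Signature", no_b).rstrip("\r\n"))
    return "".join(out).encode("ascii")


def header_digest(raw, sig_index):
    """SHA-1 hex digest of the header hash input; equal digests mean the RSA check is unaffected."""
    return hashlib.sha1(header_hash_input(parse_headers(raw), sig_index)).hexdigest()


def message(received=False, from_sig=True, tampered=False):
    """Assemble the constructed header block for one scenario."""
    raw = (RECEIVED if received else "") + (SIG_FROM if from_sig else "") + SIG_PROVIDER + BASE_HEADERS
    return raw.replace("Subject: Test", "Subject: [ext] Test") if tampered else raw


if __name__ == "__main__":
    both = message(received=True)
    print("from-domain sig unchanged by Received: ", header_digest(both, 0) == header_digest(message(), 0))
    print("provider sig unchanged by Received:    ", header_digest(both, 1) == header_digest(message(), 1))
    print("provider sig unchanged by first sig:   ",
          header_digest(both, 1) == header_digest(message(received=True, from_sig=False), 0))
    print("provider sig unchanged by Subject edit:",
          header_digest(both, 1) == header_digest(message(received=True, tampered=True), 1))
```

Running it prints True for the first three comparisons and False for the last: with this h= list, adding a Received header or a second DKIM-Signature leaves both digests untouched, so a failure like the one in the log must come from a change to one of the listed headers (or the body, via bh=), not from the extra signature itself. Feeding the real pre-delivery and post-delivery header blocks to `header_digest` is a quick way to confirm which of the two it is.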