Warum stehen mehrere DKIM-Signaturen im E-Mail-Header?

DKIM fügt der bestehenden E-Mail-Übertragung eine End-to-End-Authentifizierungsfunktion hinzu. Das heißt es können mehrere E-Mail-Hops (Sprünge bzw. Weiterleitungen) zwischen der Signierung und der Verifizierung liegen. Deshalb verbleiben die DKIM-Signaturen der anderen Hops in der E-Mail-Kopfzeile. Schlussendlich prüft der Empfangene Server aber nur den letzten Hop also den letzten Server, der die E-Mail einliefert und macht hier dann die typische DKIM-Prüfung.

Hier mal ein Beispiel – von unten nach oben lesen! ;):

Delivered-To: testaccount@gmail.com
Received: by 2002:a17:906:2c16:b0:9c5:b4f8:21be with SMTP id e22csp560258ejh;
Tue, 7 Nov 2023 11:18:25 -0800 (PST)
X-Google-Smtp-Source: AGHT+IE7MneqgeVx6ZjyiSu6YMDzR+Lsawn16/LdTuXRx9hF1PGns/fmTtjlWeUhDhb7MTAy4Pr3
X-Received: by 2002:a05:6000:1209:b0:32d:9d3a:d8c0 with SMTP id e9-20020a056000120900b0032d9d3ad8c0mr23803967wrx.60.1699384705445;
Tue, 07 Nov 2023 11:18:25 -0800 (PST)
Return-Path: <prvs=0668390c39=maffert@beispiel.de>
Received: from mx-relay04-hz2.antispameurope.com (mx-relay04-hz2.antispameurope.com. [83.246.65.90])
by mx.google.com with ESMTPS id 11-20020a056000154b00b0032d8fdc588esi2364868wry.58.2023.11.07.11.18.25
for <testaccount@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 07 Nov 2023 11:18:25 -0800 (PST)
Received-SPF: pass (google.com: domain of prvs=0668390c39=maffert@beispiel.de designates 83.246.65.90 as permitted sender) client-ip=83.246.65.90;

3 – GMAIL verifiziert die DKIM Signatur:

Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@beispiel.de header.s=selector2 header.b=D2DwPclX;
dkim=pass header.i=@beispiel.de header.s=hse1 header.b=TdXZXLfR;
arc=fail (body hash mismatch);
spf=pass (google.com: domain of prvs=0668390c39=maffert@beispiel.de designates 83.246.65.90 as permitted sender) smtp.mailfrom=“prvs=0668390c39=maffert@beispiel.de“;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=beispiel.de

Return-Path: <prvs=0668390c39=maffert@beispiel.de>
Received: from mail-fr2deu01lp2169.outbound.protection.outlook.com ([104.47.11.169]) by mx-relay04-hz2.antispameurope.com; Tue, 07 Nov 2023 20:18:24 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RWumlTOTEXqSDPGR23wPMIXbjwP9Aw2pFvnR26afYtXNo+52nKwn0dawloHIwIF0II1a4fi/p8k8ibouaxL6RFiWnDo0yXala4oOnvh3L8OzYFBKQPD1kJyHM4ximJKTshCuZK7ouJirwkVFILQet7WrpT8azqGaHcbxycnF3U4EIiGibDP9AAnYtgSm2uHyrqHm6+fdYJv6tt/t/93aE7BaHHGRggNP7nhvtgY9+I+T1+v9JNQ72TbG2jiBllshWC+SQcBigwlFWTN8dHFPqEvJZVopYbF9rpERrg6Hq/VnnOBy/bFDH2uaryuZskhj9Vms/JvnZ7oovkhoGfhz9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vKKGPLDnoF7rbOhA3iJzfhLJ3g9Rxp8/ADLqqpDb8vM=; b=UHkluwicMZIa72EeC4+V9dz7sAUXXmPkxJSBGiip7jx5+T6jhMwNh1W2bhkpHC13yODt1liGce/gFGvslpwSoswafO+naTGWdV9+zqbV1wMk6rX9TtdgZAreGTwYNSZxzhIdE3IXMaIjIpZEWJxcZ6gISjicvucuGwCLP6cF9yvmOVDxsuNKVNRWNmTrmgHl2+FoVgdqKwRigLtkEfacDBnPPAN+0+EL+mciwyQDeTOR7+SXMhVpjXLQf3AyIldF7FkRovTsvtHjBle325iUFG+o6nBwcg4ijMYVt2wknjfeBmrugn2lNLmi/T7n4bM++EeDenG3ik6XeFkJQQBVbQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 20.79.220.33) smtp.rcpttodomain=gmail.com smtp.mailfrom=beispiel.de; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=beispiel.de; dkim=none (message not signed); arc=none (0)

1 – M365 bzw. Exchange Online signiert die Nachricht:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beispiel.de; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vKKGPLDnoF7rbOhA3iJzfhLJ3g9Rxp8/ADLqqpDb8vM=; b=D2DwPclXQZkadkBH/UzwPeApwGYPQ2XbTIk+xkdIjlY9D4/S9gYuwnRmIsxC37RsdNvsVCKd8tWYZUSB1FVKQVX772cyEXMFBAMTdbKOMC9ocl+kGUa1htRwOhWjqnYrIy+l3K/lpMpy3KYixPw2wxwxhFeWgxjW41I7bDxInqsB0L4jO/t84lxSHineIJaFiyydXeESqNgrFYBBu2mptVD96x3FBM7MSUcsqCIfHOFOLKLMhBGdHfQbLQgt8r80bwh7EwR9VNk3Jp/aaA3AaYjQSY+s8NsnKlhOw6zF3saTDLd/adzyv+2J+CmnU9PNhdW95hCeoXdueRw+nCrdKw==

Received: from AM6PR0502CA0058.eurprd05.prod.outlook.com (2603:10a6:20b:56::35) by BE1P281MB1619.DEUP281.PROD.OUTLOOK.COM (2603:10a6:b10:1b::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.29; Tue, 7 Nov 2023 19:18:14 +0000
Received: from AMS0EPF000001AE.eurprd05.prod.outlook.com (2603:10a6:20b:56:cafe::cb) by AM6PR0502CA0058.outlook.office365.com (2603:10a6:20b:56::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.28 via Frontend Transport; Tue, 7 Nov 2023 19:18:14 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.79.220.33) smtp.mailfrom=beispiel.de; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=beispiel.de;
Received-SPF: Pass (protection.outlook.com: domain of beispiel.de designates 20.79.220.33 as permitted sender) receiver=protection.outlook.com; client-ip=20.79.220.33; helo=de1-emailsignatures-cloud.codetwo.com; pr=C
Received: from de1-emailsignatures-cloud.codetwo.com (20.79.220.33) by AMS0EPF000001AE.mail.protection.outlook.com (10.167.16.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6977.17 via Frontend Transport; Tue, 7 Nov 2023 19:18:13 +0000
Received: from DEU01-FR2-obe.outbound.protection.outlook.com (104.47.11.169) by de1-emailsignatures-cloud.codetwo.com with CodeTwo SMTP Server (TLS12) via SMTP; Tue, 07 Nov 2023 19:18:12 +0000
Received: from BEZP281MB3045.DEUP281.PROD.OUTLOOK.COM (2603:10a6:b10:2e::8) by BE1P281MB2434.DEUP281.PROD.OUTLOOK.COM (2603:10a6:b10:34::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.25; Tue, 7 Nov 2023 19:18:11 +0000
Received: from BEZP281MB3045.DEUP281.PROD.OUTLOOK.COM ([fe80::d9c:f9f7:8aa5:bc4]) by BEZP281MB3045.DEUP281.PROD.OUTLOOK.COM ([fe80::d9c:f9f7:8aa5:bc4%3]) with mapi id 15.20.6954.029; Tue, 7 Nov 2023 19:18:11 +0000
From: Tobias Maffert <maffert@beispiel.de>
To: „testaccount@gmail.com“ <testaccount@gmail.com>
Subject: Test für maffert.net
Thread-Topic: Test für maffert.net
Thread-Index: AdoRryIXoWeMclabTAyb22Vty0iD2g==
Date: Tue, 7 Nov 2023 19:18:10 +0000
Message-ID: <BEZP281MB30455D0ERRGEFGBHB222B3F3A9A@BEZP281MB4000.DEUP281.PROD.OUTLOOK.COM>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-cloud-security-sender: maffert@iok.net
X-cloud-security-recipient: testaccount@gmail.com
X-cloud-security-Virusscan: CLEAN
X-cloud-security-disclaimer: This E-Mail was scanned by E-Mailservice on mx-relay04-hz2.antispameurope.com with E21E5B54326
X-cloud-security-connect: mail-fr2deu01lp2169.outbound.protection.outlook.com[104.47.11.169], TLS=1, IP=104.47.11.169
X-cloud-security-Digest: 95fd4557c78458e804d4b78f774b14c1
X-cloud-security: scantime:3.864

2 – Hornesecurity (Security Gateway) signiert die Nachricht, hängt diese aber ganz unten an:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iok.net; h=from:to :subject:date:message-id:references:mime-version:content-type;
s=hse1; bh=Kubmxi9z2v2ly910IFRboowYa4DS/iBZql0SQ0THGlI=; b=TdXZ XLfRPh23yyyKy5kDaNjs76R53JJ2b0LOLWCC5jrug6HTb3Gt380s8EFmcnESGwDX uRIo6ppO+hOhVVX5hE/TZ6GYuhSc7JQO1W59EtkWKP6E+NoQ9/RmHwVUgvptGqpN ebcOidNlE4vklI6SeCIQGaABINqTJm0FfQtsxJmEe4EiZastczMQKjUQ16s8BbLw FWJgeXzxzDUGmZEIfeAQJyGouqDmv2KJE8NZP4v6++QlwsJtvm1o3/E5gm3pKDR0 j7G6v3YK6bEt/YKvLxUJ6aitVS2ywbaqhNqwaqIrj/6dGqwi5TPRW7AQFJGyFEeW kyDGT+yemBa1hI4tlg==

….