Hi,

I just switched my relay server from SendGrid to Amazon SES, as some mails were blocked because some antispam systems (e.g. Sophos) seem to identify SendGrid's IPs as spam. While setting up Amazon SES, I struggled initially with DMARC verification (test mails to my Google account landed in SPAM due to failed DMARC). After getting this sorted and taking a deeper look at the mail headers, I found the following:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@mydomain.de header.s=somerandomidentifier header.b=someheader;
dkim=pass header.i=@amazonses.com header.s=anotherrandomidentifier header.b=anotherheader;
dkim=fail header.i=@mydomain.de header.s=dkim header.b=yetanotherheader;
spf=pass (google.com: domain of 01070176862bcc6c-XXXXXXXX-8d6d-4096-b68b-XXXXXXXXXXXX-000000@eu-central-1.amazonses.com designates 69.XXX.XXX.X as permitted sender) smtp.mailfrom=01070176862bcc6c-XXXXXXXX-8d6d-4096-b68b-XXXXXXXXXXXX-000000@eu-central-1.amazonses.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.de

To me this looks like the DKIM configured in Mailcow fails the check. As the first two DKIM headers pass and SPF also passes, Google seems to be fine to pass DMARC as well in this case. However, I like to have a clean configuration and am asking myself:
Is the DKIM configuration needed in Mailcow when using a relay server like Amazon SES, which does DKIM itself? Is it OK to just delete the DKIM keys in Mailcow for my domains?

2 months later

Hi @Pete, did you find a solution or answer to this?

and I am having the issue with DMARC too, how did you solve this?

16 days later

I had the same dkim fail.
Fixed it by changing the sign_headers in /opt/mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf
removed date:message-id:

Found this on AWS Docs, says which fields not to sign.
Manual DKIM signing in Amazon SES - Amazon Simple Email Service (docs.aws.amazon.com)

Thanks for the reply! I also managed to solve it by setting the MAIL_FROM in the AWS SES settings to be the same as the domain I’m sending from. Just FYI.
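
Added example, not part of any post in this thread: a small Python check that reads an Authentication-Results value like the one in the first post and shows which results are aligned with the From domain, which is why DMARC can pass while one DKIM signature fails. The sample header is constructed (shortened selectors, documentation IP), `header.i` is used as a stand-in for the signing domain, and alignment is simplified by assuming the From domain is the organizational domain.

```python
import re

# Constructed sample modelled on the header in the first post (values shortened).
SAMPLE = (
    "i=1; mx.google.com;"
    " dkim=pass header.i=@mydomain.de header.s=sel1 header.b=aaaa;"
    " dkim=pass header.i=@amazonses.com header.s=sel2 header.b=bbbb;"
    " dkim=fail header.i=@mydomain.de header.s=dkim header.b=cccc;"
    " spf=pass (google.com: domain of bounce@eu-central-1.amazonses.com designates"
    " 192.0.2.1 as permitted sender) smtp.mailfrom=bounce@eu-central-1.amazonses.com;"
    " dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.de"
)

def parse_results(value):
    """Split an Authentication-Results value into (method, result, props) tuples."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    out = []
    for clause in value.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out

def domain_of(identity):
    """Domain part of an address or of an '@domain' identity."""
    return identity.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(domain, from_domain):
    # Simplified relaxed alignment: assumes from_domain is the organizational domain.
    return domain == from_domain or domain.endswith("." + from_domain)

def dmarc_view(value):
    """Summarise which DKIM/SPF results count for DMARC on the From domain."""
    res = parse_results(value)
    frm = next(p["header.from"].lower() for m, _, p in res if m == "dmarc")
    dkim = [(r, p.get("header.s")) for m, r, p in res
            if m == "dkim" and aligned(domain_of(p.get("header.i", "")), frm)]
    spf_ok = any(m == "spf" and r == "pass"
                 and aligned(domain_of(p.get("smtp.mailfrom", "")), frm)
                 for m, r, p in res)
    passed = [s for r, s in dkim if r == "pass"]
    failed = [s for r, s in dkim if r != "pass"]
    return {"from": frm, "aligned_dkim_pass": passed, "aligned_dkim_fail": failed,
            "spf_aligned": spf_ok, "dmarc_pass": bool(passed) or spf_ok}

if __name__ == "__main__":
    print(dmarc_view(SAMPLE))
```

On the sample, the `amazonses.com` signature and the SPF pass do not count toward DMARC because neither domain matches the From domain; the pass comes from the one aligned signature, and the failing `s=dkim` signature is reported separately.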
