This is an automated archive.

The original was posted on /r/sysadmin by /u/The-2-DB on 2023-09-27 10:21:57+00:00.


I’ve been helping my organisation deal with an issue where emails from @myorg.onmicrosoft.com to more than one Gmail address will cause Gmail to block the message to all recipients (see here for more info).

I’ve confirmed that SPF, DMARC and DKIM is configured correctly for my domain using

When I look at the headers of an email from my domain to a Gmail address, I see the following (excerpts included below)

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;...
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;...
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=myorg.onmicrosoft.com; dmarc=pass action=none
 header.from= myorg.onmicrosoft.com; dkim=pass
 header.d= myorg.onmicrosoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d= myorg.onmicrosoft.com; s=selector2-myorg-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=x...

From: Joe Boggs [joe@myorg.onmicrosoft.com](mailto:joe@myorg.onmicrosoft.com)
To: "[test@dkimvalidator.com](mailto:test@dkimvalidator.com)" [test@dkimvalidator.com](mailto:test@dkimvalidator.com)
Subject: Hello
Thread-Topic: Hello
authentication-results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=myorg.onmicrosoft.com;

My question is why does the authentication-results header say ‘message is not signed’ but the ARC-Authentication-Results header says DKIM has passed?