Emails from StandardBank.co.za to a cPanel-hosted server fail with bodyhash_mismatch – DKIM issues

Email from standardbank.co.za might fail with bodyhash_mismatch.

Since it’s a bank, most people panic and think it’s their own email systems that are at fault.

Actually, it takes two to tango and big companies also have problems.

To settle things for your customers on the cPanel side, you can do this:

In WHM >> Exim Configuration Manager, try turning the following option off: Allow DKIM verification for incoming messages

Updating “Allow DKIM verification for incoming messages” from “On” to “Off”.
“Allow DKIM verification for incoming messages” was updated.

The option is not on by default anyway. You’ll probably get more spam but fewer problems.

Below is an example of a bounce received from MS Office 365:

Example:

Original Message Details
Created Date: 1/10/2025 1:23:11 PM
Sender Address: [email protected]
Recipient Address: [email protected]
Subject: Whatever – Updating information
Error Details
Error: 550 5.0.350 Remote server returned an error -> 550 DKIM: encountered the following problem validating standardbank.co.za:;bodyhash_mismatch
Message rejected by: our-server.example.com
Notification Details
Sent by: DBAPR08MB5574.eurprd08.prod.outlook.com

The message is pretty ominous. It means the message body no longer matches the hash in the DKIM signature, i.e. it was modified in transit. Good luck escalating to Standard Bank.


Here is another problem with Standard Bank’s email, which travels via Microsoft to an OpenDKIM server hosted on Linux Virtualmin and causes:

opendkim[1458102]: 82A1E4B6806: failed to parse authentication-results: header field

There are two separate Authentication-Results headers in the email:

Authentication-Results: server.example.com; dkim=pass (1024-bit key; unprotected) header.d=standardbank.co.za header.i=@standardbank.co.za header.a=rsa-sha256 header.s=selector1 header.b=xFzksmAx; dkim-atps=neutral

authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=standardbank.co.za;

The second header is misleading because:

• It states dkim=none, but DKIM actually passed according to the first result.

• It contradicts the valid DKIM signature provided by selector1 for standardbank.co.za.

Why OpenDKIM Fails:

• OpenDKIM expects a single Authentication-Results header or at least a consistent structure.

• When it sees conflicting authentication results, particularly with different DKIM evaluations, it may fail to parse them.

• The lowercase authentication-results: (from Microsoft’s servers) and the correctly formatted uppercase Authentication-Results: (from your server) could also be problematic.
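
To check a message for the conditions listed above, here is an added example (not from the original article and not OpenDKIM's own parser) that audits the Authentication-Results headers of a raw message. It reports conflicting dkim verdicts and also flags any header that does not start with an authserv-id, which RFC 8601 requires before the results; the function names `parse_authres` and `audit` are hypothetical, and the sample message is constructed from the two headers quoted above.

```python
import re
from email import message_from_string

# Constructed sample: the two headers quoted in the article on a minimal message.
SAMPLE = (
    "Authentication-Results: server.example.com; dkim=pass (1024-bit key; unprotected)"
    " header.d=standardbank.co.za header.i=@standardbank.co.za header.a=rsa-sha256"
    " header.s=selector1 header.b=xFzksmAx; dkim-atps=neutral\r\n"
    "authentication-results: dkim=none (message not signed) header.d=none;"
    "dmarc=none action=none header.from=standardbank.co.za;\r\n"
    "Subject: constructed test\r\n\r\nbody\r\n"
)

# Comments may contain ';' (see "1024-bit key; unprotected"), so drop them first.
COMMENT = re.compile(r"\([^()]*\)")  # non-nested comments only (simplification)

def parse_authres(value):
    """Return (authserv_id or None, {method: result}) for one header value."""
    parts = [p.strip() for p in COMMENT.sub("", value).split(";")]
    parts = [p for p in parts if p]
    authserv_id = None
    # RFC 8601: the first element is the authserv-id, never a method=result pair.
    if parts and "=" not in parts[0]:
        authserv_id = parts.pop(0).split()[0]
    results = {}
    for part in parts:
        m = re.match(r"([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)", part)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results

def audit(raw_message):
    """List structural problems in a message's Authentication-Results headers."""
    msg = message_from_string(raw_message)
    findings, dkim_verdicts = [], set()
    # get_all() matches header names case-insensitively, so both spellings are seen.
    for i, value in enumerate(msg.get_all("Authentication-Results", []), 1):
        authserv_id, results = parse_authres(value)
        if authserv_id is None:
            findings.append(f"header {i}: no authserv-id before the results")
        if "dkim" in results:
            dkim_verdicts.add(results["dkim"])
    if len(dkim_verdicts) > 1:
        findings.append("conflicting dkim results: " + ", ".join(sorted(dkim_verdicts)))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```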

 
