KB Article #177276
Possible DKIM headers
Problem
If "Enable DKIM Verification" is selected for any given receiving connection policy, but "Drop messages with invalid DKIM signature" is not checked, MailGate will add the DKIM verification result to its X-TMWD-DKIM header.
Administrators may opt to use the header values when creating content policies.
Resolution
Blocking on this header is not entirely straightforward: its value is not a simple pass/fail flag but the actual outcome of the verification, including the relevant message or error text.
The value also depends on how strict the DKIM connection policy is (whether "Require DKIM signature for all messages - treat missing signature as invalid" is enabled) and on the domain policy published in DNS for the domain being checked.
A policy based on the header value can be created under Content Policies > Inbound Policies > New filter policy by selecting "Headers" and then "Specific contents in the following headers". The X-TMWD-DKIM header can be selected from the list of Standard Headers.
The most common header values are:
When a message successfully passes verification:
X-TMWD-DKIM: Passed DKIM verification
Depending on the DNS policy, if the signature is missing, the message gets one of the following:
X-TMWD-DKIM: No DKIM signatures from the sender domain
X-TMWD-DKIM: missing signatures
Note: Possible DNS policies are:
o=~ NEUTRAL or RELAXED (signature optional)
o=- STRONG (signature required, but not necessarily from my domain)
o=! EXCLUSIVE (signature required, and it must be from my domain) *
o=. NEVER (this site doesn't send mail)
If there is no signature but the DNS policy does not exist or is relaxed, the message gets:
X-TMWD-DKIM: no signatures required
If the message body hash does not match the bh= value in the signature (indicating the body was changed after DKIM signing), the message gets:
X-TMWD-DKIM: message body does not hash to bh value
If the message is signed with the wrong key, the header is:
X-TMWD-DKIM: RSA verify failed
If the sender domain does not exist in DNS, the header is:
X-TMWD-DKIM: Sender domain could not be found.
These are the most common cases. Other errors may also occur, and the header value changes to reflect the check result.
Ultimately, it is up to the administrator which cases to block. Alternatively, the logic can be reversed so that only certain header values are allowed (such as "X-TMWD-DKIM: Passed DKIM verification", "X-TMWD-DKIM: no signatures required", "X-TMWD-DKIM: Sender domain could not be found", etc.).
Regardless of the decision, it is recommended to test the policy before giving it any restrictive action. The best way is to create the IF conditions as needed, set the action to "Continue Processing", and tag the message with a custom tag. You can then filter for the messages that triggered the policy (Tracking > Messages > Advanced search > messages containing tag...) and check whether they are indeed unwanted or the policy needs tweaking.
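The following script is an added example, not MailGate's own code: it reproduces the two policy designs described above (a block-list of failure values versus an allow-list of acceptable values) and the "Continue Processing + tag" dry run, so that a proposed rule can be checked offline against a handful of messages before it is given a restrictive action. The header values are the ones quoted in this article; the sample messages, their Message-IDs and the example.invalid domain are constructed for the demonstration.

```python
"""Offline dry run of a content policy keyed on the X-TMWD-DKIM header.

Added example, not MailGate's own code. MailGate evaluates policies in its
own engine; this only mirrors the decision logic on captured messages.
"""
from email import policy
from email.parser import BytesParser
from typing import List, Optional, Tuple

HEADER = "X-TMWD-DKIM"

# Header values quoted in the article, normalised to lower case without the
# trailing period. ALLOW is the "reverse logic" set the article mentions;
# BLOCK is the set of outright verification failures.
ALLOW = {
    "passed dkim verification",
    "no signatures required",
    "sender domain could not be found",
}
BLOCK = {
    "message body does not hash to bh value",
    "rsa verify failed",
}


def dkim_result(raw: bytes) -> Optional[str]:
    """Return the normalised X-TMWD-DKIM value, or None if the header is absent
    (verification not enabled on the receiving connection policy)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    value = msg.get(HEADER)
    if value is None:
        return None
    return str(value).strip().rstrip(".").casefold()


def evaluate(raw: bytes, mode: str = "block") -> str:
    """Decide what the policy would do with one message.

    mode="block": tag only values in BLOCK (everything else passes).
    mode="allow": pass only values in ALLOW (everything else is tagged).
    Returns "tag", "pass" or "no-header".
    """
    result = dkim_result(raw)
    if result is None:
        return "no-header"  # header-based condition cannot match at all
    if mode == "block":
        return "tag" if result in BLOCK else "pass"
    if mode == "allow":
        return "pass" if result in ALLOW else "tag"
    raise ValueError(f"unknown mode {mode!r}")


def dry_run(messages: List[Tuple[str, bytes]], mode: str) -> List[str]:
    """Simulate 'Continue Processing' with a custom tag: return the ids of the
    messages the policy would have tagged, i.e. the set to review by hand."""
    return [mid for mid, raw in messages if evaluate(raw, mode) == "tag"]


def _msg(mid: str, dkim_value: Optional[str] = None) -> Tuple[str, bytes]:
    """Build a constructed RFC 5322 message with an optional X-TMWD-DKIM header."""
    lines = [
        f"Message-ID: <{mid}@example.invalid>",  # constructed placeholder domain
        "From: sender@example.invalid",
        "To: user@example.invalid",
        "Subject: dry-run sample",
    ]
    if dkim_value is not None:
        lines.append(f"{HEADER}: {dkim_value}")
    lines += ["", "body"]
    return mid, "\r\n".join(lines).encode()


# Constructed samples, one per header value from the article plus one message
# that never went through DKIM verification.
SAMPLES = [
    _msg("m1", "Passed DKIM verification"),
    _msg("m2", "no signatures required"),
    _msg("m3", "No DKIM signatures from the sender domain"),
    _msg("m4", "message body does not hash to bh value"),
    _msg("m5", "RSA verify failed"),
    _msg("m6", "Sender domain could not be found."),
    _msg("m7"),
]

if __name__ == "__main__":
    for mode in ("block", "allow"):
        print(f"{mode:>5}-list policy would tag: {dry_run(SAMPLES, mode)}")
```

Running it shows the difference the article leaves to the administrator: the block-list tags only m4 and m5, while the allow-list also tags m3 (a missing signature under a strict DNS policy). The message without the header (m7) is never tagged, which is a reminder that a header condition only sees messages that passed through a connection policy with DKIM verification enabled.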