PMG 9.0.10: DKIM_INVALID (BODY HAS BEEN ALTERED) for valid mails (Booking.com, Strato, M365)

jhobohm

New Member
Jul 1, 2026
2
1
3
Hello,

after migrating from another mail gateway to Proxmox Mail Gateway 9 we are seeing many false positives caused by DKIM validation.

Environment:

PMG 9.0.10
SpamAssassin 4.0.2
libmail-dkim-perl 1.20240923-1

pmgversion:

<Ausgabe von pmgversion -v>

Problem:

Several legitimate mails from different providers are classified as

DKIM_INVALID
KAM_DMARC_REJECT (7.0)

and therefore quarantined.

Examples:

- booking.com
- Strato hosted domains
- Microsoft 365

SpamAssassin result:

DKIM_INVALID(0.1)
DKIM_SIGNED(0.1)
DMARC_REJECT(0.1)
KAM_DMARC_REJECT(7)
...

Running SpamAssassin in debug mode on the quarantined EML shows:

DKIM signature verification result: FAIL (BODY HAS BEEN ALTERED)

The strange part is:

- DNS resolution works.
- DKIM public keys can be resolved correctly.
- The same message is accepted as DKIM_VALID by the upstream provider (Netarix).

Example:

X-Spam-Status (Netarix):

DKIM_VALID
DKIM_VALID_AU
score=-1.5

PMG:

DKIM_INVALID
KAM_DMARC_REJECT=7

The DKIM public keys resolve correctly:

dig TXT strato-dkim-0002._domainkey.busways.de
dig TXT strato-dkim-0003._domainkey.busways.de

Both return valid keys.

Question:

Has anybody seen this with PMG 9 / SpamAssassin 4.0.2?

Is there a known issue with DKIM verification resulting in

"BODY HAS BEEN ALTERED"

although upstream verification succeeds?

I can provide the original EML if required.
 
on a hunch - please compare the maximal message size (in the Mail Proxy Options) with the Maximal Spam Detector size - if the second is lower the issue is that the mail is not being shown to spamassassin completely which explains the modified body ...
else please provide the complete logs to such a mail - and ensure that your DNS does work reliably and does not run into timeouts sometimes

I hope this helps!
 
Thank you. You were right that the Spam Detector size was configured to only 262144 bytes (256 KB), while the SMTP proxy accepts 50 MB messages. I have increased the Spam Detector size and will monitor whether this resolves the DKIM "BODY HAS BEEN ALTERED" errors. However, I still observe similar behaviour on some messages that are much smaller than 256 KB (e.g. 12 KB, 30 KB, 89 KB), so I'll continue collecting examples and report back.

Best regards
Jork
 
  • Like
Reactions: Stoiko Ivanov