DKIM Valid (Signed by DOMAIN.NAME) "Warning" Header 'Subject" is not signed

E-mails
1

I have purchased on OVH a domain name and as part of it also comes with
FREE website plan called "100 MB free hosting"
and
E-Mail address with 1 account "Zimbra Starter e-mail account" service plan called "STARTER"
including 15 GiB space.

[DOMAIN.NAME = change to your domain name to check]

# WWW
After activating, both the "100 MB free hosting" & "Zimbra Starter e-mail account"
I also activated "Secure delegation - DNSSEC" for the domain name purchased,
received e-mail from OVH with SFTP password link and other details.

"100 MB free hosting" also needed activating "SSL certificate" for naked and www subdomain
- DOMAIN.NAME | www.DOMAIN.NAME
and all works as it should.



[XXXXXXX = is a number before "jt.dkim.mail.ovh.net" in a CNAME record]

# E-Mail
For the "STARTER" - "Zimbra Starter e-mail account" I checked:

- and adjusted SPF - Sender Policy Framework
PERSONAL CHOICE:
[ 600 IN TXT "v=spf1 include:mx.ovh.com ~all"]
https://mxtoolbox.com/SuperTool.aspx?action=spf%3aDOMAIN.NAME#

spf:DOMAIN.NAME
spf:DOMAIN.NAME:all


- and added DMARC - Domain-based Message Authentication, Reporting, and Conformance
PERSONAL CHOICE:
[_dmarc IN TXT "v=DMARC1; p=reject; ruf=mailto:dmarc-ruf@DOMAIN.NAME; rua=mailto:dmarc-rua@DOMAIN.NAME; pct=100; adkim=s; aspf=s"]
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3aDOMAIN.NAME#

dmarc:DOMAIN.NAME
dmarc:DOMAIN.NAME:all


I can see that "two" DKIM - DomainKeys Identified Mail records have also been created in DNS
- my two CNAME records
[ovhmo-selector-1._domainkey IN CNAME ovhmo-selector-1._domainkey.XXXXXXX.jt.dkim.mail.ovh.net.]

[ovhmo-selector-2._domainkey IN CNAME ovhmo-selector-2._domainkey.XXXXXXX.jt.dkim.mail.ovh.net.]
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3aDOMAIN.NAME%3aovhmo-selector-1&run=toolpage#

SELECTOR1: ovhmo-selector-1
SELECTOR2: ovhmo-selector-2
DOMAIN: DOMAIN.NAME

dkim:DOMAIN.NAME:ovhmo-selector-1
dkim:DOMAIN.NAME:ovhmo-selector-2


# NSLOOKUP

-------------------------------------------------------
$ nslookup -q=txt ovhmo-selector-1._domainkey.DOMAIN.NAME
;; Truncated, retrying in TCP mode.
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
ovhmo-selector-1._domainkey.DOMAIN.NAME canonical name = ovhmo-selector-1._domainkey.XXXXXXX.jt.dkim.mail.ovh.net.
ovhmo-selector-1._domainkey.XXXXXXX.jt.dkim.mail.ovh.net text = "v=DKIM1; k=rsa; p=MIIBIjA....Tsymw/wvr2....2Wa0/cymg.....kcG" "b80s/8SYZO...FQxb5h+9mLPN....fEcJ+tm7D....Qffd+K0kb...DAQAB"


-------------------------------------------------------
$ nslookup -q=txt ovhmo-selector-2._domainkey.DOMAIN.NAME
;; Truncated, retrying in TCP mode.
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
ovhmo-selector-2._domainkey.DOMAIN.NAME canonical name = ovhmo-selector-2._domainkey.XXXXXXX.jt.dkim.mail.ovh.net.
ovhmo-selector-2._domainkey.XXXXXXX.jt.dkim.mail.ovh.net text = "v=DKIM1; k=rsa; p=MIIBIjA....Tsymw/wvr2....2Wa0/cymg.....kcG" "b80s/8SYZO...FQxb5h+9mLPN....fEcJ+tm7D....Qffd+K0kb...DAQAB"




E-Mails that I send via Zimbra www interface,
are showing on receiving client with a "Warning" in a DKIM Signature:


"Header 'Subject" is not signed"


Is there any way to correct this and
have both Body and Subject signed together?

2

AI to the rescue (or not):

https://duck.ai/chat?q=How+can+I+fix+warning+%22Header+%27Subject%22+is+not+signed%22+OVH+Starter

Detailed Steps to Resolve

  1. Log into OVH Control Panel: Access your OVH account and go to the Email Management section.

  2. Check DKIM Status:

    • Navigate to the “Web Cloud” section.
    • Click on “Emails” and select the domain in question.
    • Verify the DKIM status; it should be marked as active and there should ideally be two selectors configured.

  3. Configure DKIM Properly:

    • Ensure that all headers, including "Subject", are included in the DKIM signing process. This can often be reflected in the DKIM settings within your email software or server configuration.

Where would I find the "Email Management" menu?

3

This information is untrue. When AI doesn't know the answer, they answer in all cases, never telling that they don't know the answer.

You have no way to configure the OVH sending servers to include more header fields in the DKIM signature.

Example of a DKIM signature in some random non-OVH e-mail:
h=From:To:Subject:Date:List-Unsubscribe:List-Unsubscribe-Post:MIME-Version: Message-ID:Content-Type;

Example of a mail sent by OVH servers:
h=From;

In both cases the contents were also included with the clause: c=relaxed/relaxed

I have the feeling that OVH removed at least the subject line from the inclusion, in order not to break the signature if OVH adds [SPAM] in the subject.

4

Should "both" Subject/Body be signed? ;)

I have not found yet e-mail provider that only signed the body and not the both (Sub/Body) ...