
Make outgoing DKIM-signing optional for certain routes/transports #316

Open

QuadrupleA opened this issue Mar 21, 2025 · 2 comments

@QuadrupleA

I'm trying to set up Routes & Transports to relay any outgoing email to Microsoft domains through Amazon SES (@hotmail.com, @outlook.com, etc. - at least temporarily, until I can sort out the IP range blocking / insta-reject issues with MS). For the rest of mail, gmail.com, yahoo.com, mox is successfully delivering direct to the internet.

Unfortunately Amazon SES doesn't like getting DKIM-Signature headers, and rejects the relay. Is there a way to skip DKIM-signing of outgoing messages for certain routes or transports? Or a way to strip the DKIM-Signature header before relaying?

For reference my config is:

domains.conf:

Routes:
    -
        ToDomain:
            - hotmail.com
            - outlook.com
        Transport: SES

mox.conf:

# Set up an "SES" transport mechanism, to get around persnickety email hosts like Microsoft
Transports:
        SES:
                Submissions:
                        Host: email-smtp.us-west-2.amazonaws.com
                        Port: 465
                        Auth:
                                Username: AK...
                                Password: Am...
                                Mechanisms:
                                        - PLAIN

Lastly, thanks for a great product! Much more powerful and sane than postfix + dovecot + (especially) rspamd. Really hoping nice self-contained statically-linked programs like this are the future, versus 500MB 10,000-file npm/docker/sharedlib-distro dependency nightmares.

@mjl- (Owner) commented Mar 23, 2025

> Unfortunately Amazon SES doesn't like getting DKIM-Signature headers, and rejects the relay. Is there a way to skip DKIM-signing of outgoing messages for certain routes or transports? Or a way to strip the DKIM-Signature header before relaying?

No, there currently isn't.

Perhaps you can get it working without changes to mox. I think SES doesn't like getting multiple DKIM-Signature headers. I think that can be solved by signing with only 1 DKIM key, the RSA one (ed25519 isn't supported by all mail servers).
Btw, another problem with SES is that it rewrites the Message-Id header. That invalidates the DKIM-Signature that mox adds, which covers the Message-Id header. That doesn't have to be a problem, mismatching signatures are ignored by receiving mail servers. But you would have to add a DKIM key to SES so it can add a new signature. Hopefully that can already get you sending messages via SES.

If that doesn't work, we could make changes to mox. But it feels a bit silly to do so to work around issues in AWS SES...
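
A small diagnostic, added here and not part of the issue or of mox, that makes the two problems above visible before relaying: it lists every DKIM-Signature header on a message with its selector and algorithm, flags when there is more than one, and reports whether each signature's h= list covers Message-Id (so a relay that rewrites Message-Id would invalidate it). The sample message, the selectors 2025a/2025b, and example.org are constructed.

```python
import email

# Constructed sample (not from the issue): a message signed twice, as mox does
# when both an ed25519 selector and an RSA selector are listed under Sign.
SAMPLE = b"""DKIM-Signature: v=1; a=ed25519-sha256; d=example.org; s=2025a;
 h=From:To:Subject:Date:Message-Id; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=2025b;
 h=From:To:Subject:Date:Message-Id; bh=AAAA; b=CCCC
From: sender@example.org
To: recipient@hotmail.com
Subject: test
Date: Fri, 21 Mar 2025 10:00:00 +0000
Message-Id: <constructed@example.org>

body
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # folding whitespace inside a tag value is not significant
            tags[name.strip()] = "".join(value.split())
    return tags


def dkim_signatures(raw: bytes) -> list:
    """One dict per DKIM-Signature header: selector, algorithm, Message-Id coverage."""
    msg = email.message_from_bytes(raw)
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        covered = [h.lower() for h in tags.get("h", "").split(":") if h]
        out.append({"selector": tags.get("s"), "algorithm": tags.get("a"),
                    "covers_message_id": "message-id" in covered})
    return out


def relay_warnings(raw: bytes) -> list:
    """Describe what a relay that rejects multiple signatures or rewrites Message-Id breaks."""
    sigs = dkim_signatures(raw)
    warnings = []
    if len(sigs) > 1:
        warnings.append(f"{len(sigs)} DKIM-Signature headers: relay may reject; sign with one key")
    for sig in sigs:
        if sig["covers_message_id"]:
            warnings.append(f"s={sig['selector']} covers Message-Id; rewriting it invalidates this signature")
    return warnings
```

Run `relay_warnings(SAMPLE)` on a captured outgoing message (replace `SAMPLE`) to see which selector to drop from `Sign` and which signature the relay's Message-Id rewrite will break.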

@QuadrupleA (Author) commented Mar 23, 2025

Thanks Mechiel! So yes, removing the ed25519 key did the trick actually (2025a in my setup); with just the single RSA DKIM-Signature, SES allowed it through:

Domains:
  ...:
    DKIM:
      Selectors:
        ...
      Sign:
        #- 2025a
        - 2025b

Mox's signature did show as a fail in later Authentication-Results: headers, probably because of the Message-Id overwrite issue you mentioned, but at that point SES had attached its own DKIM signatures (I configured DNS for those also) so DKIM was still a pass overall.

Incidentally, I noticed the ed25519 key 2025a always showed as a fail in all the Authentication-Results: headers I saw for different recipients (Yahoo, Gmail), with the RSA 2025b passing. Not sure if EC is too bleeding-edge, or if it might be a bug in Mox's EC signatures?

Feel free to close - but would be good to put a note in the config documentation about single-RSA only for SES support. SES is the biggest email service on the biggest cloud provider, and a handy workaround for deliverability problems on certain domains, while letting the mox server build IP reputation for the other domains.
