AWS SES relay host and Duplicate header 'DKIM-Signature'

[rajil]

Hello,

I setup AWS as a relay host. My emails unfortunately going through and i get an error,

Diagnostic-Code: smtp;554 Transaction failed: Duplicate header 'DKIM-Signature'.

How can i fix this?

[rajil]

This is how the Routing is setup,

[andreymal]

It's better to send a bug report to AWS

[rajil]

I can see two DKIM headers in the email. Is that Stalwart which is added those or AWS?

[rajil]

Sounds like Stalwart issue reading this, https://serverfault.com/questions/579879/how-to-avoid-554-error-duplicate-header

[andreymal]

Regardless of AWS SES bugs, I see in the documentation that it provides different options for DKIM signing. Which option do you use?

If I understand correctly, the first three options mean that AWS SES adds its own DKIM signatures, which probably means you may need to disable DKIM signing completely in Stalwart:

auth.dkim.sign = false
report.dkim.sign = false
report.dsn.sign = false
report.dmarc.sign = false
report.dmarc.aggregate.sign = false
report.spf.sign = false
report.tls.aggregate.sign = false
sieve.trusted.sign = false

[rajil]

I am using the default settings and only setup a relay host.

[mdecimus]

That specific error 554 Transaction failed: Duplicate header 'DKIM-Signature' isn’t coming from Stalwart itself, but from AWS. They’re rejecting the message because it contains more than one DKIM-Signature header.

It’s important to point out that this behavior is actually non-standard. None of the relevant email RFCs require there to be only a single DKIM signature. In fact, having multiple signatures is a perfectly valid and widely used practice. One common reason for this is the need to sign a message using both Ed25519 and RSA. Ed25519 provides stronger security and better performance, while RSA is still necessary for compatibility with systems that don’t yet support Ed25519. In such cases, the presence of two signatures is not only valid but also the correct and more secure approach.

If you need a quick workaround, you can configure Stalwart to sign messages with only RSA by removing the Ed25519 signature. That will satisfy AWS’s restriction, although it means sacrificing some of the security benefits. My recommendation, however, is to consider switching to a relay host that fully adheres to the standards and does not impose arbitrary limitations like this. Rejecting messages simply because they contain multiple valid DKIM signatures is not compliant with the specifications and ultimately makes email both less secure and less interoperable.

[rajil]

Do I need to modify this screen?

Change ['rsa-' + sender_domain, 'ed25519-' + sender_domain]

AWS SES seemed like cheap host, which relay do you recommend?