starred/mailpit

Fork 0

mirror of https://github.com/axllent/mailpit.git synced 2026-04-26 00:35:51 +03:00

[GH-ISSUE #642] Amazon SES SMTP Relay error: error closing connection: 554 Transaction failed: Duplicate header 'DKIM-Signature'. #402

New issue

Closed

opened 2026-03-15 14:15:11 +03:00 by kerem · 8 comments

kerem commented

2026-03-15 14:15:11 +03:00

Owner

Originally created by @hossein on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/axllent/mailpit/issues/642

Hi. I have a system that sends emails using Amazon SES to our own mailpit server. The sending identity on SES is configured with successful DKIM configuration, and mailpit shows a Dkim-Signature header in the received email.

I have configured mailpit's SMTP Relay with SMTP credentials from Amazon SES. But when trying to release an email from mailpit UI to any address, the following error is displayed:

SMTP error: error closing connection: 554 Transaction failed: Duplicate header 'DKIM-Signature'.

Providing another verified SES identity to override-from in mailpit's smtp relay config doesn't help neither. Any ideas?

Originally created by @hossein on GitHub (Feb 12, 2026). Original GitHub issue: https://github.com/axllent/mailpit/issues/642 Hi. I have a system that sends emails using Amazon SES to our own mailpit server. The sending identity on SES is configured with successful DKIM configuration, and mailpit shows a `Dkim-Signature` header in the received email. I have configured mailpit's SMTP Relay with SMTP credentials from Amazon SES. But when trying to release an email from mailpit UI to any address, the following error is displayed: ``` SMTP error: error closing connection: 554 Transaction failed: Duplicate header 'DKIM-Signature'. ``` Providing another verified SES identity to `override-from` in mailpit's smtp relay config doesn't help neither. Any ideas?

kerem closed this issue

2026-03-15 14:15:16 +03:00

kerem commented

2026-03-15 14:15:22 +03:00

Author

Owner

@axllent commented on GitHub (Feb 12, 2026):

Hi there. So you're using SES to deliver mail to Mailpit, and then also relaying messages via SES? Can SES be configured not to add dkim signatures via the incoming route (delivering to Mailpit)?

@axllent commented on GitHub (Feb 12, 2026): Hi there. So you're using SES to deliver mail to Mailpit, and then also relaying messages via SES? Can SES be configured not to add dkim signatures via the incoming route (delivering to Mailpit)?

kerem commented

2026-03-15 14:15:27 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Feb 20, 2026):

This issue has been marked as stale because it has been open for 7 days with no activity.

@github-actions[bot] commented on GitHub (Feb 20, 2026): This issue has been marked as stale because it has been open for 7 days with no activity.

kerem commented

2026-03-15 14:15:32 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Feb 23, 2026):

This issue was closed because there has been no activity since being marked as stale.

@github-actions[bot] commented on GitHub (Feb 23, 2026): This issue was closed because there has been no activity since being marked as stale.

kerem commented

2026-03-15 14:15:37 +03:00

Author

Owner

@hossein commented on GitHub (Feb 26, 2026):

@axllent Thanks for your response and sorry for the delay; please re-open.

For some reason, disabling the DKIM signatures on SES's panel still adds them to the email for me (might be our complex identity setup with subdomains, etc).

However, I'm trying to understand what is going on here. If I check the raw headers there are already two DKIM-Signature headers (example below), which seems to be the expected behavior.

Does MailPit touch DKIM headers (or any other headers for that matter) while releasing/relaying? If no, can we somehow bypass any validation that is being done here to make it able to release the message regardless of any errors?

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=go525...; d=example.com;
	t=1772108695; i=@example.com;
	h=From:To:Reply-To:Subject:Message-ID:MIME-Version:Date:Content-Type:Content-Transfer-Encoding;
	bh=...
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ndjes....; d=amazonses.com; t=1772108695;
	h=From:To:Reply-To:Subject:Message-ID:MIME-Version:Date:Content-Type:Content-Transfer-Encoding:Feedback-ID;
	bh=...

@hossein commented on GitHub (Feb 26, 2026): @axllent Thanks for your response and sorry for the delay; please re-open. For some reason, disabling the DKIM signatures on SES's panel still adds them to the email for me (might be our complex identity setup with subdomains, etc). However, I'm trying to understand what is going on here. If I check the raw headers there are already two `DKIM-Signature` headers (example below), which seems to be the [expected](https://stackoverflow.com/questions/59910157/why-there-are-two-dkim-signatures-in-email) [behavior](https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim-manual.html). Does MailPit touch DKIM headers (or any other headers for that matter) while releasing/relaying? If no, can we somehow bypass any validation that is being done here to make it able to release the message regardless of any errors? ``` DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=go525...; d=example.com; t=1772108695; i=@example.com; h=From:To:Reply-To:Subject:Message-ID:MIME-Version:Date:Content-Type:Content-Transfer-Encoding; bh=... DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ndjes....; d=amazonses.com; t=1772108695; h=From:To:Reply-To:Subject:Message-ID:MIME-Version:Date:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=... ```

kerem commented

2026-03-15 14:15:43 +03:00

Author

Owner

@axllent commented on GitHub (Feb 27, 2026):

Does MailPit touch DKIM headers (or any other headers for that matter) while releasing/relaying?

No, Mailpit does not modify any headers - except for the message ID itself (see notes).

If no, can we somehow bypass any validation that is being done here to make it able to release the message regardless of any errors?

Mailpit does not validate any DKIM headers. The error you are getting (SMTP error: error closing connection: 554 Transaction failed: Duplicate header 'DKIM-Signature'.) is the response from the second SES SMTP server. 🤷 Mailpit is not rejecting it, the second SES server is.

@axllent commented on GitHub (Feb 27, 2026): > Does MailPit touch DKIM headers (or any other headers for that matter) while releasing/relaying? No, Mailpit does not modify any headers - except for the message ID itself ([see notes](https://mailpit.axllent.org/docs/configuration/smtp-relay/#notes)). > If no, can we somehow bypass any validation that is being done here to make it able to release the message regardless of any errors? Mailpit does not validate any DKIM headers. The error you are getting (`SMTP error: error closing connection: 554 Transaction failed: Duplicate header 'DKIM-Signature'.`) is the response from the second SES SMTP server. 🤷 Mailpit is not rejecting it, the second SES server is.

kerem commented

2026-03-15 14:15:48 +03:00

Author

Owner

@hossein commented on GitHub (Feb 27, 2026):

Ok, I was under the impression that the error is coming from the sending mechanism.

Can SES be configured not to add dkim signatures via the incoming route (delivering to Mailpit)?

For some reason, it's not easily possible to do it from our initial sending side (and even disabling SES's DKIM signing apparently still leaves one DKIM header there instead of two, but haven't tested if it causes the same issue).

Are there possible alternatives in the mailpit side, such as stripping the DKIM headers during relaying?

@hossein commented on GitHub (Feb 27, 2026): Ok, I was under the impression that the error is coming from the sending mechanism. > Can SES be configured not to add dkim signatures via the incoming route (delivering to Mailpit)? For some reason, it's not easily possible to do it from our initial sending side (and even disabling SES's DKIM signing apparently still leaves one DKIM header there instead of two, but haven't tested if it causes the same issue). Are there possible alternatives in the mailpit side, such as stripping the DKIM headers during relaying?

kerem commented

2026-03-15 14:15:53 +03:00

Author

Owner

@axllent commented on GitHub (Mar 1, 2026):

There isn't currently any option in Mailpit to remove headers, but to be honest, this issue doesn't really sound like a problem that needs to be solved by Mailpit either. If you're getting one set of DKIM headers now, then it means one of the SMTP servers still has that configured.

@axllent commented on GitHub (Mar 1, 2026): There isn't currently any option in Mailpit to remove headers, but to be honest, this issue doesn't really sound like a problem that needs to be solved by Mailpit either. If you're getting one set of DKIM headers now, then it means one of the SMTP servers still has that configured.

kerem commented

2026-03-15 14:15:58 +03:00

Author

Owner

@hossein commented on GitHub (Mar 1, 2026):

Thanks for the insights. Here is a summary; I'll report what worked.

Have SES totally disable DKIM signing, in either direction (initial SES -> mailpit, or mailpit relay -> SES);
Use a 'plain' SMTP server instead of SES in one of the directions;
Try to strip the DKIM header in mailpit, but currently mailpit doesn't do this and it's not in its scope.

@hossein commented on GitHub (Mar 1, 2026): Thanks for the insights. Here is a summary; I'll report what worked. 1. Have SES totally disable DKIM signing, in either direction (initial SES -> mailpit, or mailpit relay -> SES); 2. Use a 'plain' SMTP server instead of SES in one of the directions; 3. Try to strip the DKIM header in mailpit, but currently mailpit doesn't do this and it's not in its scope.