DMARC and DKIM alignment with multiple DKIM signatures

If an email contains multiple DKIM signatures as it's forwarded, how does DMARC process the DKIM alignment check?

Does ANY passing DKIM signature d= parameter have to match Header From?

or

Does the first (or last) DKIM signature d= parameter have to match Header From?

or

Does the single DKIM as indicated in the "Authentication-Results" have to pass (which may always be the last?)?

This is NOT a question of relaxed vs. strict.

Thank you!


Solution 1:

According to DMARC specification: https://www.rfc-editor.org/rfc/rfc7489

Note that a single email can contain multiple DKIM signatures, and it is considered to be a DMARC "pass" if any DKIM signature is aligned and verifies.

Solution 2:

If there are multiple DKIM signatures, only one of them must align for DKIM alignment to be valid according to https://mxtoolbox.com/problem/dkim/dkim-signature-alignment