OpenDKIM icon indicating copy to clipboard operation
OpenDKIM copied to clipboard

Published 20 hours ago verified publisher icon trusteddomainproject

ares_parse() fails on outlook.com/alum.mit.edu added header

Open mdomsch opened this issue 5 years ago • 8 comments
trafficstars

opendkim 2.11.0-Beta2 reports in maillog: failed to parse Authentication-Results: header field

I patched it to include the offending header content in the syslog to find it:

Authentication-Results: spf=pass (sender IP is 209.85.219.172)#012 smtp.mailfrom=example.org; alum.mit.edu; dkim=pass (signature was verified)#012 header.d=example.org;alum.mit.edu; dmarc=pass action=none#012 header.from=example.org;compauth=pass reason=100

This header is being added by MX alum-mit-edu.mail.protection.outlook.com which receives mail on behalf of the MIT alum.mit.edu email forwarding service, before forwarding on to the true destination address. At that true destination, opendkim reports its inability to parse this header.

When mail is sent directly from example.org to the true destination address (not going through the alum.mit.edu forwarder), the above header is not added, and opendkim works as expected.

mdomsch avatar May 16 '20 05:05 mdomsch

The mail is being received for alum.mit.edu by Office365, which adds the malformed AR header, and keeps it there when forwarded to its final destination.

mdomsch avatar Jun 08 '20 19:06 mdomsch

@mskucherawy and I will review.

martinbogo avatar Jun 17 '20 22:06 martinbogo

It fails because outlook.com/Office 365 is not including it's own host name as the first item in the header, as it should. I don't know why that is, but when I see the message delivered also into the outlook.com mailbox, it has the added AR header without the host name as the first item.

mdomsch avatar Jun 19 '20 03:06 mdomsch

https://github.com/jstedfast/MimeKit/issues/490 notes the same problem.

mdomsch avatar Jun 19 '20 03:06 mdomsch

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/email-validation-and-authentication?view=o365-worldwide describes their creation of the header. No authserv-id is ever shown.

mdomsch avatar Jun 19 '20 04:06 mdomsch

This looks like a duplicate of #48.

mikenor avatar Mar 19 '21 20:03 mikenor

OpenDKIM header read failures with emails from Microsoft services has been a problem for me for a very long time,

I keep hoping to see a project update or at least a patch for the issue. But to be honest, I'm beginning to wonder if the project has been abandoned

kenfc avatar Aug 30 '21 13:08 kenfc

This happens with all o365 signed emails. They omit the ADMD on DKIM signatures. Arbitrary example :

Authentication-Results: compauth=<fail | pass | softpass | none> reason=

OpenDKIM only understands AR headers with the ADMD; in place. For DKIM the ADMR seems optional out in the world.

Authentication-Results: thefunkychecken.com; compauth=<fail | pass | softpass | none> reason=

Its a bit hard to follow, but it seems like the parser in opendkim-ar.c assumes there will always be an ADMD present

Google etc., accept the Authentication-Results from o365 without an error, as do o365 instances.

For DKIM at least, seems like the starting "something;" token(s) after the header name, should be optional.

maxfieb avatar Apr 08 '22 09:04 maxfieb