This is the error as an example when sending to a lot of recipients.
NOTE: I was testing my mail server with a tool ichdasich helped develop, and found this error... which ichdasich graciously filed as a bug far better than I could.
This issue comes from mail-in-a-box upstream, see https://github.com/mail-in-a-box/mailinabox/issues/2239.
Copy-Paste summary of the issue:
Currently, mail in a box configures opendkim to use `relaxed/simple` canonicalization (l. 34 of https://github.com/mail-in-a-box/mailinabox/blob/main/setup/dkim.sh ). This can lead to verification issues with long To: headers; specifically, whitespaces/\r\n/\n get injected, which make verification fail, see https://www.rfc-editor.org/rfc/rfc6376#section-3.4 and https://www.rfc-editor.org/rfc/rfc6376#section-3.5. (I am currently a bit unsure why this is an issue for `relaxed/simple` being used; technically this should be a `simple/(relaxed|simple)` issue.) This only causes issues for very long To: headers.
Reproducing the issue
To test this:

```
sent-messages % cat 1.mbox | dkimverify
-> signature verification failed
sent-messages % cat 1.mbox | dkimverify
-> signature ok
```
This issue also reproduces when sending to, e.g., Google. To test that, start a test (or create a long To: yourself), but this time before sending the test message, add a gmail address to the To: as well. You will see that the mail is not validated by Gmail anymore.

Suggested solution
Switch to relaxed/relaxed canonicalization for DKIM signing.