emersion / go-msgauth

🔏 A Go library and tools for DKIM, DMARC and Authentication-Results
MIT License

Remove Return-Path from header sign #51

Closed itrack closed 2 years ago

itrack commented 2 years ago

According to RFC 6376:

5.4. Determine the Header Fields to Sign

The From header field MUST be signed (that is, included in the "h=" tag of the resulting DKIM-Signature header field). Signers SHOULD NOT sign an existing header field likely to be legitimately modified or removed in transit. In particular, [RFC5321] explicitly permits modification or removal of the Return-Path header field in transit.

This makes the DKIM signature invalid.

emersion commented 2 years ago

https://github.com/emersion/go-msgauth/search?q=Return-Path

Not sure where your issue comes from, but it's not from go-msgauth. I'd suggest opening a downstream issue.

itrack commented 2 years ago

Yes, it is not, but Return-Path is part of the email header; it should be ignored and not signed by dkim.Sign.

Now the signature looks like this: DKIM-Signature: a=rsa-sha256; bh=[ ]; c=relaxed/relaxed; d=domain.com; h=Content-Type:X-Complaints-To:Campaign-Id:List-Unsubscribe:Signedby:Return-Path:Sender:Precedence:Message-Id:Feedback-Id:Subject:Message-Id:To:From:Date:Mime-Version; s=default; t=1641899925; v=1; b=[ *]

emersion commented 2 years ago

The library user tells go-msgauth which fields should be signed. They are responsible for not signing fields which shouldn't be.

itrack commented 2 years ago

I apologize, I was wrong thinking that the library follows the protocol rules 😄

emersion commented 2 years ago

The RFC indicates this requirement as a "SHOULD". Hence, the library won't forbid library users from doing the wrong thing here.

If it was a "MUST", I'd be fine with returning an error if the caller does the wrong thing. That's not the case here.
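Since the caller decides which fields go into the signature (via the HeaderKeys field of go-msgauth's dkim.SignOptions), the check belongs on the caller's side. The following is an added example, not part of this thread and not go-msgauth's own code: it parses the h= tag out of the DKIM-Signature value posted above, reports any signed field that RFC 5321 permits to be modified or removed in transit (Return-Path, the only one named in the RFC text quoted in the issue), and builds a header-key list that drops such fields while enforcing the RFC 6376 MUST that From is signed. The function names and the transitMutable table are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sampleSignature is the DKIM-Signature value posted in the issue, with the
// bh= and b= values elided as they were in the post.
const sampleSignature = "a=rsa-sha256; bh=[ ]; c=relaxed/relaxed; d=domain.com; " +
	"h=Content-Type:X-Complaints-To:Campaign-Id:List-Unsubscribe:Signedby:Return-Path:" +
	"Sender:Precedence:Message-Id:Feedback-Id:Subject:Message-Id:To:From:Date:Mime-Version; " +
	"s=default; t=1641899925; v=1; b=[ *]"

// transitMutable lists header fields that RFC 6376 section 5.4 says signers
// SHOULD NOT sign because RFC 5321 permits them to be modified or removed in
// transit. Only Return-Path is named in the RFC text quoted in the issue; the
// table itself is this example's assumption, not something go-msgauth ships.
var transitMutable = map[string]bool{"return-path": true}

// SignedHeaderKeys parses the tag=value list of a DKIM-Signature header value
// and returns the field names from its h= tag, in order. Duplicates are kept,
// since DKIM allows a name to be listed more than once.
func SignedHeaderKeys(sig string) ([]string, error) {
	for _, tag := range strings.Split(sig, ";") {
		name, value, ok := strings.Cut(strings.TrimSpace(tag), "=")
		if !ok || strings.TrimSpace(name) != "h" {
			continue
		}
		var keys []string
		for _, k := range strings.Split(value, ":") {
			// Folding whitespace may surround the colons in a real header.
			if k = strings.TrimSpace(k); k != "" {
				keys = append(keys, k)
			}
		}
		return keys, nil
	}
	return nil, errors.New("DKIM-Signature has no h= tag")
}

// Fragile returns the signed field names that are likely to change in transit,
// so the signature would fail at a verifier such as SpamAssassin.
func Fragile(keys []string) []string {
	var out []string
	for _, k := range keys {
		if transitMutable[strings.ToLower(k)] {
			out = append(out, k)
		}
	}
	return out
}

// SignableHeaderKeys turns a candidate list (for example every field present
// in the message) into a list safe to hand to a signer: transit-mutable fields
// are dropped and the RFC 6376 requirement that From is signed is enforced.
func SignableHeaderKeys(candidates []string) ([]string, error) {
	var keys []string
	hasFrom := false
	for _, k := range candidates {
		if transitMutable[strings.ToLower(k)] {
			continue
		}
		if strings.EqualFold(k, "From") {
			hasFrom = true
		}
		keys = append(keys, k)
	}
	if !hasFrom {
		return nil, errors.New("From must be included in the signed header fields")
	}
	return keys, nil
}

func main() {
	keys, err := SignedHeaderKeys(sampleSignature)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("fragile signed fields:", Fragile(keys))
	safe, _ := SignableHeaderKeys(keys)
	fmt.Println("safe HeaderKeys:", strings.Join(safe, ":"))
}
```

Run against the posted signature, Fragile reports Return-Path, and SignableHeaderKeys yields the same list minus that field; the result is what a caller would place in SignOptions.HeaderKeys before calling dkim.Sign.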

itrack commented 2 years ago

Yes, but SpamAssassin sees the signature as invalid if it contains Return-Path.

itrack commented 2 years ago

SpamAssassin Score: -4.8
Message is NOT marked as spam
Points breakdown:
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust [91.247.179.194 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid