Closed itrack closed 2 years ago
https://github.com/emersion/go-msgauth/search?q=Return-Path
Not sure where your issue comes from, but it's not from go-msgauth. I'd suggest opening a downstream issue.
Yes, it is not, but the return path is part of an email header, it should be ignored and not signed by dkim.Sign.
Now the signature looks like this: DKIM-Signature: a=rsa-sha256; bh=[ ]; c=relaxed/relaxed; d=domain.com; h=Content-Type:X-Complaints-To:Campaign-Id:List-Unsubscribe:Signedby:Return-Path:Sender:Precedence:Message-Id:Feedback-Id:Subject:Message-Id:To:From:Date:Mime-Version; s=default; t=1641899925; v=1; b=[ *]
The library users tells go-msgauth which fields should be signed. They are responsible for not signing fields which shouldn't be.
I apologize, I was wrong thinking that the library follows the protocol rules 😄
The RFC indicates this requirement as a "SHOULD". Hence, the library won't forbid library users from doing the wrong thing here.
If it was a "MUST", I';d be fine with returning an error if the caller does the wrong thing. That's not the case here.
Yes, but SpamAssassin sees the signature as invalid if it contains Return-Path
SpamAssassin Score: -4.8 Message is NOT marked as spam Points breakdown: -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust [91.247.179.194 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
According to rfc6376:
This makes the dkim invalid