lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

email received with exchange server shows "DKIM: invalid (email was modified)" #126

Closed level420 closed 5 years ago

level420 commented 5 years ago

Running Postfix 2.10.1 on CentOS 7 with transport to MS Exchange 2016, connecting to MS Exchange 2016 via SMTPS with Thunderbird 60.2.1 (64bit) and DKIM Verifier 2.0.0.

It seems that certain DKIM signed mails get modified somehow when sent to our company Exchange server and others not. For example, mails sent with accounts at gmail.com get verified.

I've tested this behaviour asking persons to write to my gmail address and to my company exchange address, where the one sent to gmail was correctly validated via DKIM verifier and that sent to exchange not, showing the message "DKIM: invalid (email was modified)".

So I suspect that either postfix or exchange modifies the signed parts somehow.

I don't think this is a bug in DKIM verifier, but it could be possibly adapted to verify such emails as well.

lieser commented 5 years ago

> So I suspect that either postfix or exchange modifies the signed parts somehow.

Yes, Exchange is already known to me to do this. See https://github.com/lieser/dkim_verifier/wiki/FAQ#all-or-almost-all-e-mails-with-dkim-signature-are-failing-with-the-same-error for a list of known providers/servers that change the email content.

> I don't think this is a bug in DKIM verifier, but it could be possibly adapted to verify such emails as well.

I already tried this once. But I soon came to the conclusion that this is in my opinion not really a feasible solution. Too many possible changes. And because of the nature of DKIM, the add-on would have to guess them and use trial and error to find the content of the original email.

There still exists a hidden option from my tries that worked for at least some of the modified emails: `extensions.dkim_verifier.error.contentTypeCharsetAddedQuotes.treatAs`. See https://github.com/lieser/dkim_verifier/issues/70#issuecomment-223917789 for more on this topic.

If your server writes the "Authentication-Results", I would recommend enabling the reading of this header in the add-on.
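An added illustration, not part of the thread and not the add-on's code: RFC 6376 "relaxed" header canonicalization absorbs whitespace and folding changes, but not quotes added around the `charset` parameter, so a verifier can only recover by guessing the original value and re-checking. Assumptions: `Content-Type` is among the signed headers, a plain SHA-256 comparison stands in for the signature check, and all function names and sample values are constructed for this sketch.

```python
import hashlib
import re

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)        # collapse runs of whitespace
    return f"{name.lower()}:{value.strip(' ')}\r\n"

def header_digest(name: str, value: str) -> str:
    """Stand-in for the signature check: SHA-256 over the canonical form.
    A real verifier feeds this data into the RSA/Ed25519 verification."""
    return hashlib.sha256(relaxed_header(name, value).encode("utf-8")).hexdigest()

def undo_added_charset_quotes(value: str) -> str:
    """One guess at the original: drop quotes around the charset parameter."""
    return re.sub(r'(charset=)"([^"]*)"', r"\1\2", value, flags=re.IGNORECASE)

def classify(signed_value: str, received_value: str) -> str:
    """Check a received Content-Type value against the digest of the signed one."""
    expected = header_digest("Content-Type", signed_value)
    if header_digest("Content-Type", received_value) == expected:
        return "valid"
    guess = undo_added_charset_quotes(received_value)
    if header_digest("Content-Type", guess) == expected:
        return "valid only after undoing added charset quotes"
    return "invalid"

# Constructed sample values (not taken from any real message).
SIGNED = "text/plain; charset=utf-8"
REFOLDED = "text/plain;\r\n\t charset=utf-8  "  # relay re-folded the header
QUOTED = 'text/plain; charset="utf-8"'          # relay added quotes
OTHER = 'text/html; charset="utf-8"'            # a different change

if __name__ == "__main__":
    for label, value in [("refolded", REFOLDED), ("quoted", QUOTED), ("other", OTHER)]:
        print(f"{label:9s} -> {classify(SIGNED, value)}")
```

Each further kind of modification would need its own guess function and another hash attempt.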

monperrus commented 6 months ago

FTR #300 contains the reference information about outlook/exchange