lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

outlook.com and hotmail.com Invalid (E-Mail was modified) #300

Closed ilioNaglo closed 2 years ago

ilioNaglo commented 2 years ago

within the past week, all incoming emails going to my hotmail and outlook accounts come up as invalid. checked older emails that did verify in the past and all of them now show same invalid error. i tried "Reverify DKIM Signature" and "Update DKIM Key" without success.

hovering over sender name pops up "DKIM: Invalid (E-Mail was modified)"

emails to my google accounts, past and current, show as valid as expected.

i did change some of the plugin's settings but no change in outcome.

lieser commented 2 years ago

Thanks for reporting this. Unfortunately the error is probably correct, and hotmail/outlook recently made a change that results in them changing the body of emails more aggressively than before (and for already received emails).

Do the emails received by hotmail/outlook contain an Authentication-Results header? Then a workaround would be to enable the reading of the header in the options https://github.com/lieser/dkim_verifier/wiki/Options#read-authentication-results-header.

If you are interested to see how the emails are changed: The easiest way is to send a single email with the recipient being both your hotmail/outlook emails and your google account. Then you can save both received emails in Thunderbird as .eml files, and compare them.

Regarding Update DKIM Key: If you have enabled the caching of DKIM keys, this can help if verifying the actual signature fails (Signature is wrong error), if a sender unfortunately decides to change an existing key instead of simply creating a new one. The error E-Mail was modified means that the body of the email does not match the hash given in the DKIM-Signature header. Meaning the verification already fails before the DKIM key is used to verify the actual signature.

real-yfprojects commented 2 years ago

I am not sure whether this relates to this issue but the outlook exchange server will modify incoming mails by changing links included in them into 'safe' urls that link to microsoft and redirect to the original site.

lieser commented 2 years ago

Changing links in the body of the mail would definitely invalidate the DKIM signature (with the E-Mail was modified error being shown).

Do you know if this is a recently added feature to outlook and hotmail?

real-yfprojects commented 2 years ago

> Do you know if this is a recently added feature to outlook and hotmail?

This feature has existed for years. But I think it is only available for Premium users.

lieser commented 2 years ago

I hope all questions are answered for now, so closing this issue.

D0LLYNH0 commented 1 year ago

> Do the emails received by hotmail/outlook contain an Authentication-Results header? Then a workaround would be to enable the reading of the header in the options https://github.com/lieser/dkim_verifier/wiki/Options#read-authentication-results-header.

Authentication-Results header exists, but results are not displayed. Am I missing something? A sample header:

Authentication-Results: spf=pass (sender IP is 161.38.206.214)
 smtp.mailfrom=n.glyph.net; dkim=pass (signature was verified)
 header.d=n.glyph.net;dmarc=pass action=none
 header.from=n.glyph.net;compauth=pass reason=100

lieser commented 1 year ago

@D0LLYNH0 The Authentication-Results header (ARH) you posted has multiple issues. Note that most errors reading the ARH are ignored, but you can see them in the Error Console.

  1. Missing authserv-id (https://www.rfc-editor.org/rfc/rfc8601.html#section-2.5), e.g. outlook.com; at the very beginning.
  2. In the included DMARC result the action=none is invalid. ARH allows including arbitrary properties, but they must be in the form of <ptype>.<property>, e.g. dmarc.action=none or in this case probably better policy.dmarc as this is a registered property for dmarc (https://www.iana.org/assignments/email-auth/email-auth.xhtml#email-auth-methods)

If all ARHs added by Outlook have this issue it explains the behavior you observe. If that is the case please open a separate issue to track this. If this is an ongoing issue of outlook.com I would be open to consider allowing at least (2) in the advanced relaxed parsing mode. But I think we should try to get outlook.com to fix at least (1), as the authserv-id is a very important part of the ARH.
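The two problems listed above can be checked mechanically. The following is an added example, not code from dkim_verifier: `lintArh` is a hypothetical helper doing a simplified structural check against RFC 8601, assuming non-nested comments and no quoted strings, and the corrected header is constructed for comparison.

```javascript
// Simplified structural check of an Authentication-Results header value
// (RFC 8601 section 2.2). Assumptions: comments are not nested and values
// contain no quoted strings. lintArh is a hypothetical helper name.
function lintArh(headerValue) {
  const problems = [];
  const segments = headerValue
    .replace(/\r?\n[ \t]+/g, " ")   // unfold continuation lines
    .replace(/\([^()]*\)/g, " ")    // drop (comments)
    .split(";")
    .map((s) => s.trim());

  // The first segment must be the authserv-id, not a method=result pair.
  const first = segments[0] ?? "";
  let results = segments.slice(1);
  if (first === "" || first.includes("=")) {
    problems.push("missing authserv-id");
    results = segments;             // everything is result info
  }
  for (const resinfo of results.filter((s) => s !== "")) {
    if (resinfo === "none") continue; // "no-result" form
    const [methodspec, ...rest] = resinfo.split(/\s+/);
    const method = methodspec.split("=")[0];
    if (!/^[A-Za-z][A-Za-z0-9-]*(\/\d+)?=[A-Za-z]+$/.test(methodspec)) {
      problems.push(`invalid method result: ${methodspec}`);
    }
    for (const token of rest) {
      if (/^reason=/.test(token)) continue;                            // reasonspec
      if (/^[A-Za-z][A-Za-z0-9-]*\.[^=\s]+=.+$/.test(token)) continue; // ptype.property=value
      problems.push(`${method}: property not in <ptype>.<property> form: ${token}`);
    }
  }
  return problems;
}

// Header value as posted in this thread.
const asPosted = [
  "spf=pass (sender IP is 161.38.206.214)",
  " smtp.mailfrom=n.glyph.net; dkim=pass (signature was verified)",
  " header.d=n.glyph.net;dmarc=pass action=none",
  " header.from=n.glyph.net;compauth=pass reason=100",
].join("\r\n");
// Constructed variant with an authserv-id and a registered DMARC property.
const corrected =
  "outlook.com; spf=pass smtp.mailfrom=n.glyph.net; dkim=pass header.d=n.glyph.net; " +
  "dmarc=pass policy.dmarc=none header.from=n.glyph.net; compauth=pass reason=100";

console.log(lintArh(asPosted), lintArh(corrected));
```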

D0LLYNH0 commented 1 year ago

@lieser, got it, thanks for the details.

> If all ARHs added by Outlook have this issue it explains the behavior you observe. If that is the case please open a separate issue to track this.

This behavior is seen in all my emails, I have emails saved from 2016, since then, they all have the same behavior (as is to be expected, outlook.com also makes changes to emails already received), all have the same pattern.

monperrus commented 9 months ago

I notice that most of the outlook emails are DKIM invalid (modified email).

> The easiest way is to send a single email with the recipient being both your hotmail/outlook emails and your google account

Did that with a simple HTML email, but DKIM is correct on both sides.

Which feature in the email triggers the modification by the Outlook servers?

thanks!

monperrus commented 9 months ago

Got the answer.

Plain-text emails are not modified (Content-Type: text/plain; charset=UTF-8; format=flowed)

HTML mails are modified by the outlook servers, breaking the signature. Here is the diff

< This is a multi-part message in MIME format.
120,124c184,185
< <!DOCTYPE html>
< <html>
<   <head>
< 
<     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
---
> <!DOCTYPE html><html><head>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
127,129c188
<     here is a link <a
<       href="https://github.com/lieser/dkim_verifier/issues/300"
<       class="moz-txt-link-freetext">https://github.com/lieser/dkim_verifier/issues/300</a><br>
---
>     here is a link <a href="https://github.com/lieser/dkim_verifier/issues/300" class="moz-txt-link-freetext">https://github.com/lieser/dkim_verifier/issues/300</a><br>

How to report the bug to Microsoft?
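Why a pure re-wrapping of HTML like the diff above produces "E-Mail was modified", and why that check fails before any key is used, can be reproduced with the body hash alone. This is an added example, not part of the thread or of dkim_verifier; it assumes relaxed body canonicalization (RFC 6376 section 3.4.4) with SHA-256, and the sample bodies are constructed from the diff.

```javascript
const { createHash } = require("node:crypto");

// RFC 6376 section 3.4.4 "relaxed" body canonicalization.
// Assumption: bare LF is accepted as a line ending to keep samples readable.
function canonicalizeBodyRelaxed(body) {
  const lines = body.split(/\r?\n/).map((line) =>
    line.replace(/[ \t]+/g, " ")   // collapse runs of WSP to a single SP
        .replace(/ $/, ""));       // ignore whitespace at end of line
  while (lines.length && lines[lines.length - 1] === "") lines.pop(); // trailing empty lines
  return lines.length ? lines.join("\r\n") + "\r\n" : "";
}

// Value a verifier compares against the bh= tag (SHA-256 assumed).
function bodyHash(body) {
  return createHash("sha256").update(canonicalizeBodyRelaxed(body), "utf8").digest("base64");
}

// Constructed sample: the link as the sending client wrapped it.
const asSigned = [
  "    here is a link <a",
  '      href="https://github.com/lieser/dkim_verifier/issues/300"',
  '      class="moz-txt-link-freetext">https://github.com/lieser/dkim_verifier/issues/300</a><br>',
  "",
].join("\r\n");

// Constructed sample: same markup after the folded tag was joined onto one line.
const asDelivered =
  '    here is a link <a href="https://github.com/lieser/dkim_verifier/issues/300" ' +
  'class="moz-txt-link-freetext">https://github.com/lieser/dkim_verifier/issues/300</a><br>\r\n';

// Whitespace-only change that relaxed canonicalization is meant to absorb.
const trailingSpaces = asSigned.replace(/\r\n/g, "  \r\n") + "\r\n\r\n";

function compare() {
  const bh = bodyHash(asSigned); // what the signer would have put into bh=
  return {
    trailingWhitespaceOk: bodyHash(trailingSpaces) === bh,
    reflowedHtmlOk: bodyHash(asDelivered) === bh,
  };
}

console.log(compare());
```

Relaxed canonicalization only normalizes whitespace within a line and at the end of the body; line breaks are part of the hashed data, so joining the folded tag changes the hash.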

lieser commented 9 months ago

> How to report the bug to Microsoft?

Good question I would love to know the answer for.

Note that last week I reported the issue about Outlook writing invalid Authentication-Results headers to Microsoft: https://answers.microsoft.com/en-us/outlook_com/forum/all/authentication-results-header-written-by-outlook/890b304c-3c81-48b6-b065-36fad3b551e4

No idea if that is the best location to reach someone at Microsoft who could influence Outlook changing its behavior. Let's wait and see.

You could write on the same site about Outlook modifying e-mails. Would not hurt letting them know that their behavior is causing problems for at least some of their customers (even if probably a very small percentage). But I would be (positively) surprised if Outlook would actually stop modifying e-mails anytime soon.

lieser commented 9 months ago

Microsoft support is asking some in my opinion unrelated questions, but would still be nice to be able to answer them. Could some of you who are affected please give me an answer?

The questions are:

  1. [...] May we know if you are using your email for personal use or business purposes? Also, if this is a personal email, please share to us your email domain.

I think for personal email they want to know if it is e.g. an @hotmail.com or @outlook.com e-mail.

  2. Since you are using Thunderbird mailing application, can we confirm if your email is set up as IMAP and POP3?

I don't see how that should matter, but would still like to be able to give an answer.

  3. Who is hosting your email domain?

Unsure what they want here. If someone has a better answer than Microsoft or a repetition of the email domain let me know.

  4. If you were to open the email from @hotmail.com or @outlook.com, on your webmail will issue persists?

Again don't see how that is relevant. But if the Web interface provides a way to view the email headers, would be nice to confirm that they have the same issue I described above (best post an example here).

monperrus commented 9 months ago

Tried with my work email which is based on Microsoft Exchange.

I confirm that the bug is also present, the email is modified and the DKIM integrity is broken.

monperrus commented 6 months ago

FTR posted on techcommunity.microsoft.com https://techcommunity.microsoft.com/t5/microsoft-365/dkim-verification-broken-on-outlook-365-exchange-because-of/m-p/4064180#M51766

real-yfprojects commented 4 months ago

I use @outlook.com and IMAP. Header information from outlook.live.com:

Authentication-Results: spf=pass (sender IP is 212.227.15.19)
 smtp.mailfrom=gmx.de; dkim=pass (signature was verified)
 header.d=gmx.de;dmarc=pass action=none header.from=gmx.de;compauth=pass
 reason=100