lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

DKIM Verifier may provide incorrect test result #389

Closed Oktonaut closed 1 year ago

Oktonaut commented 1 year ago

The Thunderbird add-on complains that the signature is invalid for messages sent by a PHP script via SMTP. However, the online test at https://www.appmaildev.com/en/dkim does not return any errors (DKIM result: pass)!

It would also be nice if you could display a somewhat more detailed test result, for example via a context menu.

lieser commented 1 year ago

You can enable more detailed error reasons in the advanced options. See https://github.com/lieser/dkim_verifier/wiki/Options#show-detailed-error-reasons.

But if it is really that the signature itself is invalid, the add-on will never be able to tell why. You would need to have the original and unmodified e-mail and compare them with the received one to see what changed.

Note that there are some e-mail providers known to have problems with this: https://github.com/lieser/dkim_verifier/wiki/FAQ#all-or-almost-all-e-mails-with-dkim-signature-are-failing-with-the-same-error

Oktonaut commented 1 year ago

I was able to reproduce the error. It seems to be due to non-encoded umlauts in the header for To or From. Here it returns "Invalid (signature wrong)".

If you check the same mail at appmaildev.com or mxtoolbox.com, however, this is not objected to and the check result is positive.

If the fields in the header are transferred in accordance with RFC, the result of the signature check is also valid.

Instead of invalid signature, it would be better to display valid with warning: "To/From incorrectly formatted"! After all, the signature should be correct, since it was calculated with the incorrect header, wasn't it?

P.S. I activated "Show detailed error reasons" and "lock after the SDID", but the view remains unchanged for me!?

lieser commented 1 year ago

This is a problem outside the scope of the addon:

The best solution would probably be to change the script to send e-mails in an encoding that servers don't want to "fix".

Instead of invalid signature, it would be better to display valid with warning: "To/From incorrectly formatted"!

This is however not information the add-on has or can easily get! Multiple headers are signed, and if only a single bit changes the signature is invalid, with no information provided about what changed.

The only way to tell is to luckily guess what changed, revert it, and see if that fixes the signature. Doing this is however way out of scope for the add-on.

I activated "Show detailed error reasons" and "lock after the SDID", but the view remains unchanged for me!?

The Show detailed error reasons option will only show more information if the add-on can provide more. An example would be an ill-formatted signature. Normally the add-on would only say that the signature is ill-formed. With the option enabled it would go into more detail which part is ill-formed.

But like I said, verifying a signature with a changed input does not give you any more information than the signature being invalid for the given input.
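The following added example (not code from the dkim_verifier add-on) illustrates the point made in this thread: a verifier recomputes the signed header block from the message it received, so a relay that "repairs" a raw UTF-8 display name in From into an RFC 2047 encoded-word changes the signed input and the signature fails, while a message whose display name was already encoded before signing passes through unchanged. It implements RFC 6376 "relaxed" header canonicalization and the bottom-up header selection for the h= tag, but the real RSA/Ed25519 signature and the body hash are stood in for by an HMAC with a constructed key (`DEMO_KEY`), and `relay_rewrite` is an assumption about what such a "fixing" server does; the headers are constructed sample data.

```python
"""Why a relay that re-encodes a raw-UTF-8 From/To header breaks a DKIM signature.

Added illustration for this issue, not code from the dkim_verifier add-on.
Relaxed header canonicalization and h= selection follow RFC 6376; the
signature itself is simulated with an HMAC over a constructed key.
"""
import hashlib
import hmac
import re
from email.utils import formataddr, parseaddr

# Assumption: stands in for the signer's private key (a real DKIM signature is
# RSA or Ed25519 over the same canonicalized input, see RFC 6376 section 3.7).
DEMO_KEY = b"constructed-demo-key-not-a-real-dkim-key"


def canonicalize_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2: lowercase the field name, unfold, collapse
    runs of whitespace to one space, strip leading/trailing whitespace."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse WSP
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers, signed_names):
    """Select the headers listed in h= the way a verifier does (RFC 6376
    section 5.4.2): for each listed name, the last not-yet-used instance."""
    remaining = list(headers)
    out = []
    for wanted in signed_names:
        for i in range(len(remaining) - 1, -1, -1):
            name, value = remaining[i]
            if name.lower() == wanted.lower():
                out.append(canonicalize_header_relaxed(name, value))
                del remaining[i]
                break
        # a listed name with no remaining instance contributes nothing
    return "".join(out)


def sign_headers(headers, signed_names) -> str:
    data = signed_header_block(headers, signed_names).encode("utf-8")
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()


def verify_headers(headers, signed_names, signature: str) -> bool:
    # The verifier only learns "matches" or "does not match"; nothing in the
    # comparison tells it which header was altered on the way.
    return hmac.compare_digest(sign_headers(headers, signed_names), signature)


def relay_rewrite(headers):
    """Assumed behaviour of a server that 'repairs' non-ASCII From/To headers:
    the display name is turned into an RFC 2047 encoded-word; ASCII-only
    headers are left alone."""
    fixed = []
    for name, value in headers:
        if name.lower() in ("from", "to") and not value.isascii():
            display, addr = parseaddr(value)
            value = formataddr((display, addr))   # utf-8 encoded-word for the name
        fixed.append((name, value))
    return fixed


SIGNED = ["From", "To", "Subject", "Date"]

# Constructed sample headers, as a script might emit them: raw umlaut in From.
RAW_HEADERS = [
    ("From", "Max Müller <max@example.com>"),
    ("To", "Erika Mustermann <erika@example.net>"),
    ("Subject", "Test"),
    ("Date", "Mon, 01 Jan 2024 10:00:00 +0000"),
]

# Same constructed message with the display name encoded before signing.
SAFE_HEADERS = [("From", formataddr(("Max Müller", "max@example.com")))] + RAW_HEADERS[1:]


def demo():
    """Sign, pass through the simulated relay, verify; returns the outcomes."""
    raw_sig = sign_headers(RAW_HEADERS, SIGNED)
    safe_sig = sign_headers(SAFE_HEADERS, SIGNED)
    return {
        "raw_before_relay": verify_headers(RAW_HEADERS, SIGNED, raw_sig),
        "raw_after_relay": verify_headers(relay_rewrite(RAW_HEADERS), SIGNED, raw_sig),
        "safe_after_relay": verify_headers(relay_rewrite(SAFE_HEADERS), SIGNED, safe_sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'fail (signature wrong)'}")
```

The `raw_after_relay` case is the one this issue describes: the only thing a verifier can report is that the recomputed value no longer matches, which is why the add-on cannot turn it into a "valid with warning" result. The `safe_after_relay` case is the sender-side fix lieser suggests, encoding the header in a form the relay has no reason to touch.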

Oktonaut commented 1 year ago

@lieser Thank you for your detailed reply. This of course makes it clear that the signature has really been invalidated and that the receiving server is responsible for this. Unfortunately, if the server does not transmit its own correction, the error cannot be displayed... It's a shame but it's not a mistake with this great add-on!

lieser commented 1 year ago

Sounds like your questions are answered now, so I will close this. Feel free to reopen if there is still something unclear.

Like I already said, if you are in control of sending the message, the best you can do is try to find a format that is accepted by all e-mail servers without it being changed.

For the receiving side, one can enable the reading of the Authentication-Results header. Most servers that change e-mails do so at least after they themselves validated the DKIM signature.