lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

Sender colored as “unsigned email” for a signed email if DNS lookup failed #72

Closed progval closed 8 years ago

progval commented 8 years ago

When I receive a signed email to myself with a DKIM signature, the sender is sometimes colored as if the email was not signed.

The debug output is:

2016-07-27 10:52:07     DKIM_Verifier.JSDNS     CONFIG  changed DNS Servers to : [{server:"8.8.8.8", alive:true}]

2016-07-27 10:52:07     DKIM_Verifier.JSDNS     CONFIG  Got servers from resolv.conf: [{server:"192.168.1.1", alive:true}]

2016-07-27 10:52:07     DKIM_Verifier.JSDNS     CONFIG  changed DNS Servers to : [{server:"192.168.1.1", alive:true}, {server:"8.8.8.8", alive:true}]

2016-07-27 10:52:07     DKIM_Verifier.JSDNS     INFO    Resolving _dmarc.progval.net TXT by querying 192.168.1.1

2016-07-27 10:52:08     DKIM_Verifier.JSDNS     DEBUG   Resolving _dmarc.progval.net/TXT: DNS server 192.168.1.1 refused a TCP connection.

2016-07-27 10:52:08     DKIM_Verifier.JSDNS     INFO    Resolving _dmarc.progval.net TXT by querying 8.8.8.8

2016-07-27 10:52:08     DKIM_Verifier.JSDNS     DEBUG   _dmarc.progval.net/TXT: Answer: v=DMARC1; p=none

2016-07-27 10:52:08     DKIM_Verifier.DNSWrapper        DEBUG   result: ({data:["v=DMARC1; p=none"], rcode:0, secure:false, bogus:false})

2016-07-27 10:52:08     DKIM_Verifier.DMARC     DEBUG   DMARCPolicy: ({adkim:"r", pct:100, p:"none", domain:"progval.net", source:"progval.net"})

2016-07-27 10:52:08     DKIM_Verifier.Policy    DEBUG   shouldBeSigned: true; sdid: progval.net; hideFail: false; foundRule: false

2016-07-27 10:52:08     DKIM_Verifier.Verifier  DEBUG   1 DKIM-Signatures found.

2016-07-27 10:52:08     DKIM_Verifier.Verifier  DEBUG   Verifying DKIM-Signature 1 ...

2016-07-27 10:52:08     DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Signature 1: ({original_header:"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=progval.net; s=mail;\r\n\tt=1469609198; bh=2USFFdTVwUR+DjlKNuY6dl17V3x+bI9dKvohrzUlgq0=;\r\n\th=To:From:Subject:Date:From;\r\n\tb=jyWeRxVjZqcKLjtrf00ibreYnSQBhtolrPQ1iBP5CPAvIW5f+TheNEykHEEeYZ+jP\r\n\t 1cG4t9dcVZx2OI5h+/pG1koMarb/t4SQ9oPilLwa0jnvDESYgYf4Ae4C/UR46DEV84\r\n\t Abjw2ldJy1sq1RV3Hyp3ni556ttdOAddh1ufeT/U=\r\n", warnings:[], v:"1", a_sig:"rsa", a_hash:"sha256", b:"jyWeRxVjZqcKLjtrf00ibreYnSQBhtolrPQ1iBP5CPAvIW5f+TheNEykHEEeYZ+jP1cG4t9dcVZx2OI5h+/pG1koMarb/t4SQ9oPilLwa0jnvDESYgYf4Ae4C/UR46DEV84Abjw2ldJy1sq1RV3Hyp3ni556ttdOAddh1ufeT/U=", b_folded:"jyWeRxVjZqcKLjtrf00ibreYnSQBhtolrPQ1iBP5CPAvIW5f+TheNEykHEEeYZ+jP\r\n\t 1cG4t9dcVZx2OI5h+/pG1koMarb/t4SQ9oPilLwa0jnvDESYgYf4Ae4C/UR46DEV84\r\n\t Abjw2ldJy1sq1RV3Hyp3ni556ttdOAddh1ufeT/U=", bh:"2USFFdTVwUR+DjlKNuY6dl17V3x+bI9dKvohrzUlgq0=", c_header:"simple", c_body:"simple", d:"progval.net", h:"To:From:Subject:Date:From", h_array:["to", "from", "subject", "date", "from"], i:"@progval.net", i_domain:"progval.net", l:null, q:"dns/txt", s:"mail", t:1469609198, x:null, z:null})

2016-07-27 10:52:08     DKIM_Verifier.Verifier  DEBUG   computed body hash: 2USFFdTVwUR+DjlKNuY6dl17V3x+bI9dKvohrzUlgq0=

2016-07-27 10:52:08     DKIM_Verifier.JSDNS     INFO    Resolving mail._domainkey.progval.net TXT by querying 8.8.8.8

2016-07-27 10:52:13     DKIM_Verifier.JSDNS     DEBUG   mail._domainkey.progval.net/TXT: No answer, no authority to recurse on.  DNS lookup failed.

2016-07-27 10:52:13     DKIM_Verifier.DNSWrapper        DEBUG   result: ({data:null, rcode:0, secure:false, bogus:false})

2016-07-27 10:52:13     DKIM_Verifier.Verifier  WARN    DKIM_SIGERROR_NOKEY: DKIM Signature Error: No DKIM key found in DNS server (resource://dkim_verifier/helper.jsm:1:27) JS Stack trace: getKeyFromDNS/promise<@dkimKey.jsm:318:1

2016-07-27 10:52:13     DKIM_Verifier.Verifier  DEBUG   Exception on DKIM-Signature 1

I believe the color should at least indicate “Temporary error”.

lieser commented 8 years ago

The DNS lookup is probably failing because of a server error. But the default DNS resolver currently does not consider the reason why an answer does not contain a result. Because of this, the server error is incorrectly treated as if the DKIM key does not exist, which is a permanent error.

I will probably add this differentiation in the next release. Until then, you could try one of the following workarounds:

progval commented 8 years ago

I switched to libunbound. The sender email is still of the “unsigned mail” color, but the console output changed to:

2016-07-27 17:59:49     DKIM_Verifier.libunbound        DEBUG   libunboundWorker: data: v=DMARC1; p=none

2016-07-27 17:59:49     DKIM_Verifier.libunbound        DEBUG   libunboundWorker: qname: _dmarc.progval.net, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined

2016-07-27 17:59:49     DKIM_Verifier.DNSWrapper        DEBUG   result: ({data:["v=DMARC1; p=none"], rcode:0, secure:false, bogus:false})

2016-07-27 17:59:49     DKIM_Verifier.DMARC     DEBUG   DMARCPolicy: ({adkim:"r", pct:100, p:"none", domain:"progval.net", source:"progval.net"})

2016-07-27 17:59:49     DKIM_Verifier.Policy    DEBUG   shouldBeSigned: true; sdid: progval.net; hideFail: false; foundRule: false

2016-07-27 17:59:49     DKIM_Verifier.Verifier  DEBUG   1 DKIM-Signatures found.

2016-07-27 17:59:49     DKIM_Verifier.Verifier  DEBUG   Verifying DKIM-Signature 1 ...

2016-07-27 17:59:49     DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Signature 1: ({original_header:"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=progval.net; s=mail;\r\n\tt=1469609153; bh=iAyn0DGaYTuOWJ9YlAhxbwijRNyYrMjnX4buVaXGLxE=;\r\n\th=Subject:To:References:From:Date:In-Reply-To:From;\r\n\tb=hVbiz75T2KRw/z1e6lKMgDh7bxRVXOhuFukhitY7TlybXiTk/JRUUjYfPbnW2l2q5\r\n\t IK9fUR+svhJPGfTEREVeVU/J/7tnb8KPnbNf71SNaVFafaGSvLeNQ0b7pfCNTmKhDv\r\n\t jlx1Dzh52BvhkbVEpN4mEbOz34lJHjdWpKo6P4qU=\r\n", warnings:[], v:"1", a_sig:"rsa", a_hash:"sha256", b:"hVbiz75T2KRw/z1e6lKMgDh7bxRVXOhuFukhitY7TlybXiTk/JRUUjYfPbnW2l2q5IK9fUR+svhJPGfTEREVeVU/J/7tnb8KPnbNf71SNaVFafaGSvLeNQ0b7pfCNTmKhDvjlx1Dzh52BvhkbVEpN4mEbOz34lJHjdWpKo6P4qU=", b_folded:"hVbiz75T2KRw/z1e6lKMgDh7bxRVXOhuFukhitY7TlybXiTk/JRUUjYfPbnW2l2q5\r\n\t IK9fUR+svhJPGfTEREVeVU/J/7tnb8KPnbNf71SNaVFafaGSvLeNQ0b7pfCNTmKhDv\r\n\t jlx1Dzh52BvhkbVEpN4mEbOz34lJHjdWpKo6P4qU=", bh:"iAyn0DGaYTuOWJ9YlAhxbwijRNyYrMjnX4buVaXGLxE=", c_header:"simple", c_body:"simple", d:"progval.net", h:"Subject:To:References:From:Date:In-Reply-To:From", h_array:["subject", "to", "references", "from", "date", "in-reply-to", "from"], i:"@progval.net", i_domain:"progval.net", l:null, q:"dns/txt", s:"mail", t:1469609153, x:null, z:null})

2016-07-27 17:59:49     DKIM_Verifier.Verifier  DEBUG   computed body hash: iAyn0DGaYTuOWJ9YlAhxbwijRNyYrMjnX4buVaXGLxE=

2016-07-27 17:59:49     DKIM_Verifier.libunbound        DEBUG   libunboundWorker: data: v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCzsnKTj5jTLsOxR50gn71y1B0yKFuS0jHkdbeMYLF4ZbJgVjvAyv6XQi5H1qpZdgl4EgIb5E8svKKqi+f5VwXX/VtB14nCcEpB0rTBlYSQaExyBkFOCxRRw4LAaAbVS4XE1c1jKksNj75eZnJFpfnB9y1N0KsMCDCuXPxcmL/qQIDAQAB

2016-07-27 17:59:49     DKIM_Verifier.libunbound        DEBUG   libunboundWorker: qname: mail._domainkey.progval.net, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined

2016-07-27 17:59:49     DKIM_Verifier.DNSWrapper        DEBUG   result: ({data:["v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCzsnKTj5jTLsOxR50gn71y1B0yKFuS0jHkdbeMYLF4ZbJgVjvAyv6XQi5H1qpZdgl4EgIb5E8svKKqi+f5VwXX/VtB14nCcEpB0rTBlYSQaExyBkFOCxRRw4LAaAbVS4XE1c1jKksNj75eZnJFpfnB9y1N0KsMCDCuXPxcmL/qQIDAQAB"], rcode:0, secure:false, bogus:false})

2016-07-27 17:59:49     DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Key: ({v:"DKIM1", h:null, h_array:null, k:"rsa", n:null, p:"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCzsnKTj5jTLsOxR50gn71y1B0yKFuS0jHkdbeMYLF4ZbJgVjvAyv6XQi5H1qpZdgl4EgIb5E8svKKqi+f5VwXX/VtB14nCcEpB0rTBlYSQaExyBkFOCxRRw4LAaAbVS4XE1c1jKksNj75eZnJFpfnB9y1N0KsMCDCuXPxcmL/qQIDAQAB", s:"*", t:"y", t_array:["y"]})

2016-07-27 17:59:49     DKIM_Verifier.Verifier  WARN    DKIM_SIGERROR_KEY_TESTMODE: DKIM Signature Error: The signing domain is only testing DKIM (resource://dkim_verifier/helper.jsm:1:27) JS Stack trace: verifySignature@dkimVerifier.jsm:1047:1

2016-07-27 17:59:49     DKIM_Verifier.Verifier  DEBUG   Exception on DKIM-Signature 1

lieser commented 8 years ago

Ok, my bad, misread your original post. The issue I talked about in my response should be unrelated to your problem (will split it into a different issue).

Note that temporary errors are by default colored in the same way as unsigned e-mails. But as both errors shown in the debug output (DKIM_SIGERROR_NOKEY and DKIM_SIGERROR_KEY_TESTMODE) are handled as permanent errors, and are therefore colored as an invalid signature, they should still be highlighted (by default in a red color).

Does the coloring work for a valid signature?

progval commented 8 years ago

> that temporary errors are by default colored in the same way as unsigned e-mails.

I changed the default

> Does the coloring work for a valid signature?

It works for some of them.

lieser commented 8 years ago

> > Does the coloring work for a valid signature?

> It works for some of them.

Meaning it does not work for all? In that case, can you see a pattern for which e-mails it works and for which it doesn't?

Do you have other add-ons installed which change the looks of the e-mail header?

If it is not already, can you please set the Thunderbird preference javascript.options.showInConsole to true, and post the errors shown in the error console?

progval commented 8 years ago

> Meaning it does not work for all?

Yes.

> In that case, can you see a pattern for which e-mails it works and for which it doesn't?

I don't know what kind of pattern to look for, I don't know much about how DKIM works.

> Do you have other add-ons installed which change the looks of the e-mail header?

Enigmail (but I only tried with unsigned and plaintext mails), “Display Mail User Agent”, and Iceowl.

> If it is not already, can you please set the Thunderbird preference javascript.options.showInConsole to true,

It's already set to true (the default).

> and post the errors shown in the error console?

Are you interested in errors in chrome://messenger/content/folderPane.js? That's all I can find in the error console that is not present in the logs above.

progval commented 8 years ago

If you want, I can send you an email that is not validated.

lieser commented 8 years ago

> Are you interested in errors in chrome://messenger/content/folderPane.js? That's all I can find in the error console that is not present in the logs above.

If they appear directly after the verification, then yes.

> If you want, I can send you an email that is not validated.

If an e-mail is always affected by the problem, then yes (to lieser+dkim@posteo.net).

progval commented 8 years ago

> If they appear directly after the verification, then yes.

Actually, they appear just before.

First there is this one, eight times:

Timestamp: 07/27/16 21:05:20
Error: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgFolder.getStringProperty]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://messenger/content/folderPane.js :: getSmartFolderName :: line 2780"  data: no]
Source File: chrome://messenger/content/folderPane.js
Line: 2782

Then this one, twice:

Timestamp: 07/27/16 21:06:28
Error: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIMsgFolder.getStringProperty]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: chrome://messenger/content/folderPane.js :: getSmartFolderName :: line 2780"  data: no]
Source File: chrome://messenger/content/folderPane.js
Line: 2782

Then the first one, eight times.

Then the second one, twice.

Then the first one, twice.

lieser commented 8 years ago

As far as I can see, the errors are unrelated.

I could not reproduce the problem with the e-mail you sent me. Could you please send me an affected e-mail as a saved .eml file? This ensures that I try it with the exact same e-mail, instead of with just a similar one.

Have you already tried if you can reproduce the problem with a clean profile?

progval commented 8 years ago

> I could not reproduce the problem with the e-mail you sent me. Could you please send me an affected e-mail as a saved .eml file? This ensures that I try it with the exact same e-mail, instead of with just a similar one.

Actually, none of the mails I send to myself (or a different address I own) are validated. So I don't think that would be relevant. I'll send you a .eml anyway.

> Have you already tried if you can reproduce the problem with a clean profile?

I did just now. Same issue.

lieser commented 8 years ago

I must apologize, I totally forgot an important detail about the DKIM_SIGERROR_KEY_TESTMODE error. E-mails signed by a domain which is only testing DKIM (like your domain does) are by default treated like unsigned messages. To change this behavior, you need to change an advanced preference.

This only leaves the DKIM_SIGERROR_NOKEY error from your initial post. This should still have been shown as an error, and colored accordingly.
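
The two outcomes discussed in this thread (a DNS failure that should not be read as a missing key, and a key record carrying `t=y`) can be told apart before any signature check. This is an added example, not part of the thread and not dkim_verifier's code: the function names and status strings are hypothetical, the input mirrors the `{data, rcode}` result shape from the logs, and the sample records are constructed.

```javascript
// Added example; names here are hypothetical, not dkim_verifier's API.
// Standard DNS response codes relevant to a key lookup.
const RCODE = { NOERROR: 0, SERVFAIL: 2, NXDOMAIN: 3 };

// Parse a DKIM key record ("v=DKIM1; k=rsa; t=y; p=...") into a tag map.
function parseKeyRecord(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const eq = part.indexOf("="); // split on the first "=" only (base64 padding)
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return tags;
}

// Classify a key lookup result of the shape { data: string[]|null, rcode }.
function classifyKeyLookup(result) {
  const { data, rcode } = result;
  // Resolver trouble (SERVFAIL, REFUSED, ...) says nothing about the key.
  if (rcode !== RCODE.NOERROR && rcode !== RCODE.NXDOMAIN) {
    return { status: "TEMPFAIL", reason: "dns_error" };
  }
  // NXDOMAIN, or NOERROR with no TXT data: the key really is absent.
  if (rcode === RCODE.NXDOMAIN || !data || data.length === 0) {
    return { status: "PERMFAIL", reason: "no_key" };
  }
  const key = parseKeyRecord(data[0]); // first TXT record
  // An empty p= tag means the key has been revoked (RFC 6376).
  if (key.p === "") return { status: "PERMFAIL", reason: "key_revoked" };
  const flags = (key.t || "").split(":").map((f) => f.trim());
  // t=y: the domain is testing DKIM; RFC 6376 says treat as unsigned mail.
  if (flags.includes("y")) return { status: "UNSIGNED", reason: "key_testmode" };
  return { status: "KEY_OK", reason: null, key };
}

// Constructed sample results (p= values are placeholders, not real keys).
const samples = [
  { data: null, rcode: RCODE.SERVFAIL },
  { data: null, rcode: RCODE.NXDOMAIN },
  { data: ["v=DKIM1; k=rsa; t=y; p=QUJD"], rcode: RCODE.NOERROR },
];
for (const s of samples) console.log(s.rcode, classifyKeyLookup(s).status);
```

The classification is only as good as the `rcode` the resolver reports: a failed lookup returned as `rcode: 0` with `data: null`, like the JSDNS result in the first log, is still read as "no key".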

progval commented 8 years ago

Oh, I did not know about that mode! I should have looked more carefully at the meaning of the things I copy-paste into my config. It works now, thanks!

(Great extension, by the way)

lieser commented 8 years ago

Nice to hear that it now works without a problem. Can you still reproduce the problem from your initial post (DKIM_SIGERROR_NOKEY error not correctly colored)? Otherwise I will consider this issue as closed.

progval commented 8 years ago

No.