trusteddomainproject / OpenDKIM


ares_parse() fails on outlook.com/alum.mit.edu added header #73

Open mdomsch opened 4 years ago

mdomsch commented 4 years ago

opendkim 2.11.0-Beta2 reports in maillog: failed to parse Authentication-Results: header field

I patched it to include the offending header content in the syslog to find it:

Authentication-Results: spf=pass (sender IP is 209.85.219.172)#012 smtp.mailfrom=example.org; alum.mit.edu; dkim=pass (signature was verified)#012 header.d=example.org;alum.mit.edu; dmarc=pass action=none#012 header.from=example.org;compauth=pass reason=100

This header is being added by MX alum-mit-edu.mail.protection.outlook.com which receives mail on behalf of the MIT alum.mit.edu email forwarding service, before forwarding on to the true destination address. At that true destination, opendkim reports its inability to parse this header.

When mail is sent directly from example.org to the true destination address (not going through the alum.mit.edu forwarder), the above header is not added, and opendkim works as expected.

mdomsch commented 4 years ago

The mail is being received for alum.mit.edu by Office365, which adds the malformed AR header, and keeps it there when forwarded to its final destination.

martinbogo commented 4 years ago

@mskucherawy and I will review.

mdomsch commented 4 years ago

It fails because outlook.com/Office 365 is not including its own host name as the first item in the header, as it should. I don't know why that is, but when I see the message delivered also into the outlook.com mailbox, it has the added AR header without the host name as the first item.

mdomsch commented 4 years ago

https://github.com/jstedfast/MimeKit/issues/490 notes the same problem.

mdomsch commented 4 years ago

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/email-validation-and-authentication?view=o365-worldwide describes their creation of the header. No authserv-id is ever shown.

mikenor commented 3 years ago

This looks like a duplicate of #48.

kenfc commented 2 years ago

OpenDKIM header read failures with emails from Microsoft services have been a problem for me for a very long time.

I keep hoping to see a project update or at least a patch for the issue. But to be honest, I'm beginning to wonder if the project has been abandoned.

maxfieb commented 2 years ago

This happens with all o365 signed emails. They omit the ADMD on DKIM signatures. Arbitrary example:

Authentication-Results: compauth=<fail | pass | softpass | none> reason=

OpenDKIM only understands AR headers with the ADMD; in place. For DKIM the ADMD seems optional out in the world.

Authentication-Results: thefunkychecken.com; compauth=<fail | pass | softpass | none> reason=

It's a bit hard to follow, but it seems like the parser in opendkim-ar.c assumes there will always be an ADMD present.

Google etc., accept the Authentication-Results from o365 without an error, as do o365 instances.

For DKIM at least, it seems like the starting "something;" token(s) after the header name should be optional.
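
Added example, not part of the thread and not OpenDKIM's code: RFC 8601 makes the authserv-id mandatory, so a consumer can tell "authserv-id missing" apart from "unparseable" and treat the former as an unattributed header whose results are not trusted, instead of logging a parse failure. The function name `ar_first_token` and its return codes are assumptions of this sketch; quoted-strings are not handled, and the sample values are shortened from the headers quoted above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify the first ';'-delimited token of an Authentication-Results value.
 * Returns 1 and copies the authserv-id into out when one is present,
 * 0 when the token is already a method=result pair (authserv-id missing),
 * -1 when the value is empty, has unbalanced comments or does not fit in out. */
int ar_first_token(const char *v, char *out, size_t outlen)
{
    size_t n = 0;
    int depth = 0, seen_eq = 0, ended = 0;

    for (; *v != '\0'; v++) {
        if (depth > 0 && *v == '\\' && v[1] != '\0') { v++; continue; } /* quoted-pair */
        if (*v == '(') { depth++; continue; }            /* RFC 5322 comment opens */
        if (*v == ')') { if (--depth < 0) return -1; ended = (n > 0); continue; }
        if (depth > 0) continue;                         /* skip comment text */
        if (*v == ';') break;                            /* end of first token */
        if (isspace((unsigned char)*v)) { ended = (n > 0); continue; }
        if (*v == '=') seen_eq = 1;                      /* looks like method=result */
        if (!ended) {                                    /* keep the first word only */
            if (n + 1 >= outlen) return -1;
            out[n++] = *v;
        }
    }
    if (depth != 0 || n == 0) return -1;
    out[n] = '\0';
    if (seen_eq) { out[0] = '\0'; return 0; }            /* no authserv-id: do not trust */
    return 1;
}

int main(void)
{
    /* Constructed from the headers quoted in the thread; "\n " is the folded line (#012). */
    const char *samples[] = {
        "spf=pass (sender IP is 209.85.219.172)\n smtp.mailfrom=example.org; alum.mit.edu; dkim=pass",
        "thefunkychecken.com; compauth=pass reason=100",
    };
    char id[256];

    for (size_t i = 0; i < 2; i++) {
        int rc = ar_first_token(samples[i], id, sizeof id);
        printf("%d: rc=%d authserv-id=\"%s\"\n", (int)i, rc, rc == 1 ? id : "");
    }
    return 0;
}
```

A caller would compare the returned authserv-id against its own list of trusted ADMDs and ignore the header's results on any other return value.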