DKIM signature fails with attachment

[arnaudpoullet]

Hi, first of all thank you for your work.

It's been a few months now that I haven't been able to solve my problem even with the most recent PHPMailer. Sending an email without an attachment is always correctly done but I've never been able to have a valid signature when adding a PDF as attachment. I even tried the

instead of calling normalizeBreaks() i call SimpleBodyCanonicalization() at DKIM_BodyC

mentionned by gothge on 30/11/2017

Also I have seen there was an issue before with attachments that seemed to even having been tested but no luck on my side. Maybe I'm missing something? Even though I did read the recently added example.
By just removing the 2 lines that adds my attachment I get a correctly signed DKIM email.

<?php
require_once "vendor/PHPMailer/phpmailer/src/PHPMailer.php";
require_once "vendor/PHPMailer/phpmailer/src/Exception.php";
use PHPMailer\PHPMailer\PHPMailer;

function sendEmail($subject,$content,$email,$altBody,$orderRef4pdf=""){

    $emailObject = new PHPMailer();
    $emailObject->From      = 'info@website.com';
    $emailObject->FromName  = 'My Website';
    $emailObject->Subject   = $subject;
    //$email->Body      = $content;
    $emailObject->MsgHTML($content);
    $emailObject->IsHTML(true);
    $emailObject->CharSet="utf-8";

    //Replace the plain text body with one created manually
    $emailObject->AltBody = $altBody;
    $emailObject->addReplyTo('info@website.com', 'My Website');
    $emailObject->AddAddress($email);
    $emailObject->DKIM_domain='website.com';
    $emailObject->DKIM_private="dkim_private.pem";
    $emailObject->DKIM_selector = '000000000.website';
    $emailObject->DKIM_identity=$emailObject->From;
    $emailObject->DKIM_copyHeaderFields=false;


    //Add attachment
    $file_to_attach = 'invoices/invoice_'.$orderRef4pdf.'.pdf';
    $emailObject->AddAttachment( $file_to_attach , 'invoice_'.$orderRef4pdf.'.pdf' );

    return $emailObject->Send();
}

[XL-2000]

I have been using DKIM icw attachments without any problems.
Some settings which I see are different between my script and yours (and which you can try):

1. I dont use $emailObject->IsHTML(true); although I am sending HTML emails, try commenting this out
2. I use $emailObject->CharSet="utf-8"; BEFORE adding any content or attachment, so try moving it up
3. Check if your file location is correct and it exists. Try using a fully qualified path to make sure you are in the correct context
4. and use debugging and logging to provide us with more insights into what is happening

[timreeves]

I'm also having the problem that emails with attachments are failing the dkim checks.
I'm using debian 9 servers managed with Plesk Obsidian, for both sending and receiving mails (2 different servers). The SMTP service for PHPMailer is provided by a third (plesk debian) server.
At first all signing failed, using the Plesk 1024 bit keys. After much testing I finally moved to the 2048 bit keys and DNS records generated by the php code snippet provided here, and then it started working, dkim checks valid.
EXCEPT when attachments are present. Then various other instances say the signature is invalid:

• SpamAssassin (as configured by Plesk). I looked at /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm (1328 lines of Perl) hoping to understand its algorithm, but I don't know Perl )-:
• However Plesk configures Postfix to add the "Authentication-Results:" header (despite trying hard I could not find out how) the result there is also dkim=fail.
• Finally I installed the DKIM Verifier Addon for Thunderbird and set it to always do its own testing, and it also says Invalid, the email was modified.

DKIM Verifier for TB is JavaScript, I found this function in it:
function canonicalizationBodySimple(body) {
// Ignore all empty lines at the end of the message body
// If there is no body or no trailing CRLF on the message body, a CRLF is added
// for some reason /(\r\n)*$/ doesn't work all the time
// (especially in large strings; matching only last "\r\n")
body = body.replace(/((\r\n)+)?$/,"\r\n");

I assume we should compare that with:
public function DKIM_BodyC($body)
{
if (empty($body)) {
return self::CRLF;
}
// Normalize line endings to CRLF
$body = static::normalizeBreaks($body, self::CRLF);
//Reduce multiple trailing line breaks to a single one
return static::stripTrailingWSP($body) . self::CRLF;
}

But to be honest I'm running out of steam having spent 2 days on this topic, and not at all sure that I have quoted relevant code above, mayhap the problem is elsewhere. But I hope I can trigger some help / feedback.

And of course, many thanks to all involved in PHPMailer!

Tim

[timreeves]

I now also tested the email with https://dkimvalidator.com/ - same result, fail, body has been altered.

[Synchro]

@timreeves are you using 6.1.5?

[timreeves]

@Synchro wow you are quick! No, 6.1.4 - but I only picked it up from Github a few days ago, is there a new version already?

[Synchro]

I released it just a few days ago, and there are quite a lot of DKIM changes in it. See release notes.

[timreeves]

I fetched 6.1.5, restarted FPM to be sure no php in cache, and tried it again - unfortunately no, still failing with attachments. If you tell me exactly what you need I can upload files / excerpts. Thanks!

[timreeves]

I have now tested 6.1.5 with HTML and Plain Text bodies, without attachment, the signature is valid. I will proceed with my PHPMailer Wrapper suppressing signing when an attachment is present. It's not great, but I can move on.
Kopie Ihrer Buchungsanfrage an Biblische Reisen Deutschland - Buchungsanfragen OHNE ANHANG.txt
Kopie Ihrer Buchungsanfrage an Biblische Reisen Deutschland - Buchungsanfragen.txt
I have attached the last 2 form submission emails (renaming .eml to .txt), the first one "OHNE ANHANG" is multipart but has no attachments and is judged valid, the other one with attachments is judged invalid. Hope this helps!

[oom-]

To add an AltBody make the DKIM fail too, I suppose that it's linked

[Synchro]

As you will have no doubt noticed, testing DKIM is quite difficult, time consuming, and largely depends on using external tools, often with annoying limitations. To make that easier I've been working on the PHPMailer DKIM Validator, and eventually this should allow DKIM tests to become part of the test suite without involving any external domains or DNS. It's still not quite there yet but once that's working properly it will be much easier to diagnose DKIM problems, unit test, and prevent regressions. It's likely that it would be useful for other PHP mail libraries too as they all suffer the same testability problem.

[oom-]

@Synchro wish you good luck, can't wait that all of this go forward. 👍🏻

[OmicronDelta-007]

Same here. Signature fails when adding Image (AddEmbeddedImage).
When i remove the inline images the signature passes.

[Steveland]

Same error here with latest PHPMailer (6.2) on debian 9 Stretch server (OVH VPS).

DKIM signature is OK without attachment but fails when using addAttachment or addStringAttachment with a pdf file.

Anyone found a fix for this?

[juslintek]

Hi, thank you for phpmailer!

I use exim to handle DKIM preparation, works even faster, because process dedicated and optimised for email sending/receiving is handling it. So in case you do not have it working. You can do the same by following these docs: https://exim.org/exim-html-4.93/doc/html/spec_html/ch-dkim_spf_and_dmarc.html until this gets fixed.

But you can do the same with postfix and sendmail, by following these guides:

• sendmail: https://meumobi.github.io/sendmail/2015/09/18/install-configure-dkim-sendmail-debian.html
• postfix: https://easydmarc.com/blog/how-to-configure-dkim-opendkim-with-postfix/

Or any other, there are plenty of them online. :-)

Hope it helps :-)

[Synchro]

I would always recommend getting your mail server to do DKIM signing for you if you can!