New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change DKIM header fields #1965
Comments
You can set
If this is the case, how can or would you distinguish malicious and "trusted" intrusions or injections? In other words, the whole point of DKIM is to make sure no illegal alterations were made between generating the message and reading it. If changes are being made, how would you be able to state anything about the authenticity of the message?
|
Well, the standard list defined by PHPMailer is arbitrary and open for discussion to what fields should be included or not. My point is that there is no configurable way to exclude fields from the standard list, you can add fields however with DKIM_extraHeaders. Commercial mail providers and large companies generally have less fields that they include in the DKIM signature. They do that for a reason. A major issue with DKIM is that mail servers tend to modify certain header fields. Mail servers that you as a sender do not control. Then the only alternative may be to not sign a field that is known to give problems or accept that your mails will not arrive. I have seen this happening to Message-ID where mail servers add their own Message-ID. |
It's not arbitrary – It's the recommended set straight from RFC6376. I would expect that changing a message ID is itself an RFC contravention, as it will break lots of things, especially threading. |
What Synchro states is correct. I understand what you say Klaas, but IMO you are trying to solve the "problem" in the wrong place. If servers are changing the headers, you should raise an issue there. The auto sign fields should not be modified in any case |
"It's not arbitrary – It's the recommended set straight from RFC6376." However I do not want to drop or even change the standard list. It is a usefull starting point. I just want to be able to take one or two standard fields out. "If servers are changing the headers, you should raise an issue there." This is a nice point but how do you beat several 10000 mail servers and their maintainers? They are all to chicken to change something in case it will break their system and I cannot even blame them (too much). |
In my experience some sending services (eg SES) override Message-ID header, so if you have signed the message with your Message-ID value, then signature fails. There are two options:
|
I'm strongly in favour of 2. I'm glad you're here @andris9! Since both you and @KlaasBonnema seem to know what you're talking about when it comes to DKIM, I could use some help with my DKIM Validator. I've been comparing it with Scott Kitterman's python validator, but that code is really hard to read. |
IDK if it's any help but I've been recently building a similar validator/signer for Node.js. You can find the source here. Not sure if it is any easier to read than the Python code as there are no comments and it's still alpha (even though it should work fine). The library processes messages as streams, so the dkim body hash calculation is a bit more complex then it would be when processing the entire message at once (eg. the stream processor needs to keep track of whitespaces to know if it needs to normalise these or not). |
I saw that too! My main problem is around headers, specifically canonicalisation. There is some ambiguity about how to deal with DKIM-Signature headers; you need to remove the What would be really great is to be able to see how your library canonicalises some examples so that I can compare what I'm doing, but my JS isn't up to figuring that out! |
In general verifying is exactly the same as signing except that you have to use the algorithms specified in the DKIM-Signature header instead of choosing these yourself. And obviously, instead of signing the final header data, you verify it against the signature found from the DKIM-Signature header. The process is following
Example Headers:
This is the list of header keys (notice that Subject is listed twice)
So the header fields to check for after filtering and reordering are the following (notice the ordering of Subject fields):
next validate it against the key from ...and it should match |
Thank you, that's very useful. Could you show the canonicalised version of that example?
We apply normal DKIM canonicalisation: unfolding, reducing whitespace, remove leading space, lowercase field name, remove
Should the canonicalisation apply DKIM's internal requirement to strip spaces within the value as part of the process? Giving:
Or is it left in its canonical form for hashing, but then the spaces are stripped before parsing the DKIM tags within the value? |
Oh sure, forgot that. When using relaxed algo then you unfold the folded header line (in this case only the DKIM-Signature as other fields are not folded). For simple algo you keep the headers as is (except ordering). I'll add the example signature data later when I'm back at my computer (on phone right now). |
A good validation reference is check-auth@verifier.port25.com. Send the email that you want to verify to it and a detailed answer with an analysis will be returned. They also show the canonicallized data. As for the your mail service adding a Message-ID after you have added it before and used it to sign the message: Your mail service should NEVER add a Message-ID when there already is a Message-ID present. If they do this complain about it. (If they react is another thing...) When you know that your mail service is adding a Message-ID anyway then a fallback can be to not add it yourself. However you must then rely on the mail service to always do it. Can you be sure your mails always pass through this service? The drawback is that the Message-ID is not signed. (unless the mail server also signs the message...). Also the underlying purpose is that the Message-ID is used to follow the mail through the system. If you give up the right to add your own then you are missing out on the chance to set your own message-ID stamp on the mail If you can guarantee that your mail service signs every message then this can be an alternative. You can then still sign the message yourself because messages can have more than one signature and only one is needed to pass. |
I made a mistake with signature header ordering. DKIM-Signature goes to the bottom, not to the top. Here's the actual data that is verified against the public key and signature using relaxed (unfolded, trimmed, lowercase header keys) headers canonicalisation.
Each line ends with yet again - notice the ordering of subject fields. |
Perfect, thanks |
@Synchro If it's any help then I added a cli option for my DKIM/ARC/DMARC/SPF validator module. You can pipe an email message to a cli command, provide mock DNS responses (so you could sign messages with domains like "example.com" when testing) and get back a JSON formatted report for all signatures in the message. You can find the documentation for available arguments here and an example with input files (both a signed email and mock DNS responses) here.
|
Thanks @andris9 – I already have something similar in my validator to allow output in HTML, JSON, or plain text. My main motivation for writing it is to allow it to be used in unit tests for PHPMailer, so machine-readable command-line feedback is important. At the moment it's quite qualitative (listing which tests have passed or failed, along with overall verdicts), but your approach of including technical breakdowns is something I should do too. Hey, I could even make it compatible! |
PHPMailer (6.1.4) includes a default set of header fields in a DKIM key. There currently is no configuration parameter to make changes to this list, that is remove individual fields from the standard list of header fields.
There are situations that warrant changes to the list. A primary reason is that certain fields could be changed or replaced by mail servers down the line. Mail servers should not do that but you can rarely control their behaviour where you should be able to control the DKIM record if you (PHPMailer) is creating it.
The text was updated successfully, but these errors were encountered: