New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot add a void DKIM header field #1966
Comments
Please note that the DKIM RFC treats empty and omitted fields differently. First of all, If you want to add empty values, you should make sure the header field is there with an empty value. This is equal to your "void" as in it will invalidate the signature once the header would be added and have an actual value. Using non-existing headers while building the signature is problematic, because the verifier on the receiving end probably will not include the missing headers on Verification. Verifiers are likely to verify with "skepticism", ignoring the missing headers altogether. |
If I add header field X-Header: then this will be an empty field. I can also add X-Header to the list of DKIM fields and the it will be added to the signature and validated on receipt. |
I do not agree! If you explicitly configure PHPMailer to use X-header in the signature, you should also make sure it is there! Your monkey, your circus, or in other words; your responsibility. Next to that, if someone maliciously would add the X-header, which was not part of the signing, there is no problem yet. Headers are added down the line (X- ones moreover) which have no effect on the integrity of the email itself. If it has effect on the integrity, my previous statement holds, you should make sure it is added yourself in the first place.... |
I think I'm with @XL-2000 on this one. The most obvious example of unsigned headers is That said, this quote:
applies to tags within the DKIM sig header itself, not headers in general, so I don't think it has any impact on what headers are signed. What does have an impact is this, in the definition of the
So while you may include headers that don't exist in the signature, they do not contribute to the signature including the name of the field. This means that adding a non-existent header to the signature will not prevent its addition, because an actor adding such a header can also remove its name from the |
"If you explicitly configure PHPMailer to use X-header in the signature, you should also make sure it is there!". An example to show where this is vulnerable: I compose an email but I do not specify a Reply-To: address. A response would go to my From: address. Now a hacker somehow modifies the email and inserts a fake Reply-To: header. Since PHPMailer did not include Reply-To in the DKIM h= field even when Reply-To is in the standard set of fields this will go undetected and the DKIM record will validate. A response will now go to the faked Reply-To address. |
That can't work because of the reason I posted above. Anyone that can add a previously nonexistent header can also remove it from the To elaborate in case it's unclear: if we have this header (what you're proposing):
an attacker can modify it to this undetected:
and there's nothing we can do about it except make our initial message:
|
"Anyone that can add a previously nonexistent header can also remove it from the h tag without affecting the DKIM signature."
Subject: hello Now if anyone modifies the DKIM signature including the h= field or any of the header fields or adds a Reply-To: field then the verification will fail. Try it out if you need further convincing. |
I think this is unclear in the definition of the
So you're quite right. |
PHPMailer 6.1.4 - If one of the default DKIM header fields of any added header field does not exist in the mail header then the field name is not included in the DKIM record.
A void header field is however allowed and it does have a function. A void field is a header field that has no value, for example X-Mailer:
A void field specifies that the header is not present and adding the header later would invalidate the DKIM key.
PHPMailer should therefore add all the requested header fields to the DKIM record, even if no actual matching header field is found.
The text was updated successfully, but these errors were encountered: