Malformed DKIM header & signature

Saxtus
Posts: 94
Joined: 05 Oct 2009, 06:13
Location: Athens, Greece

Malformed DKIM header & signature

Post by Saxtus » 10 Jan 2013, 22:36

Hello.

It appears that Trashmail adds its own DKIM signature to outbound emails.
That would be sweet for emails that originate from Trashmail, if the signature was working right.

From my tests, it seems that it suffers from two different problems, so depending on the originator, it doesn't work right:
  • If it's an inbound email (forwarded), Trashmail adds its own DKIM signature header (even if the original email came with its own DKIM signature) but d= is replaced with the originator's domain, so the retrieved public key (if any) has nothing to do with the key that resides at the 2012._domainkey.trashmail.net TXT record -- Example case:

    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of trashmail@trashmail.net designates 88.198.11.51 as permitted sender) smtp.mail=trashmail@trashmail.net;
           dkim=pass header.i=@linkedin.com
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=linkedin.com; s=2012;
    	t=1357842364; bh=NxOWoPLcCEJOjspdv9sT9WYexoKte1g7/seXqA8qU8U=;
    	h=Date:From:To:Subject:Reply-To;
    	b=<signature1>
    Authentication-Results: trashmail.net; dkim=pass
    	(1024-bit key; insecure key) header.i=@linkedin.com
    	header.b=CsRT5x4x; dkim-adsp=pass
    DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
    	s=prod; d=linkedin.com;
    	h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl;
    	b=<signature2>
    DKIM-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed;
    	q=dns/txt; i=@linkedin.com; t=1357842362;
    	h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl:
    	X-LinkedIn-Template;
    	bh=iiNWCEHM7CIYkiZ/mQgTyolyobs=;
    	b=<signature3>
  • If it's an outbound email (one that originates from Trashmail itself, i.e. through the website's send mail form), the verification fails with the reason being "bad signature" -- Example case:

    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of <email>@trashmail.net designates 2a01:4f8:130:23a2:0:2:0:1 as permitted sender) smtp.mail=<email>@trashmail.net;
           dkim=hardfail header.i=@trashmail.net
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=trashmail.net; s=2012;
    	t=1357852976; bh=8FLQfTZgzZ3ocq3J8loVWohQ12JohLqmcyZ1VJJG/DM=;
    	h=Date:Subject:From:To;
    	b=<signature>
Opinions? :roll:


**I have omitted the actual signatures because the forum doesn't allow over 3kb of text per post.

EDIT: Some more facts added after extensive testing.
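
The mismatch described in the first bullet can be checked mechanically. The following is an added example, not part of the original post and not TrashMail's code: it parses the DKIM-Signature values quoted above, derives the DNS name a verifier would query (<s>._domainkey.<d>), and flags a signature that uses the forwarder's selector under a different d=. The function names are hypothetical, and treating selector 2012 as belonging only to trashmail.net is an assumption based on the post.

```python
import re

# Constructed sample: DKIM-Signature values taken from the headers quoted in
# the post (h= abridged, b= left as the post's placeholders).
SAMPLE = [
    "v=1; a=rsa-sha256; c=simple/simple; d=linkedin.com; s=2012;\n"
    "\tt=1357842364; bh=NxOWoPLcCEJOjspdv9sT9WYexoKte1g7/seXqA8qU8U=;\n"
    "\th=Date:From:To:Subject:Reply-To;\n\tb=<signature1>",
    "v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed;\n"
    "\tq=dns/txt; i=@linkedin.com; t=1357842362;\n"
    "\th=From:Subject:Date:To;\n\tbh=iiNWCEHM7CIYkiZ/mQgTyolyobs=;\n\tb=<signature3>",
    "v=1; a=rsa-sha256; c=simple/simple; d=trashmail.net; s=2012;\n"
    "\tt=1357852976; bh=8FLQfTZgzZ3ocq3J8loVWohQ12JohLqmcyZ1VJJG/DM=;\n"
    "\th=Date:Subject:From:To;\n\tb=<signature>",
]


def parse_tags(value):
    """Unfold a DKIM-Signature value and split it into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # bh=/b= values may contain '='
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record(tags):
    """DNS TXT name a verifier queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def audit(values, signer_domain, signer_selectors):
    """Flag signatures that carry the forwarder's selector under a foreign d=.

    Heuristic (assumption of this example): the selectors in signer_selectors
    are used only by signer_domain, as the post reports for selector 2012.
    """
    findings = []
    for value in values:
        tags = parse_tags(value)
        foreign = tags["d"].lower() != signer_domain
        if tags["s"] in signer_selectors and foreign:
            findings.append((key_record(tags), "wrong d= for signer selector"))
        else:
            findings.append((key_record(tags), "no d=/selector mismatch"))
    return findings
```

Calling audit(SAMPLE, "trashmail.net", {"2012"}) flags only the first signature. The check covers key-record naming alone; it does not verify the b= signature, so the "bad signature" failure in the second bullet is outside its scope.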

Admin
Site Admin
Posts: 1243
Joined: 16 Jun 2006, 08:55
Location: Germany

Re: Malformed DKIM header & signature

Post by Admin » 27 Jan 2013, 23:26

Could you please send me the full email header example which fails to support@trashmail.net?
In fact, trashmail.net adds a DKIM signature to each forwarded email so that you know whether you received an original forwarded trashmail.net email or a manipulated, faked one.
Best regards,
Stephan Ferraro
Founder of TrashMail.com
CEO of Aionda GmbH

Saxtus
Posts: 94
Joined: 05 Oct 2009, 06:13
Location: Athens, Greece

Re: Malformed DKIM header & signature

Post by Saxtus » 28 Jan 2013, 12:29

Welcome back!
Admin wrote: Could you please send me the full email header example which fails to support@trashmail.net?
Sent.
Admin wrote: In fact, trashmail.net adds a DKIM signature to each forwarded email so that you know whether you received an original forwarded trashmail.net email or a manipulated, faked one.
And as I've said above, that would be nice if it was working right.

Admin
Site Admin
Posts: 1243
Joined: 16 Jun 2006, 08:55
Location: Germany

Re: Malformed DKIM header & signature

Post by Admin » 02 Feb 2013, 10:07

It's semi-fixed now.
The DKIM signature is now correct, but forwarded emails contain only the original DKIM signatures of the sender.
We can't put two different DKIM signatures in one email.
Best regards,
Stephan Ferraro
Founder of TrashMail.com
CEO of Aionda GmbH

Saxtus
Posts: 94
Joined: 05 Oct 2009, 06:13
Location: Athens, Greece

Re: Malformed DKIM header & signature

Post by Saxtus » 02 Feb 2013, 22:35

Admin wrote: forwarded emails contain only the original DKIM signatures of the sender.
We can't put two different DKIM signatures in one email.
As far as I can see, each forwarded e-mail has at least a trashmail.net-added DKIM signature, but it's pointing to the wrong domain name.
If the sender's original DKIM signature is present, it isn't affected and works as expected.

On the bright side, e-mails originating from trashmail.net have a working DKIM signature now.
