DKIM verification broken on Outlook 365/Exchange because of tampered HTML

Authentication-Results: spf=pass (sender IP is 209.85.128.173) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100

monperrus
Copper Contributor
Feb 23, 2024
DomP66thanks for looking into this.

yes, the outlook server is able to verify the authenticity of the gmail message.

however, we, users are not able to verify the authenticity using tools such as https://github.com/lieser/dkim_verifier/

this is because the message has been tampered by outlook/exchange server, and we don't have access to the original message sent by gmail.

as a conclusion, we have no guarantee that the header is correct and that the message was actually sent and signed with the given dkim key.
- DomP66
  Brass Contributor
  Feb 23, 2024
  I see. Well if you don't trust Outlook enough to believe the Authentication-Results header, it's arguable whether you should be trusting Outlook at all with your emails!
  - plieser
    Copper Contributor
    Mar 03, 2024
    Note that there are two different issues with Outlook.
    First the one already discussed here, Outlook modifying HTML mails.
    
    Like you wrote reading the Authentication-Results header should be a possible workaround to use.
    Unfortunately this is where the second Problem with Outlook comes in play:
    
    The Authentication-Results header that Outlook is writing is not a valid one that follows the specification in the RFC.
    One violation being that it is missing the in my opinion important part of the authserv-id.
    
    See https://github.com/lieser/dkim_verifier/issues/300#issuecomment-1428735628 and https://answers.microsoft.com/en-us/outlook_com/forum/all/authentication-results-header-written-by-outlook/890b304c-3c81-48b6-b065-36fad3b551e4 for details.

Forum Discussion

DKIM verification broken on Outlook 365/Exchange because of tampered HTML

Resources