Forum Discussion
DKIM verification broken on Outlook 365/Exchange because of tampered HTML
- DomP66
Thanks for looking into this.
Yes, the Outlook server is able to verify the authenticity of the Gmail message.
However, we, the users, are not able to verify the authenticity using tools such as https://github.com/lieser/dkim_verifier/.
This is because the message has been tampered with by the Outlook/Exchange server, and we don't have access to the original message sent by Gmail.
As a conclusion, we have no guarantee that the header is correct and that the message was actually sent and signed with the given DKIM key.
- plieser, Mar 03, 2024, Copper Contributor
Note that there are two different issues with Outlook.
First the one already discussed here, Outlook modifying HTML mails.
Like you wrote reading the Authentication-Results header should be a possible workaround to use.
Unfortunately, this is where the second problem with Outlook comes into play:
The Authentication-Results header that Outlook is writing is not a valid one that follows the specification in the RFC.
One violation being that it is missing the, in my opinion, important authserv-id part.
See https://github.com/lieser/dkim_verifier/issues/300#issuecomment-1428735628 and https://answers.microsoft.com/en-us/outlook_com/forum/all/authentication-results-header-written-by-outlook/890b304c-3c81-48b6-b065-36fad3b551e4 for details.
- DomP66, Mar 03, 2024, Brass Contributor
It would definitely be nicer if Microsoft abided by the RFC, but if that's not going to be the case, you might have a decision to make for your extension: make the extension more useful to Outlook.com users, or doggedly stick to RFCs.
Not an easy decision to make, I accept that. Sticking to the RFC and encouraging people to use an alternative email provider would probably be my option.
- steasenburger, Apr 26, 2025, Copper Contributor
Is there a place where one could create / vote for a feature request that asks Microsoft to stick to the mentioned RFC?
- monperrus, Feb 23, 2024, Copper Contributor
Trust but verify.
Modifying email content undermines the whole integrity of DKIM.
Interestingly, outlook/exchange does not modify simple text/plain messages, only text/html ones.
- DomP66, Feb 23, 2024, Brass Contributor
Outlook modifies all HTML prior to </head>, maybe as an anti-malware measure, maybe to format nicely on outlook.com. It's definitely deliberate though, and therefore unlikely to change.
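Added example, not from this thread or from the dkim_verifier extension: the body-hash step of DKIM verification (RFC 6376 relaxed canonicalization) run over a constructed HTML body, showing why markup inserted before </head> by a relaying server makes the signer's bh= value no longer match, while whitespace-only differences are still tolerated. The domain, selector and the b= tag are placeholders; only the body-hash check is modelled.

```python
import base64
import hashlib
import re

def canonicalize_body_relaxed(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4): strip trailing
    whitespace on each line, collapse runs of SP/TAB to one SP, drop trailing
    empty lines, and terminate a non-empty body with a single CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def bh_from_signature(dkim_signature: str) -> str:
    """Extract bh= from a DKIM-Signature header value, ignoring folding whitespace."""
    for tag in dkim_signature.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "bh":
            return re.sub(r"\s+", "", value)
    raise ValueError("DKIM-Signature has no bh= tag")

def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Body-hash step of verification: recompute bh over the body as received and
    compare with the signer's value. Any content change in transit, such as
    markup injected before </head>, makes this return False."""
    return bh_from_signature(dkim_signature) == body_hash(body)

# Constructed sample: an HTML body as the sender signed it ...
ORIGINAL_BODY = (b"<html><head><title>Hi</title></head>\r\n"
                 b"<body><p>Please review the attached invoice.</p></body></html>\r\n")
# ... and the same body after a relaying server inserted markup before </head>.
MODIFIED_BODY = ORIGINAL_BODY.replace(b"</head>", b"<style>p{margin:0}</style></head>")

# Constructed DKIM-Signature value carrying the bh the sender would have computed;
# d=, s= and b= are placeholders since only the body-hash step is modelled here.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
             " h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n b=PLACEHOLDER")

if __name__ == "__main__":
    print("original body verifies:", body_hash_matches(SIGNATURE, ORIGINAL_BODY))  # True
    print("modified body verifies:", body_hash_matches(SIGNATURE, MODIFIED_BODY))  # False
```

A text/plain body that the relay leaves untouched passes this check exactly as the original HTML body does, which is the difference the thread observes.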