Feb 21 2024 08:55 PM
Hi Outlook365/Exchange team,
I'm doing end-to-end DKIM verification on my outlook.com inbox.
I notice that all HTML messages are DKIM invalid.
The reason is that the outlook MUA tampers with the HTML, breaking the DKIM cryptographic signature.
Reference: https://github.com/lieser/dkim_verifier/issues/300#issuecomment-1824874545
How to fix this such that we can do proper end-to-end DKIM integrity verification?
Thanks a lot!
--Martin
Feb 22 2024 01:34 AM - edited Feb 22 2024 02:21 AM
I just sent myself an html email from Gmail to Outlook and I got a DKIM pass. Outlook mailbox is on Exchange Online with custom domain:
Authentication-Results: spf=pass (sender IP is 209.85.128.173)
smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass
reason=100
Feb 23 2024 07:27 AM
@DomP66 thanks for looking into this.
Yes, the outlook server is able to verify the authenticity of the gmail message.
However, we, users, are not able to verify the authenticity using tools such as https://github.com/lieser/dkim_verifier/
This is because the message has been tampered with by the outlook/exchange server, and we don't have access to the original message sent by gmail.
As a conclusion, we have no guarantee that the header is correct and that the message was actually sent and signed with the given dkim key.
Feb 23 2024 07:47 AM
Feb 23 2024 08:13 AM
Trust but verify.
Modifying email content undermines the whole integrity of DKIM.
Interestingly, outlook/exchange does not modify simple text/plain messages, only text/html ones.
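To show concretely why a server-side edit of the HTML body breaks the signature, here is an added example (not code from the thread or from the dkim_verifier project) that computes the DKIM body hash (the bh= tag of RFC 6376) with simple and relaxed canonicalization over a constructed HTML message. The message, the rewritten link, and the DKIM-Signature tag values are constructed for the illustration; the example checks only the body hash, which is the part a body modification invalidates, and not the RSA signature over the headers.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 ('simple') / 3.4.4 ('relaxed') body canonicalization."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # normalise to CRLF
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # strip trailing WSP, collapse WSP runs to one space
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    canon = b"\r\n".join(lines)
    while canon.endswith(b"\r\n"):  # drop trailing empty lines
        canon = canon[:-2]
    if not canon:  # empty body: single CRLF in simple mode, nothing in relaxed
        return b"\r\n" if mode == "simple" else b""
    return canon + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value of the bh= tag."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (folding whitespace removed)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """True if the body as received still hashes to the signer's bh= value."""
    tags = parse_dkim_tags(dkim_signature)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"  # c=hdr/body
    return hmac.compare_digest(tags["bh"], body_hash(body, body_mode))


# Constructed sample message as the sender signed it.
ORIGINAL_HTML = (b"<html><body>\r\n<p>Hello</p>\r\n"
                 b'<a href="https://example.com/">link</a>\r\n</body></html>\r\n')
# Same content, different whitespace and line endings: relaxed canonicalization tolerates this.
WHITESPACE_VARIANT = (b"<html><body>  \n<p>Hello</p>\n"
                      b'<a href="https://example.com/">link</a>\n</body></html>\n\n\n')
# Constructed server-side rewrite of the link; any edit of this kind changes the hash.
REWRITTEN_HTML = ORIGINAL_HTML.replace(b"https://example.com/", b"https://rewriter.invalid/?u=https://example.com/")
# Constructed DKIM-Signature value whose bh= was computed over ORIGINAL_HTML (b= left empty).
SIGNATURE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
                    "h=from:to:subject; bh=" + body_hash(ORIGINAL_HTML) + "; b=")

if __name__ == "__main__":
    print("original  :", body_hash_matches(SIGNATURE_HEADER, ORIGINAL_HTML))      # True
    print("whitespace:", body_hash_matches(SIGNATURE_HEADER, WHITESPACE_VARIANT))  # True
    print("rewritten :", body_hash_matches(SIGNATURE_HEADER, REWRITTEN_HTML))      # False
```

Relaxed canonicalization absorbs whitespace and line-ending changes in transit, but a rewritten tag or attribute yields a different bh= and the verifier reports the signature as invalid, which is exactly what the extension sees on the HTML messages discussed above.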
Feb 23 2024 08:18 AM
Mar 03 2024 03:47 AM
Mar 03 2024 04:04 AM - edited Mar 03 2024 04:06 AM
It would definitely be nicer if Microsoft abided by the RFC, but if that's not going to be the case, you might have a decision to make for your extension: make the extension more useful to Outlook.com users, or doggedly stick to RFCs.
Not an easy decision to make, I accept that. Sticking to the RFC and encouraging people to use an alternative email provider would probably be my option.