Exchange Online Protection modifying MIME parts of inbound messages

Copper Contributor

Is it normal for Exchange Online Protection to modify the body of messages in transit?  It seems like this would break DKIM, S/MIME, and PGP signatures, among other concerns.

 

Body of message in transit, as enqueued to Exchange Online Protection

--f403043c34cc657e800562729e22
Content-Type: text/plain; charset="UTF-8"

test 123

--f403043c34cc657e800562729e22
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">test 123</div>

--f403043c34cc657e800562729e22--

Body of message after processed by Exchange Online Protection

--f403043c34cc657e800562729e22
Content-Type: text/plain; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics:
    1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info:
    fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

test 123

--f403043c34cc657e800562729e22
Content-Type: text/html; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics:
    1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info:
    fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">test 123</div>

--f403043c34cc657e800562729e22--

 

3 Replies

Those seem like just additional headers that are added by EOP, or am I missing something here?

They are not being added as headers of the message, as defined by https://tools.ietf.org/html/rfc5322 (which would not affect the DKIM signature).  They're being added as MIME body part headers within a multipart construct, as defined by https://tools.ietf.org/html/rfc2045 (DKIM does not have a mechanism for signatures to survive this type of modification.)

 

This makes it impossible for clients to validate DKIM signatures, which seems to not honor the spirit of the DKIM internet standard https://tools.ietf.org/html/rfc6376

 

2.2.  Verifiers

   Elements in the mail system that verify signatures are referred to as
   Verifiers.  These may be MTAs, Mail Delivery Agents (MDAs), or MUAs.
   In most cases, it is expected that Verifiers will be close to an end
   user (reader) of the message or some consuming agent such as a
   mailing list exploder.

I'm wondering if that's intentional.