
Exchange Online Protection modifying MIME parts of inbound messages

Jesse Thompson
Occasional Contributor

Is it normal for Exchange Online Protection to modify the body of messages in transit?  It seems like this would break DKIM, S/MIME, and PGP signatures, among other concerns.

 

Body of message in transit, as enqueued to Exchange Online Protection

--f403043c34cc657e800562729e22
Content-Type: text/plain; charset="UTF-8"

test 123

--f403043c34cc657e800562729e22
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">test 123</div>

--f403043c34cc657e800562729e22--

Body of message after being processed by Exchange Online Protection

--f403043c34cc657e800562729e22
Content-Type: text/plain; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics:
    1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info:
    fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

test 123

--f403043c34cc657e800562729e22
Content-Type: text/html; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics:
    1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info:
    fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">test 123</div>

--f403043c34cc657e800562729e22--

 

2 Replies

Those seem like just additional headers that are added by EOP, or am I missing something here?


They are not being added as headers of the message, as defined by https://tools.ietf.org/html/rfc5322 (which would not affect the DKIM signature).  They're being added as MIME body part headers within a multipart construct, as defined by https://tools.ietf.org/html/rfc2045 (DKIM does not have a mechanism for signatures to survive this type of modification.)

 

This makes it impossible for clients to validate DKIM signatures, which seems to not honor the spirit of the DKIM internet standard https://tools.ietf.org/html/rfc6376

 

2.2.  Verifiers

   Elements in the mail system that verify signatures are referred to as
   Verifiers.  These may be MTAs, Mail Delivery Agents (MDAs), or MUAs.
   In most cases, it is expected that Verifiers will be close to an end
   user (reader) of the message or some consuming agent such as a
   mailing list exploder.

I'm wondering if that's intentional.  
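
The distinction drawn in the reply above, as an added example that is not part of the original thread: it computes the DKIM body hash (`bh=`, RFC 6376 sections 3.4.3 and 3.4.4, SHA-256) for the enqueued body from the first post, then compares a header added at the RFC 5322 message level with the same header added inside each MIME part. The top-level headers, the placeholder header value, and the helper names are assumptions made for the illustration.

```python
import base64
import hashlib
import re

B = b"--f403043c34cc657e800562729e22"
# Body as enqueued, taken from the first post. Top-level headers are constructed.
BODY = (B + b'\r\nContent-Type: text/plain; charset="UTF-8"\r\n\r\ntest 123\r\n\r\n'
        + B + b'\r\nContent-Type: text/html; charset="UTF-8"\r\n\r\n'
        b'<div dir="ltr">test 123</div>\r\n\r\n' + B + b"--\r\n")
RAW = (b"From: sender@example.com\r\nSubject: test\r\n"
       b'Content-Type: multipart/alternative; boundary="f403043c34cc657e800562729e22"\r\n'
       b"\r\n" + BODY)
# Header name from the thread; the value is a placeholder.
ADDED = b"X-Microsoft-Antispam-Message-Info: placeholder"


def canon_body(body, mode="relaxed"):
    """DKIM body canonicalization, 'simple' or 'relaxed'."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of whitespace and drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(raw, mode="relaxed"):
    """bh= value: hash of everything after the first blank line of the message."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def add_message_header(raw, line):
    """RFC 5322 header: goes above the blank line, so the body is untouched."""
    return line + b"\r\n" + raw


def add_part_header(raw, line):
    """MIME part header: goes after each part's Content-Type, inside the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    body = re.sub(rb"(?m)^(Content-Type: [^\r\n]*\r\n)",
                  lambda m: m.group(1) + line + b"\r\n", body)
    return head + sep + body


if __name__ == "__main__":
    for label, msg in (("original", RAW),
                       ("message header added", add_message_header(RAW, ADDED)),
                       ("part headers added", add_part_header(RAW, ADDED))):
        print(f"{label:22} bh={body_hash(msg)}")
```

Neither canonicalization mode helps here: both only normalize whitespace and trailing empty lines, so any line added inside a MIME part changes `bh=` and a verifier downstream of the modification fails the signature.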
