Categories
Security

Outlook.com breaks DKIM signatures

Outlook.com breaks existing DKIM signatures by modifying a protected header value.

I’m currently implementing DKIM support for my Exim mail server, and due to this I’m sending a lot of test messages to all major freemail providers in Europe and the USA.

I noticed that Outlook.com breaks DKIM signatures since they modify one header as follows:

The original header I sent is

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

while the header which I see when I fetch the received message with IMAP is the following:

Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

Noe the extra “double quotes” around the charset which are not transparent to “relaxed” Header Canonicalization. This causes Thunderbird’s “DKIM Verifier” extension to fail on this message.

What’s strange is that Outlook itself succeeds internally to verify the DKIM signature, so the modification to said header probably occurs after checking the original header. See below for what the header of the received message says about authentication:

Authentication-Results: ... dkim=pass (identity alignment result is pass and alignment mode is strict) header.d=example.org;

To solve this small issue I modified Exim’s list of headers to be signed as follows. Original set is

Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID

while I now only sign the following (which I consider to be sufficient):

Subject:To:From:Date:Message-ID

Let me know if you have any comments or suggestions.

By Ralf Bergs

Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.

Leave a Reply

Your email address will not be published. Required fields are marked *