Scenario: Amazon is sending some newsletters and invoices with two valid DKIM Signatures, one for the domain amazonses.com and one for Amazon.de. Both signatures are valid. Opendkim is used to validate the signatures and validates both.
Resulting Authorization header:
Authentication-Results: mailhub-1.mail.etat.lu;
dkim=pass reason="1024-bit key; insecure key" header.d=amazonses.com header.i=@amazonses.com header.b=b+vKgg/t;
dkim=pass reason="1024-bit key; insecure key" header.d=amazon.de header.i=@marketplace.amazon.de header.b=FSBO9bfD;
dkim-atps=neutral
Opendmarc returns “fail” for the DKIM test if both signature results are included in the DKIM Authentication-Results field and returns pass if only one is included. This happens under the assumption that the SPF test fails. This behaviour is not correct according to the RFC, as one valid and aligned DKIM signature should be sufficient.
https://www.rfc-editor.org/rfc/rfc7489.txt
3.1.1. DKIM-Authenticated Identifiers
…
Note that a single email can contain multiple DKIM signatures, and it is considered to be a DMARC "pass" if any DKIM signature is aligned and verifies.
As some of our users are forwarding messages, the SPF test of the forwarded message is not correct. As the DKIM test fails too due to this behaviour that is not RFC conformant, the overall result is “fail”.
Result of both runs:
host::~ # opendmarc -t /tmp/amazon-pass.eml -vv -c /usr/local/config/opendmarc/opendmarc.conf
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 4: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 11: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 19: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 20: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 21: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 22: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 25: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 32: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 33: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-pass.eml: line 34: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='mailhub-1.mail.etat.lu; spf=pass smtp.mailfrom=sender@example.org'
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='mailhub-1.mail.etat.lu/DEBUG-i; dmarc=pass header.from=marketplace.amazon.de'
opendmarc: /tmp/amazon-pass.eml: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE
host:~ # opendmarc -t /tmp/amazon-fail.eml -vv -c /usr/local/config/opendmarc/opendmarc.conf
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 5: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 12: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 20: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 21: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 22: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 25: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 32: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 33: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 34: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /tmp/amazon-fail.eml: line 35: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='mailhub-1.mail.etat.lu; spf=pass smtp.mailfrom=sender@example.org'
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='mailhub-1.mail.etat.lu/DEBUG-i; dmarc=fail header.from=marketplace.amazon.de'
opendmarc: /tmp/amazon-fail.eml: mlfi_eom() returned SMFIS_CONTINUE
opendmarc: mlfi_close() returned SMFIS_CONTINUE
Both files are included. The original message is not included for privacy reasons. This should not be required as opendmarc relies on the authentication-results header.
Second test file with an Authentication-Results header with one DKIM signature
Tom, thanks for the Ticket :-)
Same problem here; how to reproduce:
/tmp/config
PublicSuffixList /tmp/public_suffix_list.dat
TrustedAuthservIDs fail.example.org
/tmp/msg
Authentication-Results: pass.example.org;
dkim=pass (1024-bit key; unprotected) header.d=amazon.de header.i=@marketplace.amazon.de header.b=U/hJ6PWq
Authentication-Results: fail.example.org;
dkim=pass (1024-bit key; unprotected) header.d=amazonses.com header.i=@amazonses.com header.b=mJxKopq2;
dkim=pass (1024-bit key; unprotected) header.d=amazon.de header.i=@marketplace.amazon.de header.b=U/hJ6PWq
From: "Amazon Marketplace" redacted@marketplace.amazon.de
body
opendmarc -vv -c /tmp/config -t /tmp/msg
-> dmarc=fail
If you change the config to trust the A-R header from pass.example.org, you get a dmarc=pass.
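To make the expected behaviour concrete, here is an added example (my own code, not opendmarc's) that evaluates the DKIM step of DMARC over Authentication-Results headers the way RFC 7489 section 3.1.1 describes it: any verified signature whose header.d aligns with the From domain is enough, and extra non-aligned signatures are ignored. It is run against the two-header reproduction message above and against the Authentication-Results header from the original report. The public suffix list is a constructed three-entry stand-in for public_suffix_list.dat, the TrustedAuthservIDs filtering mirrors the config above, and the parsing helpers are assumptions of this example rather than opendmarc's parser.

```python
"""
DMARC DKIM alignment per RFC 7489 section 3.1.1, evaluated over
Authentication-Results headers.  Added example, not opendmarc's code.
"""
import re

# Constructed stand-in for public_suffix_list.dat: only the suffixes this
# example needs.  A real deployment loads the full list.
PUBLIC_SUFFIXES = {"de", "com", "org"}


def organizational_domain(domain, suffixes=PUBLIC_SUFFIXES):
    """Public suffix plus one label, e.g. marketplace.amazon.de -> amazon.de."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def split_resinfo(value):
    """Split an A-R value on ';' outside quoted strings and comments.
    The headers above contain 'reason="1024-bit key; insecure key"' and
    '(1024-bit key; unprotected)', so a naive split would corrupt clauses."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"' and depth == 0:
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")" and depth:
                depth -= 1
            elif ch == ";" and depth == 0:
                parts.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def dkim_results(ar_value):
    """Return (authserv-id, [(result, header.d), ...]) for one A-R header value."""
    fields = split_resinfo(ar_value)
    authserv_id = fields[0].split()[0].lower()
    results = []
    for clause in fields[1:]:
        clause = re.sub(r"\([^)]*\)", "", clause)  # drop CFWS comments
        m = re.match(r"\s*dkim=(\w+)", clause)
        if not m:
            continue  # spf=, dmarc=, dkim-atps= ... are not signature results
        d = re.search(r"header\.d=([^\s;]+)", clause)
        results.append((m.group(1).lower(), d.group(1).lower() if d else None))
    return authserv_id, results


def dmarc_dkim_aligned(ar_headers, from_domain, trusted_authserv_ids, strict=False):
    """Return the first header.d with dkim=pass that aligns with From, else None.

    RFC 7489 3.1.1: the DKIM step passes if ANY verified signature is aligned;
    other signatures on the message do not matter.  Only headers from trusted
    authserv-ids are consulted, like opendmarc's TrustedAuthservIDs."""
    from_domain = from_domain.lower()
    from_org = organizational_domain(from_domain)
    trusted = {t.lower() for t in trusted_authserv_ids}
    for value in ar_headers:
        authserv_id, results = dkim_results(value)
        if authserv_id not in trusted:
            continue
        for result, d in results:
            if result != "pass" or d is None:
                continue
            if d == from_domain or (not strict and organizational_domain(d) == from_org):
                return d
    return None


# Constructed from the reproduction message above.
REPRO_AR_HEADERS = [
    "pass.example.org;\n"
    " dkim=pass (1024-bit key; unprotected) header.d=amazon.de"
    " header.i=@marketplace.amazon.de header.b=U/hJ6PWq",
    "fail.example.org;\n"
    " dkim=pass (1024-bit key; unprotected) header.d=amazonses.com"
    " header.i=@amazonses.com header.b=mJxKopq2;\n"
    " dkim=pass (1024-bit key; unprotected) header.d=amazon.de"
    " header.i=@marketplace.amazon.de header.b=U/hJ6PWq",
]
# The header from the original report, with quoted reason= strings.
REPORT_AR_HEADER = (
    "mailhub-1.mail.etat.lu;\n"
    ' dkim=pass reason="1024-bit key; insecure key" header.d=amazonses.com'
    " header.i=@amazonses.com header.b=b+vKgg/t;\n"
    ' dkim=pass reason="1024-bit key; insecure key" header.d=amazon.de'
    " header.i=@marketplace.amazon.de header.b=FSBO9bfD;\n"
    " dkim-atps=neutral"
)
FROM_DOMAIN = "marketplace.amazon.de"

if __name__ == "__main__":
    # Trusting fail.example.org (both signatures present): RFC result is pass.
    print(dmarc_dkim_aligned(REPRO_AR_HEADERS, FROM_DOMAIN, {"fail.example.org"}))
    # Strict alignment: amazon.de != marketplace.amazon.de, so no DKIM pass.
    print(dmarc_dkim_aligned(REPRO_AR_HEADERS, FROM_DOMAIN, {"fail.example.org"}, strict=True))
    print(dmarc_dkim_aligned([REPORT_AR_HEADER], FROM_DOMAIN, {"mailhub-1.mail.etat.lu"}))
```

With fail.example.org trusted, the header carrying both signatures still yields an aligned `amazon.de` under relaxed alignment, which is the result the reproduction above expects; the amazonses.com signature simply does not count. Switching to `strict=True` (adkim=s) returns None, which is the only situation in which this message should fail the DKIM step.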
Will this be fixed?
I hope so!
Do you have any programming skills to assist?
My language skills in "C" are fairly limited. I have never opened any of the opendmarc files. I believe the change could be done easily by someone who knows the code.
I guess I found the bug. Patch attached
Thanks. The patch works for me.
Did you test the patch with many test cases? Will it be integrated in the next release?
Last edit: Tom 2015-07-07
It's simply in production.
Take the source, run 'grep opendmarc_policy_check_alignment libopendmarc/opendmarc_policy.c' and you see the difference...
Patch applied.
v1.3.2 released, containing this fix.