
DKIM and reply address masking issue

Posted: Wed Jan 25, 2017 12:42 am
by josh
Hey everyone - Syskoll warned me about this, and I guess I knew it anyway, but the enforcement of DKIM that is currently going into place with providers like google/gmail is *not* compatible with spamgourmet's reply address masking feature -- that is, when we go in and change the "from" address to be one that will come back to spamgourmet instead of to the sender (so that we can change your from address to be the disposable address you were using), that breaks the integrity check that the DKIM enforcement runs later on -- sort of like, "this email says in its DKIM headers that it's from (or somewhere), but the 'from' address is [something] - something's not right, so REJECT." If this happens, you probably won't get any error message or any indication that the message has been sent.

I'm probably going to need some time to figure out an elegant way to make things work, but in the meantime, turning off reply address masking temporarily could help if you're expecting an email and it's not arriving (you probably have to click 're-send' wherever it was that sent it).

This only happens when both: 1) the sender has implemented DKIM rules, and 2) your email provider is enforcing them. So currently it won't happen very often, but probably it will happen more as time goes on.

So... this sucks, yes. But DKIM enforcement is a Good Thing, in my opinion. If we had things like that around a long time ago, probably there would be no need for spamgourmet.

I'll keep you posted.

Re: DKIM and reply address masking issue

Posted: Wed Jan 25, 2017 9:21 pm
by milkbadger
ARC should provide a solution once it is finalized and adopted by mail services.

Re: DKIM and reply address masking issue

Posted: Sun Jan 29, 2017 12:03 am
by lwc
If we had things like that around a long time ago, probably there would be no need for spamgourmet.

Well, spam can come from legitimate addresses too. The exclusive sender aspect of Spamgourmet gives you control over who can use your address. It helps you deal with mass messages which put your address in the TO or CC instead of BCC, poorly guarded databases or when your address is plain out sold to a third party (no way to know whodunnit without Spamgourmet).

Re: DKIM and reply address masking issue

Posted: Fri Mar 31, 2017 1:57 am
by josh
I did a quick hack workaround that simply deletes the first line of DKIM headers when you have reply address masking turned on. This seems to sort of work in my pitifully-less-than-comprehensive tests, so I'm running with it until we come up with something better. Apologies in advance for any weirdness.

edit: I soon realized I didn't need to be so violent, so now it simply changes "DKIM-Signature" to "OriginalDKIM-Signature" and leaves the rest intact. That way (at least with my testing) the header is still there, but it's not recognized by the MTA so there's no processing/validation of it.

This is still not an elegant and hopefully not a permanent solution, because obviously it defeats the benefits of DKIM between the original sender and the spamgourmet user (I guess you can still do manual DKIM validation with this new approach - haha, we all know how to do that of course...), so we'll have to come up with something better. But my hope is that this workaround will keep the mail from disappearing in the near term.

Re: DKIM and reply address masking issue

Posted: Mon Apr 10, 2017 11:15 am
by McBonkerz
It's nice that email providers are getting round to doing a little security work, 40 years later.

Having spent quite a bit of time as a total novice in such activities as ad-blocking, protecting personal data, obfuscating my identity and generally covering my tracks (with the aid of AdBlock, Ghostery, Priv, VPN, Tor, etc), it was brought to my attention that the entire construction of the internet could be viewed as a surveillance tool. There doesn't seem to be any thought whatsoever with regard to privacy for the individual. I accept there are a lot of legacy issues in common with most constantly evolving systems, but I find it very difficult to imagine a banking network being set up in this way or a military comms system. Espionage is much older than the internet. The designers seem quite negligent in respect to security/privacy, despite the fact that we know how nosy governments and corporations are. I'm not given to conspiracy theories but it does seem a little odd.

I heard the father of the net, Tim Berners-Lee, pontificating on the issue and I like the guy but isn't he one of the major offenders in this respect?

Re: DKIM and reply address masking issue

Posted: Sun Apr 23, 2017 11:57 pm
by josh
A user let me know that the DMARC - DKIM problem happens even when reply address masking isn't enabled due to the change to the subject line. For that reason, I moved the temporary fix to apply to all email coming through.

Re: DKIM and reply address masking issue

Posted: Wed May 03, 2017 3:44 pm
by josh
Looks like we may still be getting DMARC failures due to SPF (not DKIM) when reply address masking is *not* on - there can be an SPF fail if our IP address is not listed as a permitted sender for the domain in the From: address (and it almost never will be listed of course) - the workaround for that particular issue would be to turn on reply address masking, which changes the From: domain to one of ours. Currently brainstorming more elegant solutions that won't tank our server.

This particular problem is much more widespread than just spamgourmet, btw - it tends to hit any service that forwards email, such as a lot of mailing lists.

And all these issues are determined both by the DMARC settings of the original sender domain *plus* the DMARC interpretation policies of the ultimate recipient service provider, so behavior will seem really inconsistent.
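The three failure modes josh describes across his posts (a changed Subject: line breaking DKIM, the DKIM-Signature header rename workaround, and SPF failing on any forwarded mail unless the From: domain is rewritten) can be reproduced with a small model of how a receiver evaluates DMARC. The following Python is an added illustration, not spamgourmet's code and not written by any poster in this thread. It assumes constructed domains (sender.example, forwarder.example) and IPs, replaces DKIM's public-key signature with an HMAC purely to model "a signed field changed, so verification fails", uses strict DMARC alignment, and assumes the forwarder publishes an SPF record for its own IP and uses its own domain as envelope sender when masking is on.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed DNS-like state: toy signing keys per domain and SPF-permitted IPs.
# Real DKIM uses RSA/Ed25519 keys published in DNS; the HMAC here only models
# "signed fields changed => verification fails".
KEYS = {"sender.example": b"constructed-sender-key"}
SPF = {"sender.example": {"192.0.2.10"}, "forwarder.example": {"198.51.100.5"}}
SIGNED_HEADERS = ("from", "subject")  # h= tag of the toy signature
FORWARDER_IP = "198.51.100.5"


@dataclass
class Message:
    headers: list          # (name, value) pairs in header order
    body: str
    mail_from: str         # envelope MAIL FROM domain, which SPF checks
    connecting_ip: str     # host handing the message to the verifier

    def get(self, name):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set(self, name, value):
        self.headers = [(n, v) for n, v in self.headers if n.lower() != name.lower()]
        self.headers.append((name, value))


def _canon(msg):
    # Simplified canonicalization: signed headers in h= order, then the body.
    head = "\n".join(f"{h}:{(msg.get(h) or '').strip()}" for h in SIGNED_HEADERS)
    return head + "\n" + msg.body


def dkim_sign(msg, domain):
    mac = hmac.new(KEYS[domain], _canon(msg).encode(), hashlib.sha256).hexdigest()
    msg.set("DKIM-Signature", f"d={domain}; h={':'.join(SIGNED_HEADERS)}; b={mac}")


def dkim_verify(msg):
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return "none", None            # verifier sees no signature at all
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if t.strip())
    domain = tags["d"]
    mac = hmac.new(KEYS[domain], _canon(msg).encode(), hashlib.sha256).hexdigest()
    return ("pass" if hmac.compare_digest(mac, tags["b"]) else "fail"), domain


def spf_check(msg):
    return "pass" if msg.connecting_ip in SPF.get(msg.mail_from, set()) else "fail"


def dmarc(msg):
    # DMARC passes if either mechanism passes AND its domain aligns with the
    # header From: domain (strict alignment, for brevity). Returns
    # (dkim_result, spf_result, dmarc_verdict).
    from_domain = msg.get("From").split("@")[1]
    dkim_res, d = dkim_verify(msg)
    spf_res = spf_check(msg)
    dkim_ok = dkim_res == "pass" and d == from_domain
    spf_ok = spf_res == "pass" and msg.mail_from == from_domain
    return dkim_res, spf_res, "pass" if (dkim_ok or spf_ok) else "fail"


def original_message():
    # Constructed message as the sender's own MTA would hand it to the forwarder.
    m = Message([("From", "alice@sender.example"),
                 ("To", "someone.x.user@forwarder.example"),
                 ("Subject", "hello")], "body text\n", "sender.example", "192.0.2.10")
    dkim_sign(m, "sender.example")
    return m


def forward(m, tag_subject=False, mask_from=False, rename_dkim=False):
    # The forwarder relays from its own IP; envelope sender is kept unless masking.
    fwd = Message(list(m.headers), m.body, m.mail_from, FORWARDER_IP)
    if tag_subject:   # editing a signed header invalidates the signature
        fwd.set("Subject", "[x.user] " + fwd.get("Subject"))
    if mask_from:     # reply-address masking: From: now belongs to the forwarder
        fwd.set("From", "x.user.masked@forwarder.example")
        fwd.mail_from = "forwarder.example"   # assumption: envelope sender rewritten too
    if rename_dkim:   # the thread's workaround: hide the now-broken signature
        fwd.headers = [("OriginalDKIM-Signature" if n == "DKIM-Signature" else n, v)
                       for n, v in fwd.headers]
    return fwd


def scenarios():
    m = original_message()
    return {
        "direct": dmarc(m),
        "forwarded_untouched": dmarc(forward(m)),
        "forwarded_subject_tagged": dmarc(forward(m, tag_subject=True)),
        "forwarded_tagged_dkim_renamed": dmarc(forward(m, tag_subject=True, rename_dkim=True)),
        "forwarded_tagged_masked": dmarc(forward(m, tag_subject=True, mask_from=True)),
    }


if __name__ == "__main__":
    for name, (dk, spf, verdict) in scenarios().items():
        print(f"{name:32s} dkim={dk:4s} spf={spf:4s} dmarc={verdict}")
```

Running it shows the pattern from the thread: an untouched forward still passes DMARC through DKIM even though SPF fails on the forwarder's IP; tagging the Subject: turns DKIM into a fail and, with SPF already failing, the message fails DMARC; renaming the header changes the DKIM result from "fail" to "none" but does not rescue the verdict on its own; masking the From: makes the forwarder's own SPF record align, so DMARC passes again, at the cost of the original sender's signature no longer meaning anything to the recipient.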

Re: DKIM and reply address masking issue

Posted: Thu Jan 04, 2018 12:38 pm
by Clewby
I hope that ARC will provide an elegant solution for spamgourmet, although anything that uses cryptographic validation is likely to add to server load.

I can see from reading around ARC that one of the use-cases it is aimed at is mailing lists, and I hope that there are enough mailing lists that do not forward on the originating sender's address (for privacy reasons) that an appropriate solution can be found for spamgourmet.

It might be worth following the ARC developers mailing list [ ], or even contributing.

For anyone wondering what ARC is, this is a good explainer: ... english-2/

The site is pretty bullish about ARC being implemented:

Status of ARC

If you are a mailbox provider or mailing list operator, it is time to begin planning your ARC implementation.

The Authenticated Received Chain, or ARC, was adopted as an official work item of the IETF DMARC Working Group in June 2016, and the specification was last updated in September 2017. (Or check for more recent activity at this IETF page.)

AOL and Google are already validating messages they receive with ARC headers, code libraries and a test suite are freely available, one commercial MTA already includes ARC support, and patches for popular mailing list managers (MLMs) will be released shortly (October 2017). Links to these items are available on our Resources page.

I run my spamgourmet account with 'reply address masking' turned on, which means that a large proportion of my inbound and outbound email goes via spamgourmet's servers. I felt a bit guilty about that at first, as I don't really like to add to the load unnecessarily, but I've got used to it. Using ARC might mean that reply address masking will need to become the default mode of operation for everyone, if I understand things correctly. I admit my understanding is very limited.