On 10/05/2014 08:47 PM, A. Schulze wrote:
>> Do you have a so-called security appliance in the path? Many have
>> a history of tampering with email.
>
>> Do you have other anti-spam software in the path that modifies
>> mail headers such as X-Spam:?
>
> To be complete: there is an easy way to invalidate DKIM-Signatures:
> don't announce SMTP extension 8BITMIME ...
> That way the sender must recode; this destroys the signature. Most MTAs
> do that recoding just before transmission. So it's likely to occur /after/
> signing the message.

That's why email should be downgraded to 7 bit before creating the
DKIM-Signature.

From http://www.ietf.org/rfc/rfc4871.txt:

5.3. Normalize the Message to Prevent Transport Conversions

   Some messages, particularly those using 8-bit characters, are
   subject to modification during transit, notably conversion to 7-bit
   form. Such conversions will break DKIM signatures. In order to
   minimize the chances of such breakage, signers SHOULD convert the
   message to a suitable MIME content transfer encoding such as
   quoted-printable or base64 as described in MIME Part One [RFC2045]
   before signing.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

http://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
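
A small model of the breakage discussed in this thread, as an added example that is not part of the original messages: it computes the DKIM body hash (relaxed canonicalization) before and after a relay converts an 8-bit body to quoted-printable, once for a message signed as 8bit and once for a message normalized before signing. The sample body and all function names are constructed for illustration, and the relay is simplified to a per-line quoted-printable re-encode.

```python
import base64
import hashlib
import quopri
import re

# Constructed sample body (UTF-8 with 8-bit octets); not taken from the thread.
BODY_8BIT = "Grüße aus Köln\r\nInvoice total: 42 EUR\r\n".encode("utf-8")

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization (RFC 4871 section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def body_hash(body: bytes) -> str:
    """Value a signer would place in the bh= tag when using SHA-256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def to_qp(body: bytes) -> bytes:
    """Quoted-printable encode line by line, keeping CRLF line endings.
    Simplification: sample lines are short, so no soft line breaks occur."""
    return b"\r\n".join(quopri.encodestring(l) for l in body.split(b"\r\n"))

def relay_downgrade(cte: str, body: bytes):
    """Hypothetical relay whose next hop did not announce 8BITMIME."""
    if cte == "8bit" and any(b > 127 for b in body):
        return "quoted-printable", to_qp(body)
    return cte, body                        # already 7-bit clean: untouched

def signature_survives(normalize_first: bool) -> bool:
    """Sign, pass through the downgrading relay, re-check the body hash."""
    cte, body = "8bit", BODY_8BIT
    if normalize_first:                     # RFC 4871 section 5.3 advice
        cte, body = "quoted-printable", to_qp(body)
    signed_bh = body_hash(body)
    _, wire = relay_downgrade(cte, body)
    return body_hash(wire) == signed_bh

if __name__ == "__main__":
    print("signed as 8bit, then downgraded :", signature_survives(False))
    print("normalized to QP before signing :", signature_survives(True))
```

The same conversion also rewrites the Content-Transfer-Encoding header, so a signature that covers that header fails on the header hash as well.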