Here's a scenario, although it's a little contrived:

- two people in your organisation are subscribed to an external mailing list
- one posts to the list, the post is DKIM signed but the list's addition of a
  footer breaks the signature
- that message goes to the second subscriber within your organisation
- that second person is [MTA-]forwarding messages to Gmail
- the forwarded copy gets another DKIM signature on it
- the message reaching Gmail has both the original signature, broken by the
  list's changes, and the second signature, still valid

I'm not saying that this is what's going on (one or several of the above might
be invalid in your situation, or even generally), but wish merely to
demonstrate that forwarding and forwarding-like actions can create rather
complicated situations that are difficult to diagnose. The question is not
whether the above scenario is what's happening, but whether any combination of
forwarding, list expansion, legitimate independent sending, ... is causing what
you're seeing.

- Roland
Roland Turner | Labs Director
Singapore | M: +65 96700022
[email protected]
________________________________________
From: dmarc-discuss <[email protected]> on behalf of The Venus
Project via dmarc-discuss <[email protected]>
Sent: Tuesday, 8 September 2015 04:47
To: Vladimir Dubrovin; [email protected]
Subject: Re: [dmarc-discuss] Two DKIM sections in the DMARC report from Google

Good idea, Vladimir.

I just set up a forward to my Gmail address and sent a message to it.
Here are the headers from that: http://pastebin.com/qRMPAbjX

As I can see, there is only one DKIM signature.

I'm still trying to see whether in some situations our emails get DKIM
signed twice. It seems like the forwarding is not such a case, at least
from this test that I did.

Regards,
Borislav

On 9/6/2015 1:01 AM, Vladimir Dubrovin wrote:
>
> Maybe you have two DKIM-Signature fields in the message for some
> cases, e.g. redirected/auto-forwarded messages?
>
> The Venus Project via dmarc-discuss wrote:
>> Hi,
>>
>> I see something strange in the DMARC reports that we're getting from
>> Google. Here is the relevant section from the XML file:
>>
>> <record>
>>   <row>
>>     <source_ip>109.73.224.155</source_ip>
>>     <count>10</count>
>>     <policy_evaluated>
>>       <disposition>none</disposition>
>>       <dkim>pass</dkim>
>>       <spf>pass</spf>
>>     </policy_evaluated>
>>   </row>
>>   <identifiers>
>>     <header_from>thevenusproject.com</header_from>
>>   </identifiers>
>>   <auth_results>
>>     <dkim>
>>       <domain>thevenusproject.com</domain>
>>       <result>pass</result>
>>     </dkim>
>>     <dkim>
>>       <domain>thevenusproject.com</domain>
>>       <result>fail</result>
>>     </dkim>
>>     <spf>
>>       <domain>thevenusproject.com</domain>
>>       <result>pass</result>
>>     </spf>
>>   </auth_results>
>> </record>
>>
>> As you can see, it seems to check DKIM two times - one time it passes
>> and one time it fails. I am kinda baffled by this. There is only one
>> DKIM section in the reports that we're getting from Microsoft and Yahoo.
>> Also, we have only one DKIM DNS record set up for thevenusproject.com.
>>
>> Does anyone have any idea why this double checking of DKIM (with
>> different results) is happening with Google?
>>
>> Thanks in advance,
>> Borislav
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> [email protected]
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>
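
Added example (not part of the original thread, and not code from any poster): a small Python check over the record quoted above. It lists every DKIM result in a record, flags records with mixed results, and recomputes the DKIM side of the DMARC verdict, which passes when any aligned signature verifies. The names analyse and aligned and the <feedback> wrapper are assumptions of this example, and alignment is simplified (no Public Suffix List lookup).

```python
import xml.etree.ElementTree as ET

# The record quoted in this thread, wrapped in a <feedback> root element.
# Reports arrive from third parties: in production, parse them with a
# hardened XML parser such as defusedxml rather than plain ElementTree.
SAMPLE = """<feedback><record>
  <row><source_ip>109.73.224.155</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>thevenusproject.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>thevenusproject.com</domain><result>pass</result></dkim>
    <dkim><domain>thevenusproject.com</domain><result>fail</result></dkim>
    <spf><domain>thevenusproject.com</domain><result>pass</result></spf>
  </auth_results>
</record></feedback>"""

def aligned(d, header_from):
    """Simplified relaxed alignment: same domain, or one is a subdomain of
    the other. Real relaxed alignment compares organizational domains."""
    d, header_from = d.lower().rstrip("."), header_from.lower().rstrip(".")
    return (d == header_from or d.endswith("." + header_from)
            or header_from.endswith("." + d))

def analyse(xml_text):
    """Return one summary dict per <record> in an aggregate report."""
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        sigs = [(s.findtext("domain", ""), s.findtext("result", ""))
                for s in rec.findall("auth_results/dkim")]
        # DMARC needs only one aligned, verifying signature to pass DKIM.
        ok = any(r == "pass" and aligned(d, header_from) for d, r in sigs)
        findings.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "signatures": sigs,
            "mixed": len({r for _, r in sigs}) > 1,  # pass and fail together
            "computed_dkim": "pass" if ok else "fail",
            "reported_dkim": rec.findtext("row/policy_evaluated/dkim"),
        })
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

For the quoted record this reports mixed results with a computed DKIM verdict of pass, matching the pass in policy_evaluated.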