There is also more simple scenario if there is an internal mailing list within the same domain. Message is signed by sender and by mailing list software. First signature is broken because message is modified. It's exactly what happens on this mailing list. If somebody writes to [email protected] message has two signatures: broken one added by sender and valid one added by mailing list.
More possible scenarios are antiviral software and/content filters, which modify message subject/body and re-apply DKIM. Roland Turner via dmarc-discuss пишет: > Here's a scenario, although it's a little contrived: > > - two people in your organisation are subscribed to an external mailing list > - one posts to the list, the post is DKIM signed but the list's addition of a > footer breaks the signature > - that message goes to the second subscriber within your organisation > - that second person is [MTA-]forwarding messages to Gmail > - the forwarded copy gets another DKIM signature on it > - the message reaching Gmail has both the original signature, broken by the > list's changes, and the second signature, still valid > > I'm not saying that this is what's going on (one or several of the above > might be invalid in your situation, or even generally), but wish merely to > demonstrate that forwarding and forwarding-like actions can create rather > complicated situations that are difficult to diagnose. The question is not > whether the above scenario is what's happening, but whether any combination > of forwarding, list expansion, legitimate independent sending, ... is causing > what you're seeing. > > - Roland > > > Roland Turner | Labs Director > Singapore | M: +65 96700022 > [email protected] > > > > ________________________________________ > From: dmarc-discuss <[email protected]> on behalf of The Venus > Project via dmarc-discuss <[email protected]> > Sent: Tuesday, 8 September 2015 04:47 > To: Vladimir Dubrovin; [email protected] > Subject: Re: [dmarc-discuss] Two DKIM sections in the DMARC report from Google > > Good idea, Vladimir. > > I just set up a forward to my gmail address and sent a message to it. > Here are the headers from that: http://pastebin.com/qRMPAbjX > > As I can see, there is only one DKIM signature. > > I'm still trying to see whether in some situations our emails get DKIM > signed twice. It seems like the forwarding is not such a case, at least > from this test that I did. > > Regards, > Borislav > > > On 9/6/2015 1:01 AM, Vladimir Dubrovin wrote: >> >> May be, you have two DKIM-Signature fields in the message for some >> cases, e.g. redirected/auto-forwarded messages? >> >> The Venus Project via dmarc-discuss пишет: >>> Hi, >>> >>> I see something strange in the DMARC reports that we're getting from >>> Google. Here is the relevant section from the XML file: >>> >>> <record> >>> <row> >>> <source_ip>109.73.224.155</source_ip> >>> <count>10</count> >>> <policy_evaluated> >>> <disposition>none</disposition> >>> <dkim>pass</dkim> >>> <spf>pass</spf> >>> </policy_evaluated> >>> </row> >>> <identifiers> >>> <header_from>thevenusproject.com</header_from> >>> </identifiers> >>> <auth_results> >>> <dkim> >>> <domain>thevenusproject.com</domain> >>> <result>pass</result> >>> </dkim> >>> <dkim> >>> <domain>thevenusproject.com</domain> >>> <result>fail</result> >>> </dkim> >>> <spf> >>> <domain>thevenusproject.com</domain> >>> <result>pass</result> >>> </spf> >>> </auth_results> >>> </record> >>> >>> >>> >>> As you can see, it seems to check DKIM two times - one time it passes >>> and one time it fails. I am kinda baffled by this. There is only one >>> DKIM section in the reports that we're getting from Microsoft and Yahoo. >>> Also, we have only one DKIM DNS record set up for thevenusproject.com. >>> >>> Does anyone have any idea why this double checking of DKIM (with >>> different results) is happening with Google? >>> >>> Thanks in advance, >>> Borislav >>> >>> _______________________________________________ >>> dmarc-discuss mailing list >>> [email protected] >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >>> >>> NOTE: Participating in this list means you agree to the DMARC Note Well >>> terms (http://www.dmarc.org/note_well.html) >> > > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) > > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) > -- Владимир Дубровин Руководитель службы тестирования @Mail.Ru _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
