Re: DKIM verification failures due to message body change when using HTML email

From: Murray S. Kucherawy <>
Date: Mon, 3 Dec 2012 11:09:13 -0800 (PST)

On Mon, 3 Dec 2012, Quanah Gibson-Mount wrote:
> where it looks like someone found an issue with mail using HTML that is
> signed by OpenDKIM. Is this a bug on the OpenDKIM side or in the Amavis
> verification side of things?

Generally speaking, neither the filter nor the library know anything about
the format of the content being signed or verified. HTML is the same as
any other content, even binary.

Further, the filter itself never changes the content passing through the
MTA. In fact, it's not capable of doing so (even though milter is capable
of it) because it neither makes the call nor does it negotiate for that
permission from the MTA.

The only things that leap to mind are canonicalization issues, which would
be related to the way the content was provided to the filter and/or the
library and not related to the format being used.

The same canonicalization and hash generation code is used during signing
and verifying, so processing is symmetric.

I'm inclined to think some agent positioned between the signer and the
verifier is doing something funky with HTML email.

Received on Mon Dec 03 2012 - 19:09:29 PST

This archive was generated by hypermail 2.3.0 : Mon Dec 03 2012 - 19:18:00 PST