
Outlook.com Breaks DKIM

This is more an informational post than a question for the Forum Team.

I was having a play with mail forwarding from my outlook.com address to my blueyonder address, when sending an email from my personal server.

The actual purpose was to demonstrate how DKIM survives forwarding. Except in this case it didn't.

Instead it provides a perfect example of how poor design can actually end up causing problems.

Internet standards are handled by a set of documents called RFCs. Of particular interest here are RFC5322, which is the latest version of the SMTP standard, and RFC6376, which is the latest version of DKIM.

RFC5322 states that an email server MUST NOT alter the email in any way, except to add trace headers to the beginning of the mail. (Which is why, when tracing the path an email has taken, you read from the bottom-most Received: line upwards.) So the actual body and the original headers should be unaltered between the time the email is sent and the time it is received.

DKIM signs the mail with a cryptographic signature and also provides a check that the body and some of the original headers haven't been changed. If there are any changes then the DKIM check will fail.

Outlook.com accepted my mail but when the mail was forwarded on to my Blueyonder.co.uk address Virgin Media rejected the mail.

This could have been confusing, had I not known what was happening, as the bounce mail came from postmaster@outlook.com.

The error read:

mx8.mnd.ukmail.iss.as9143.net rejected your message to the following email addresses:

<recipient>@blueyonder.co.uk

Email address above masked by me

There's a problem with the recipient's mailbox. Please try resending the message. If the problem continues, please contact your email admin.

mx8.mnd.ukmail.iss.as9143.net gave this error:
MXIN603 DMARC validation failed. ;id=oVHnghkZgWBpwoVHngfUFa;sid=oVHnghkZgWBpw;mta=mx8.mnd;d=20190129;t=162652[CET];ipsrc=104.47.2.59; 

So had I not known what was happening I would have thought of this as a spoof mail. As it was, when I looked at the authentication results in the email headers:

Authentication-Results: spf=pass (sender IP is 77.68.89.100)
 smtp.mailfrom=timothydutton.co.uk; outlook.com; dkim=pass (signature was
 verified) header.d=timothydutton.co.uk;outlook.com; dmarc=pass action=none
 header.from=timothydutton.co.uk;
Received-SPF: Pass (protection.outlook.com: domain of timothydutton.co.uk
 designates 77.68.89.100 as permitted sender) receiver=protection.outlook.com;
 client-ip=77.68.89.100; helo=box.timothydutton.co.uk;

We see a DKIM pass and a DMARC pass.

So Virgin Media got it wrong then?  In this case they didn't.

Because I had the original sent mail & the copy on outlook.com's servers, I took a closer look.  I just decided to look at the mail bodies and compare them.

Here's the start of the original:

This is a multi-part message in MIME format.
--=_5226908e44ebc0462f06052400644d2f
Content-Type: multipart/alternative;
 boundary="=_926d2a45bc543e1972443c87118fa61a"

--=_926d2a45bc543e1972443c87118fa61a
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=utf-8

SGF2aW5nIGFub3RoZXIgZ28gYXQgZm9yd2FyZGluZyBhbiBlbWFpbCB2aWEgT3V0bG9vay4NCg0K
DQo=
--=_926d2a45bc543e1972443c87118fa61a
Content-Transfer-Encoding: base64
Content-Type: text/html; charset=utf-8

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+PGhlYWQ+PE1FVEEgSFRUUC1FUVVJVj0iQ29udGVudC1UeXBlIiBDT05U

And here's the start of the source on Outlook.com:

--=_5226908e44ebc0462f06052400644d2f
Content-Type: multipart/alternative;
boundary="=_926d2a45bc543e1972443c87118fa61a"

--=_926d2a45bc543e1972443c87118fa61a
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"

SGF2aW5nIGFub3RoZXIgZ28gYXQgZm9yd2FyZGluZyBhbiBlbWFpbCB2aWEgT3V0bG9vay4NCg0K
DQo=
--=_926d2a45bc543e1972443c87118fa61a
Content-Transfer-Encoding: base64
Content-Type: text/html; charset="utf-8"

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+PGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNv

Straight away we see the MIME preamble is missing from the second body.

We also see the removal of whitespace before boundary and the addition of speech marks around the content encoding type:

charset=utf-8

becomes

charset="utf-8"

The base 64 encoded HTML also shows changes, although it's not immediately obvious, but if you look at the last characters shown:

iBDT05U

becomes

GUiIGNv

Now provided Microsoft sent the ORIGINAL version on before changing and storing it, it wouldn't be too bad, as the original would have passed DKIM. But from what I can tell, they didn't; they sent it on AFTER they'd changed it. Because of this Virgin Media followed what was my DMARC policy at the time and rejected my mail.

These issues can be nasty to solve because to spot what's happening, you need to compare the two versions of the email. If you only have one version, you can't compare the two, hence the wrong server gets blamed for the rejection.

Note: Google too have their own issues on the business servers. I've seen them add disclaimers to mails before forwarding the message on. Again DKIM gets broken and it's the final destination that gets blamed.

I have opened up a post on Microsoft's help forums. Let's see what they say.

Tim

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.
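An added illustration, not part of the original post: the kinds of body edits compared above (preamble dropped, fold whitespace before boundary removed, charset quoted) checked against the DKIM body hash under both RFC 6376 body canonicalizations. The message body, its shortened boundary strings and the choice of SHA-256 are constructed assumptions, not the actual mail.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF.
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse whitespace runs, strip line-end whitespace,
    # drop trailing empty lines. Leading whitespace is collapsed, not removed.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    # The value a verifier compares with the signature's bh= tag (sha256 assumed).
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

# Constructed sample body, shaped like the original excerpt in the post.
ORIGINAL = (
    b"This is a multi-part message in MIME format.\r\n"
    b"--=_outer\r\nContent-Type: multipart/alternative;\r\n"
    b' boundary="=_inner"\r\n\r\n'
    b"--=_inner\r\nContent-Transfer-Encoding: base64\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"SGVsbG8=\r\n--=_inner--\r\n--=_outer--\r\n"
)

# Constructed edits: the first three mirror the differences listed in the post,
# the last two are changes canonicalization is designed to absorb.
VARIANTS = {
    "preamble removed": ORIGINAL.replace(b"This is a multi-part message in MIME format.\r\n", b""),
    "fold whitespace removed": ORIGINAL.replace(b"\r\n boundary", b"\r\nboundary"),
    "charset quoted": ORIGINAL.replace(b"charset=utf-8", b'charset="utf-8"'),
    "trailing blank lines added": ORIGINAL + b"\r\n\r\n",
    "trailing space on a line": ORIGINAL.replace(b"base64\r\n", b"base64 \r\n"),
}

def survives(name: str) -> dict:
    # True where the edited body still hashes to the original bh= value.
    return {label: body_hash(VARIANTS[name], fn) == body_hash(ORIGINAL, fn)
            for label, fn in (("simple", canon_simple), ("relaxed", canon_relaxed))}

if __name__ == "__main__":
    for name in VARIANTS:
        print(f"{name:28} {survives(name)}")
```

Comparing the recomputed body hash of a stored copy with the bh= value in its DKIM-Signature header is a quick way to tell whether an intermediate server rewrote the body when only one copy of the mail is available.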


Re: Outlook.com Breaks DKIM

Correction - The SMTP RFC is RFC 5321.


Re: Outlook.com Breaks DKIM

I'm extremely interested in this issue/thread because I regularly exchange mail between my VM address and my Outlook.com address and vice-versa. But being the sort of "unsophisticated" user I am I don't have my own e-mail server so I suppose I would never see this problem. In fact I never have.

But it is important to those of us helping on the Forum to understand this kind of issue (as with the Google equivalent issue), at least to acknowledge its existence. I'd happily follow the MS thread you have started if you posted the URL. I am already a member of the Outlook board but haven't seen it there (mind you I haven't looked beyond the first page - mea culpa).

Well done for testing it out.




Re: Outlook.com Breaks DKIM

To be honest it's only an issue when using auto-forwarding from the Outlook address to another address.

I've also found that Outlook.com doesn't change every mail. I'm actually using Mail In a Box, which includes Z-Push to provide the server with MAPI functionality. In fact I can set up the account as an Exchange/ActiveSync server and Outlook 2016 will also link the Calendar and Contacts for the user account in the same way that a genuine Microsoft Exchange server does.

The changes Outlook.com makes don't actually affect how the mail appears: charset=utf-8 is exactly the same as charset="utf-8" to Outlook (in fact it was Outlook that chose the first form when composing the mail). When communicating with an Exchange server, Outlook annoyingly has an algorithm that will default to sending the mail using Base64 based on the content of the mail.

I originally said that I'm OK with Outlook altering the mail once they've authenticated it. On second thoughts I'm not. After all, if they can make a seemingly mundane alteration, what's to stop them making a more overt one in between the time the mail was received and the time it was stored in your mailbox?

I was advised in the thread to report it using the Microsoft Feedback Tool.  I'm debating whether I should ask the Register to look into this and ask Microsoft why they are changing my mail.

Tim
