TL;DR: See title. How can I tell Google they’re probably processing their mail wrong?
After setting up the Matrix Authentication Service (MAS) and exim-relay as mail server, I noticed verification mails sent from the service are often in the spam directory.
When digging deeper, I found out the mails are failing DKIM authentication. This was weird because DKIM is set up correctly, as verified by other mail providers and online DKIM test tools such as DMARC Tester.
Searching online for “gmail fails DKIM authentication, while other providers pass”, I found regular reports, posts or similar without resolution, or unrelated resolutions such as DKIM alignment.
Using meld, I compared the original source of mails as received by gmail with those of other providers, and found a difference:
In other providers, the header for “From:” and “Reply-To:” fields are presented with double-quotes:
From: "John Smith" <j.smith@example.com>
Reply-To: "John Smith" <j.smith@example.com>
In gmail, where DKIM fails, there are no double-quotes:
From: John Smith <j.smith@example.com>
Reply-To: John Smith <j.smith@example.com>
As this should be the raw source each, I ruled out presentation issues and digged deeper.
I found out, that specifically the rust crate lettre, as used by the MAS, encodes names with whitespace using double-quotes. Further, from researching a bit more and reading RFC 2822 sections 3.2.4 and 3.2.5, I come to the conclusion that whitespace needs no quoting in mail headers.
I created issues upstream and downstream to report the issue at lettre and MAS, particularly that their mails are failing DKIM checks at gmail:
- https://github.com/lettre/lettre/issues/1125
- https://github.com/element-hq/matrix-authentication-service/issues/5497
If you’ve read that far, you probably wonder why I post all of that? For one, to provide another data point for people scratching their heads over mail issues.
But other than that: I’m pretty sure the google mail servers should not strip the quotes before doing the DKIM check. I assume they have some kind of decode -> process -> encode workflow, that then simply encodes the headers again, this time without the quotes. But IMHO a correctly signed message should not lead to an authentication error, even if the contents are not perfectly encoded.
I would be curious on getting some feedback from some mail experts on what is happening here. This is not my field of expertise and I’m going by what I’ve learned over the past 48h.
Wait, so when you download what is supposed to be the original email from Gmail, it’s not actually the original? How is that ok?
Usually, the important parts of the mail, such as subject, sender and contents are protected by DKIM authentication. Unfortunately this is usually not visible to the end-user, i.e. as in my case, where mails fail DKIM, but are still presented in my inbox.
Mail servers and relays add headers to the mail as it goes, for example their own IPs to trace the mail, or authentication results if authentication happens at various endpoints.
In the end, the mail as in the gmail postbox is the result of the original mail, and all these additions of the mail relays. In an ideal world only DKIM authenticated would be presented to the end-user, but the world of mail seems to be so broken, that many sending servers just do not apply DKIM/DMARC correctly, and thus many receivers accept broken mail.
Yeah, I understand how the mail that Gmail receives is not necessarily the mail that the user sent (in regards to headers), and I understand Gmail can add headers (like auth results, spam scores, other sorts of records), but is Gmail really changing the “From” header or other headers included in the DKIM signature?? I would think that would be absolutely unacceptable.
Yes, it seems it does that. I assume it has some processing chain involving decode -> process -> encode of the whole mail, and usually that works out and the DKIM check passes. Apparantly, if you send something non-standard the decode and encode are not symmetrical and this happens. IMHO it shouldn’t, so I agree. Especially, showing users mails with broken authentication seems broken as well to me.
Quotes around the display name in a header certainly conforms to the standard (and in fact, the way Gmail rewrites it does not conform to the standard when it contains a space, but is the obsolete form), and I would expect any decent mail program to leave it alone. Then again, Gmail is not a decent mail program, and hasn’t been for a long time.