Bug 7775

Summary: DKIM plugin: add recognition of Authentication-Results header
Product: Spamassassin
Component: Plugins
Severity: normal
Priority: P2
Version: 3.4.2
Target Milestone: Undefined
Hardware: All
OS: All
Reporter: Amir Caspi <cepheid>
Assignee: SpamAssassin Developer Mailing List <dev>
CC: apache, cepheid

Description Amir Caspi 2019-11-21 14:56:28 UTC
(Submitted per request from KAM)

Request to update DKIM plugin to enable recognition/use of Authentication-Results header from MTA-level DKIM milters.

Many users run DKIM authentication (e.g., opendkim) in their MTA, but SA does not currently use these results and instead validates DKIM internally.  This duplicates processing unnecessarily, and also can cause issues if the mail headers or body are modified by some utility (e.g., MailScanner) prior to getting to SA.

Using the Authentication-Results header output from DKIM milters (e.g., opendkim) would reduce SA processing and allow recognition of valid DKIM even if a downline (trusted!) program may modify the message en route between MTA and SA prior to final delivery.

Example headers from opendkim:

Received: from some.domain.com (some.domain.com [])
	by mta.myhost.com (8.14.7/8.14.7) with ESMTP id xAKDWAi3031360
	(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
	for <user@myhost.com>; Wed, 20 Nov 2019 13:32:12 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 mta.myhost.com xAKDWAi3031360
Authentication-Results: mta.myhost.com;
	dkim=pass (2048-bit key) header.d=domain.com header.i=@domain.com header.b="lsRKcc5K"

So, a header rule that looks for "dkim=pass" in Authentication-Results, with verification server (first FQDN in the header) matching the user domain, should result in DKIM_VALID; if header.d and/or header.i match sender domain then DKIM_VALID_EF or _AU.

AFAICT the Authentication-Results header is inserted immediately below the Received header where DKIM validation is performed, which should be either last_received or in trusted_networks.  Therefore, to prevent spammer spoofing of this header, require that validation server (first FQDN in the header) matches the receiving host in immediately preceding Received line, and require that this host is either last_received or in trusted_networks.

Happy to provide additional header examples, and/or to help with rule generation, if desired.
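The check proposed in the report (dkim=pass taken from Authentication-Results only when the authserv-id matches the "by" host of the preceding Received line and that host is trusted), written out as an added Python example; this is not SpamAssassin's DKIM plugin code, and the header samples, hosts and the `trusted_hosts` set standing in for last_received/trusted_networks are constructed for illustration.

```python
import re
# Constructed samples (placeholder hosts, IPs, ids) modelled on the opendkim output in the report.
GENUINE = """\
Received: from some.domain.com (some.domain.com [192.0.2.10])
\tby mta.myhost.com (8.14.7/8.14.7) with ESMTP id xAKDWAi3031360
\tfor <user@myhost.com>; Wed, 20 Nov 2019 13:32:12 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 mta.myhost.com xAKDWAi3031360
Authentication-Results: mta.myhost.com;
\tdkim=pass (2048-bit key) header.d=domain.com header.i=@domain.com header.b="lsRKcc5K"
From: Sender <sender@domain.com>
"""
# Forged: the sending side added the header itself, above the trusted MTA's own Received line.
FORGED = """\
Authentication-Results: mta.myhost.com; dkim=pass header.d=domain.com
Received: from evil.example ([192.0.2.66]) by mta.myhost.com with ESMTP id xAKDWAi3031361
From: Sender <sender@domain.com>
"""

def unfold_headers(raw):
    """Return [(name, value)] in message order, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def dkim_from_authres(raw, trusted_hosts):
    """Reporter's proposed rule: trust dkim=pass only if the authserv-id equals the 'by' host of the
    nearest preceding Received line and that host is trusted (trusted_hosts stands in for trusted_networks)."""
    fields = unfold_headers(raw)
    m = next((re.search(r"@([\w.-]+)", v) for n, v in fields if n == "from"), None)
    author_domain = m.group(1).lower() if m else None
    for idx, (name, value) in enumerate(fields):
        if name != "authentication-results":
            continue
        authserv_id, _, results = (s.strip() for s in value.lower().partition(";"))
        # Nearest Received above it (opendkim's own DKIM-Filter line may sit in between).
        received = next((v for n, v in reversed(fields[:idx]) if n == "received"), "")
        by = re.search(r"\bby\s+([\w.-]+)", received, re.I)
        placed_by_trusted_mta = bool(by) and by.group(1).lower() == authserv_id and authserv_id in trusted_hosts
        if not placed_by_trusted_mta or not re.search(r"\bdkim=pass\b", results):
            continue  # forged, untrusted, or not a pass: leave it to SA's own DKIM check
        props = {k: v.strip('"') for k, v in re.findall(r'header\.(\w+)=("[^"]*"|\S+)', results)}
        d, i = props.get("d", ""), props.get("i", "")
        return {"valid": True, "d": d, "i": i,                           # DKIM_VALID
                "author": author_domain in (d, i.rsplit("@", 1)[-1])}  # DKIM_VALID_AU
    return None
```

With `{"mta.myhost.com"}` as the trusted set the genuine sample yields a valid, author-aligned result, while the forged sample and an empty trusted set both yield `None`, so SpamAssassin would fall back to its own DKIM verification.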
Comment 1 Henrik Krohns 2019-11-21 15:13:37 UTC
There's already Bug 6918 for this.

*** This bug has been marked as a duplicate of bug 6918 ***