My current guess is that is causing the DKIM check failure (also, I am
pretty sure that the rewritten email address is invalid). And this
happens with the sending from the GMail web interface, right? If that's
the case I believe the problem is at Stanford. I'll wait until I see
your headers, but if that's the case then maybe your best bet is to
complain to the people at Stanford (or get your Stanford contacts to
complain to them).
So, I took at the original message Bob was kind enough to send me, and
with a close reading of RFC 6376 here's what I found:
- Certain headers (and the body!) of the message are being mangled.
Specifically, the Message-ID, From, Originator, To, Cc, Reply-to,
In-Reply-To, and References header are being mangled. The mangling
is of the form:
Mister Foo Bar <foo(_at_)bar(_dot_)com>
turns into:
Mister Foo Bar <foo(_at_)bar(_dot_)com <foo(_at_)bar(_dot_)com>>
And you get things like:
<random-message-id-string(_at_)gmail(_dot_)com>
turning into:
<random-message-id-string(_at_)gmail(_dot_)com
<random-message-id-string(_at_)gmail(_dot_)com>>
And like I said, this happens in the body as well.
Stuff that looks like a domain name in other headers gets turned into
a URL, e.g.:
DKIM-Signature: [...] d=gmail.com; [...]
turns into:
DKIM-Signature: [...] d=gmail.com <http://gmail.com>; [...]
- The current message body, as given to me, does not pass the DKIM signature
after it's been canonicalized. However, if you unmangle it then then
DOES pass the DKIM body signature (as specified in the "bh" parameter
of the DKIM-Signature header). In this case the body had an email address
in it and the mangling screwed up the signature.
- I tried verifying the DKIM signature of the headers after fixing them up,
but I couldn't. This is kind of complicated and easy to get wrong, so
I decided I didn't want to bother; I am sure that the mangling done here
was causing the DKIM signature to fail.
I have a hard time believing that Google is mangling email in such a way,
but then again I would have had a hard time believing that Stanford would
be mangling email in such a way. Since the DKIM hash of the body is
correct if it's unmangled, I am pretty sure the problem is at Stanford's
end. Why this is happening, I have no idea. I think you'll have to pursue
this with Stanford (or get one of your correspondents to do that).
--Ken
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers