DMARC status sometimes not shown when it should be

[N0T3P4D]

Hi,

I have the curious case of multiple messages from the same sender received within the same hour where some show "DMARC: pass" and some do not (they only show the DKIM information). According to the DMARC milter from my server and its appended header, everything seems to be in order. Looking at the message header, I cannot see any obvious difference which would explain the behaviour. If you need further information, please tell me.

N0T3P4D

[lieser]

Could you please provide me with the Authentication-Results header of an e-mail which does not show the expected DMARC result? If you don't want to make the header public, you can sent it to dkim.verifier.addon@gmail.com instead of posting it an github.

[N0T3P4D]

I've taken the ilberty to replace my mailserver name:
Authentication-Results: x.y.de; dmarc=pass header.from=mailbox.org
Authentication-Results: x.y.de; dkim=pass

[lieser]

I just tested it with the provided headers and could not reproduce the problem. The DMARC result is shown for me.
Are the e-mails maybe in different accounts, and you have not enabled the reading of the Authentication-Results header for all?
Are any errors shown in the Error Console (Thunderbird menu > Tools > Error Console)?

[N0T3P4D]

The mails are in the same account. The Error Console has errors, but nothing obviously related to dkim_verifier. Clearing the errors and opening the problematic messages again does not produce any entries. I've tried setting the reading of the authentication headers both to on and off but the problem persists.

[lieser]

Do you have a problematic e-mail that you wouldn't mind sharing? If not, could you send to me at least the unmodified headers?

[N0T3P4D]

I've mailed you the problematic email. WIth debugging enabled in the addon settings, I get the following messages in the error console:
Working:
2016-06-22 21:58:38 DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"2.0","dkim":[{"version":"2.0","result":"SUCCESS","warnings":[],"sdid":"mailbox.org","auid":"@mailbox.org","res_num":10,"result_str":"Valid (Signed by mailbox.org)","warnings_str":[]}],"spf":[],"dmarc":[{"method":"dmarc","result":"pass","propertys":{"smtp":{},"header":{"from":"mailbox.org"},"body":{},"policy":{}}}]}
Not working:
2016-06-22 21:58:42 DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"2.0","dkim":[{"version":"1.0","result":"SUCCESS","sdid":"mailbox.org","auid":"@mailbox.org","selector":"mail20150812","warnings":[],"keySecure":true,"res_num":10,"result_str":"Valid (Signed by mailbox.org)","warnings_str":[]}]}

Again, changing the header settings does not seem to make any difference there either.

[lieser]

Thanks for the e-mail, I can now reproduce the issue. The problem is a parsing error of the Authentication-Results header containing the result of the DKIM signature. I will look into it in a few days, to see if it is a bug in the add-on or an invalid header.

The reason you don't see any error message in the Error Console is because you have enabled the saving of the Verification result. The messages you see are only the loading of the saved result. You can force the start of a new verification in the "Other Actions" menu (in the german localization "Mehr") in the header.

[N0T3P4D]

Thanks a lot! If you mean "Reverify DKIM signature", that does not seem to trigger a DMARC update. However, the following error appears: Timestamp: 06/22/16 22:21:36
Error: 2016-06-22 22:21:36 DKIM_Verifier.AuthVerifier ERROR Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:253:1) JS Stack trace: match@ARHParser.jsm:253:1 < parseResinfo@ARHParser.jsm:188:14 < _ARHParser_parse@ARHParser.jsm:162:21 < getARHResult@AuthVerifier.jsm:196:10 < _authVerifier_verify/promise<@AuthVerifier.jsm:103:17

Source File: resource://gre/modules/Log.jsm
Line: 751

[lieser]

Yes, that's the same error I see. Because of this error the reading of the result form the Authentication-Results header fails, and the add-on does it's own verification. Because the add-on can at the moment only verify DKIM (and not SPF and DMARC), you then only see the DKIM result.

I just looked a bit closer at the header, and it seems to be the same problem as in #49 (an error in openDKIM). If you have control over the server, you could try setting the NoHeaderB value in opendkim.conf until the fixed version is used.

[N0T3P4D]

Thanks, will do!

[lieser]

In case this is still an issue for you: The new pre release v2.0.0pre4 has now an advanced option for relaxed parsing of the ARH.