Dkim verification fails

[unosbaghaie]

Hi

I use Mimekit to sign my messages. When subject and body are English text. Dkim is being passed but when subject or body is Farsi Dkim fails .

Any clue or hint to solve it
Thanks

[jstedfast]

You'll have to provide me with examples so I can see what is going wrong.

Does MimeKit fail to verify them? Or is it some other program that fails to verify them? Which program? Is it before or after the message has been sent? etc.

[unosbaghaie]

with the following code :

                        #region [initialize the message]
                        var message = new MimeMessage();
                        message.From.Add(new MailboxAddress("", _message.From.Address));
                        message.To.Add(new MailboxAddress("", email.Key));
                        message.Subject = _message.Subject;

                        var builder = new BodyBuilder();
                        var plainText = ConvertHtml(_message.Body);

                        builder.TextBody = " تست  ";
                        builder.HtmlBody = "  <div> تست </div> ";
                        message.Body = builder.ToMessageBody();


                        #endregion

                        using (var client = new MailKit.Net.Smtp.SmtpClient())
                        {

                            #region [Smtp]

                            client.Connect(_smtpConfiguration.SmtpInfo.Host, _smtpConfiguration.Port, MailKit.Security.SecureSocketOptions.None);
                            client.Authenticate(_smtpConfiguration.Username, _smtpConfiguration.Password);

                            #endregion

                            #region [Sign the message]
                            var dkimSigner = new MimeKit.Cryptography.DkimSigner("key\\myDomain.pem", "myDomain.info", "selector");
                            List<HeaderId> headersToSign = new List<HeaderId>() { HeaderId.From, HeaderId.To };
                            message.Sign(dkimSigner, headersToSign, DkimCanonicalizationAlgorithm.Relaxed, DkimCanonicalizationAlgorithm.Relaxed);

                            #endregion

                            #region [Send]
                            var t = client.SendAsync(message);
                            t.Wait();
                            t.ContinueWith((tt) =>
                                {
                                    if (!tt.IsFaulted)
                                    {
                                               OnSendComplete(null, null, email.Key, email.Value, "");
                                    }
                                });
                            client.Disconnect(true);
                            #endregion
                        }

after I sent the message to gmail I get the below text :

Delivered-To: unos.bm65@gmail.com
Received: by 10.25.215.149 with SMTP id q21csp593858lfi;
        Sat, 11 Jun 2016 09:00:16 -0700 (PDT)
X-Received: by 10.28.153.6 with SMTP id b6mr2040981wme.56.1465660816279;
        Sat, 11 Jun 2016 09:00:16 -0700 (PDT)
Return-Path: <info@myDomaijn.info>
Received: from cp.serverreseller.net (cp.serverreseller.net. [[My Domain IP]])
        by mx.google.com with ESMTPS id n129si5337835wmn.117.2016.06.11.09.00.16
        for <unos.bm65@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 11 Jun 2016 09:00:16 -0700 (PDT)
Received-SPF: permerror (google.com: permanent error in processing during lookup of info@myDomaijn.info: spf.inbox.ir not found) client-ip=[My Domain IP];
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@myDomaijn.info;
       spf=permerror (google.com: permanent error in processing during lookup of info@myDomaijn.info: spf.inbox.ir not found) smtp.mailfrom=info@myDomaijn.info
Received: from [91.98.96.186]
    by cp.serverreseller.net with esmtpa (Exim 4.87)
    (envelope-from <info@myDomaijn.info>)
    id 1bBlJi-0005by-PJ
    for unos.bm65@gmail.com; Sat, 11 Jun 2016 15:59:23 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=myDomain.info; s=selector;
    c=relaxed/relaxed; t=1465660802; h=from:to;
    bh=AueRO1S3lMD4LzlNa3I3OZ6TXQTepLapaG0X1E6KMro=;
    b=BAwQ7qQZL4IgVZlSgkeuv+Gg2Db0MeTJnjGP5Zw2JHC2pkjQK5AhT+V9qcWHkLPS3erpMAZNOt9
    XkHVno7MgnzeGdlo8pscZQbq6viaKtyoCm0VE3g7iMEOhutHJSoF/0zBpH1x1UYa1wU+ci+jTC2Ue
    ez6BeU4RkamH4tCURbvhtmf5cwxTC0hrjVBt5O+Tmyho33WKQjJVv4G7Vc0OfsHizIOFgdOcBIq37
    RSM0J7s2MnmSp2G4ELTO24fAwaWFejWEGJos7X5X3sdeDRTBBgrYD0w2FvP7Ir5oBoK0DapN/AKj7
    X8bcVN0ETCGKWOo6S0bCbZVEeIwhf2vX5fTg==
From: info@myDomaijn.info
Date: Sat, 11 Jun 2016 20:30:01 +0430
Subject: =?utf-8?b?2KfYsdiz2KfZhA==?= Smtp
Message-Id: <9171296PFYT4.PFQ2GDDYVEH1@WIN-NLK2NU95VLS>
To: unos.bm65@gmail.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-rHxeNdN7M36fqQdjMCha4Q=="
X-DKIM: signer='myDomaijn.info' status='fail' reason='bodyhash_mismatch'
DKIMCheck: Server failed DKIM test, 100 Spam score
X-Authenticated-Id: inbox@serverreseller.net

--=-rHxeNdN7M36fqQdjMCha4Q==
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

 تست  

--=-rHxeNdN7M36fqQdjMCha4Q==
Content-Type: text/html; charset=utf-8
Content-Id: <3D4M296PFYT4.VUCUISQRK8981@WIN-NLK2NU95VLS>

  <div> test </div> 
--=-rHxeNdN7M36fqQdjMCha4Q==--

but I didn't verify the message with mimekit!!
actually, this message if the text and body were english text, it would be passed.

[jstedfast]

The problem seems to be that your mail server is modifying the message.

Look at this. In your code, you set the HTML message body to this:

builder.HtmlBody = "  <div> تست </div> ";

But when it arrives, it looks like this:

  <div> test </div> 

The mail server is also setting a Content-Id header which changes the body hash as well.

[unosbaghaie]

oh my bad dear

the below code is the result of that c# code :

Delivered-To: unos.bm65@gmail.com
Received: by 10.25.215.149 with SMTP id q21csp642289lfi;
        Sat, 11 Jun 2016 11:59:11 -0700 (PDT)
X-Received: by 10.28.153.6 with SMTP id b6mr2493908wme.56.1465671551126;
        Sat, 11 Jun 2016 11:59:11 -0700 (PDT)
Return-Path: <info@myDomain.info>
Received: from cp.serverreseller.net (cp.serverreseller.net. [[myDomain IP]])
        by mx.google.com with ESMTPS id jx9si20931092wjb.53.2016.06.11.11.59.10
        for <unos.bm65@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 11 Jun 2016 11:59:11 -0700 (PDT)
Received-SPF: permerror (google.com: permanent error in processing during lookup of info@myDomain.info: spf.inbox.ir not found) client-ip=[myDomain IP];
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@myDomain.info;
       spf=permerror (google.com: permanent error in processing during lookup of info@myDomain.info: spf.inbox.ir not found) smtp.mailfrom=info@myDomain.info
Received: from [91.98.96.186]
    by cp.serverreseller.net with esmtpa (Exim 4.87)
    (envelope-from <info@myDomain.info>)
    id 1bBo6r-0005j2-4I
    for unos.bm65@gmail.com; Sat, 11 Jun 2016 18:58:17 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=myDomain.info; s=inboxir;
    c=relaxed/relaxed; t=1465671522; h=from:to;
    bh=pN4o/pwZLrK075E38Ao6AZm7EZJqT66hZtUj/3ylWNw=;
    b=AYGXl2fIfKoojhdNdt65iHH3WMTP1dNPSjY7hIYXbFgVNZ38dBUM+cW9QANqfm91ThPEYdpPR3O
    hTvCgLnmxbFUNlNfSaAvM206StKn5jiq+uuD2koHjI/Ax6a+m0TkWaOXw4TXHZ4GRoJKpAE9qMbbC
    yCOuDAkVmpxLejmRpH0qoCSpxsCfhowCycQfQg5I1VSSM7ZS9+t4cX4ghHkUOgt3JWjUGPcAO+wmh
    drRYUut9f+MyqrQ6Eoa0vRy8hmWqhOIuNowr3GN5qW25o9100U0ItIo7rxp7wEngR4xc0OZIEJ5vM
    KSq6mdm+azlYHz7OJElvx5cgH7T/5hkD5r0Q==
From: info@myDomain.info
Date: Sat, 11 Jun 2016 23:28:41 +0430
Subject: =?utf-8?b?2KfYsdiz2KfZhA==?= Smtp
Message-Id: <NEG1VHJQFYT4.7TPWWX81HHVS1@WIN-NLK2NU95VLS>
To: unos.bm65@gmail.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-gRlL4C2TdzZnXQUTYlWxGg=="
X-DKIM: signer='myDomain.info' status='fail' reason='bodyhash_mismatch'
DKIMCheck: Server failed DKIM test, 100 Spam score
X-Authenticated-Id: inbox@serverreseller.net

--=-gRlL4C2TdzZnXQUTYlWxGg==
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

 تست  

--=-gRlL4C2TdzZnXQUTYlWxGg==
Content-Type: text/html; charset=utf-8
Content-Id: <6DGJVHJQFYT4.FG8J45K8M0AW2@WIN-NLK2NU95VLS>
Content-Transfer-Encoding: 8bit

  <div> تست </div>   // *

--=-gRlL4C2TdzZnXQUTYlWxGg==--

// * : Editor recognizes the Divs here and doesn't show them . in edit mode there are Divs but when I save it, Divs hide

[jstedfast]

You need to use 3 backticks, not 1 in order to get github to render raw text correctly.

[unosbaghaie]

You need to use 3 backticks, not 1 in order to get github to render raw text correctly.
sure I will .

now look at this one :

I used english text : test as subject and <div> test </div> as body
which it has content-Id but DKIM is passed
and the result is :

Delivered-To: unos.bm65@gmail.com
Received: by 10.25.215.149 with SMTP id q21csp645177lfi;
        Sat, 11 Jun 2016 12:08:32 -0700 (PDT)
X-Received: by 10.194.101.199 with SMTP id fi7mr8468652wjb.82.1465672112525;
        Sat, 11 Jun 2016 12:08:32 -0700 (PDT)
Return-Path: <info@myDomain.info>
Received: from cp.serverreseller.net (cp.serverreseller.net. [[myDomain IP]])
        by mx.google.com with ESMTPS id fm6si20944341wjb.89.2016.06.11.12.08.32
        for <unos.bm65@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 11 Jun 2016 12:08:32 -0700 (PDT)
Received-SPF: permerror (google.com: permanent error in processing during lookup of info@myDomain.info: spf.inbox.ir not found) client-ip=[myDomain IP];
Authentication-Results: mx.google.com;
       dkim=pass header.i=@myDomain.info;
       spf=permerror (google.com: permanent error in processing during lookup of info@myDomain.info: spf.inbox.ir not found) smtp.mailfrom=info@myDomain.info
Received: from [91.98.96.186]
    by cp.serverreseller.net with esmtpa (Exim 4.87)
    (envelope-from <info@myDomain.info>)
    id 1bBoFu-0005je-QA
    for unos.bm65@gmail.com; Sat, 11 Jun 2016 19:07:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=myDomain.info; s=inboxir;
    c=relaxed/relaxed; t=1465672099; h=from:to;
    bh=NTjn5BO/G/oCY94Vll5n17SR38b+24ZiMJ+iMbggKh4=;
    b=Mg1/cMZjHKrKIFyVHuHzasayVkmHCe/UKP+AS3ZPY/48t6YsYIIiRoaNfNJ5WCFAIvNF5+S5vGD
    KetnU1tWB+Yf0WLNh/PMBYR3ousLfoCXQGe99zAFMLDHV/aYFyMEk4u/MjMH0or9yOWs4wP0m8YIP
    r67r54ZaS9KmBHxFVVjwc5pttyT4uxMnsti8XCUM6xYspYZsn5WdIC0OIpAXtfv4iIhIMLcQUfOPi
    /U9z+qNnu5UeJS4Q/cEmhaJ78DPJY/EWrWpc4k7e3cHungt6dcBAKaoLqOvA0DXSbyZWjco74tnH1
    Gj11PIx6hu1Sn53Yu77Qd+nMeaTVPmg0l0GQ==
From: info@myDomain.info
Date: Sat, 11 Jun 2016 23:38:17 +0430
Subject: =?utf-8?b?2KfYsdiz2KfZhA==?= Smtp
Message-Id: <O19E85MQFYT4.QXJB4E7HDKTZ@WIN-NLK2NU95VLS>
To: unos.bm65@gmail.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-ki2s+wI/tn6z/Pet07fdtg=="
X-DKIM: signer='myDomain.info' status='pass' reason=''
DKIMCheck: Server passes DKIM test, -20 Spam score
X-Authenticated-Id: inbox@serverreseller.net

--=-ki2s+wI/tn6z/Pet07fdtg==
Content-Type: text/plain; charset=utf-8

 test  
--=-ki2s+wI/tn6z/Pet07fdtg==
Content-Type: text/html; charset=utf-8
Content-Id: <T4UV85MQFYT4.VGVEYK0W5P8Y2@WIN-NLK2NU95VLS>

```<div> test </div> ```
--=-ki2s+wI/tn6z/Pet07fdtg==--

[jstedfast]

Okay, so here's the problem.

I was actually wrong about the Content-Id header. MimeKit is adding that and since that is being set before the DKIM signature is being calculated, it's fine and nothing to worry about.

However, the signature is being generated before the Content-Transfer-Encoding header is being added by the SmtpClient.Send() method.

The problem is that the Content-Transfer-Encoding header cannot be set by MimeKit when constructing the message because it can't possibly know what the constraints are on the SMTP server (e.g. does it allow 8BITMIME or not?).

SmtpClient.Send() calls message.Body.Prepare (EncodingConstraint.EightBit); or message.Body.Prepare (EncodingConstraint.SevenBit); once it figures out the limitations of the SMTP server.

message.DkimSign() used to call message.Body.Prepare (EncodingConstraint.SevenBit); to force the message into 7bit mode (which is supported by all SMTP servers), however, some developers were using MimeKit to sign a message that had already been signed by another system before forwarding it onto another SMTP relay and if the original message was in 8bit mode, then changing it to 7bit broke any previous DKIM signatures.

[jstedfast]

In other words, you need to add this line of code to your program before calling message.DkimSign (...);:

message.Body.Prepare (EncodingConstraint.EightBit);

[unosbaghaie]

In other words, you need to add this line of code to your program before calling message.DkimSign (...);:

message.Body.Prepare (ContentEncoding.EightBit);

I used
message.Body.Prepare(EncodingConstraint.EightBit);
Thanks man . you saved my day