improve invalid email message

[monperrus]

Hi!

Today, when an email is invalid it says:

Invalid (E-Mail was modified)

The piece of information which is missing is the signing domain.

Here is a proposal for a better message:

Invalid (E-Mail signed by foo.com was modified)

Thanks!

[lieser]

Note that this is an information that should be already become more visible when #160 will get implemented.

But I will also consider extending the message in one of the future releases.

[monperrus]

ack, thanks.

[timcoote]

Is this possible? The verification compares encrypted hashes, but all you know is that one of several headers, or the body has changed (since body hash is embedded in the signature).

[lieser]

Is this possible? The verification compares encrypted hashes, but all you know is that one of several headers, or the body has changed (since body hash is embedded in the signature).

You are correct that it is not possible to reliably get any detailed information about why a DKIM signature failed. You only get that it failed.
Only if you assume that where was no malicious manipulation of the body hash (and the DKIM key was unchanged), you can at least distinguish between the body or the signed headers having changed.
#420 Is about proving that information.

This issue is however not about proving more information why a DKIM signature failed. But only to make it visible from which signing domain the failed DKIM signature claims to be from.