Philippe Lieser edited this page Feb 9, 2016 · 38 revisions

DomainKeys Identified Mail (DKIM) is a method which allows domains to sign e-mails. The add-on verifies these DKIM signatures and shows the result in the e-mail header. This way it is possible to see which domain is claiming responsibility for a specific e-mail. How the result is shown can be changed in the options.

It is important to note that an e-mail can be signed by an arbitrary domain. A valid DKIM signature alone is therefore not an indicator of a trustworthy e-mail. Always check who the signer is to determine whether an e-mail is trustworthy!

In some cases, the absence of a DKIM signature can be useful to identify scam e-mails. If it is known that a certain domain is signing all its e-mails with DKIM, the absence of a DKIM signature is a strong indicator for a forged e-mail.

To make it easier to check whether, and by whom, an e-mail is signed, the add-on supports the use of sign rules. With sign rules it is possible to specify that e-mails from a certain sender always have to be signed by a specific domain (also referred to as SDID). More about sign rules at https://github.com/lieser/dkim_verifier/wiki/Sign-rules.

A description of all the available add-on options can be found at https://github.com/lieser/dkim_verifier/wiki/Options.

Download links

The add-on can be downloaded from https://addons.mozilla.org/addon/dkim-verifier/ or https://github.com/lieser/dkim_verifier/releases. The source code is available at https://github.com/lieser/dkim_verifier

Support and Bug reports

Support is given at https://github.com/lieser/dkim_verifier/issues, http://forums.mozillazine.org/viewtopic.php?f=48&t=2704121 or by e-mail to dkim.verifier.addon@gmail.com (in English or German).

The preferred way to report bugs is by creating an issue at https://github.com/lieser/dkim_verifier/issues.

If debug information is needed, enabling debugging in the advanced options is sufficient in most cases. Details about the available debug options can be found here.

Frequently Asked Questions

The first verification after Thunderbird start takes more than 10 sec

The add-on probably fails to connect to the first DNS server. Disable the loading of DNS servers from the OS configuration (these are tried first) and list only working DNS servers in the "DNS name server" field. More info about the DNS options can be found here.

DKIM and mailing lists

Most mailing lists break DKIM signatures by editing the subject or adding a footer. You can hide the DKIM header for these e-mails by adding a sign rule (more about it here).

All or almost all e-mails with DKIM signature are failing with the same error

Besides a bug, the cause may also be your mail provider altering the incoming e-mails, for example by changing the encoding of the e-mail. Known mail providers/servers that do so:

  • Verizon (USA)
  • Outlook.com / Hotmail / Microsoft SMTP Server

In case the receiving server is altering incoming e-mails, enabling the reading of the Authentication-Results header instead of a client side verification may be an option for you.

If you are not certain that the problem is caused by the mail provider, please report the issue and send some of the invalid e-mails as saved .eml files to dkim.verifier.addon@gmail.com, so I can try to find out what the problem is. If you do not have such an e-mail that is free of personal information you would rather not share, I can also first send you a signed e-mail.

DNSSEC does not work

Make sure you are using the libunbound resolver. The default JavaScript DNS library does not support DNSSEC. More info about the DNS options can be found here.

The add-on incorrectly says that an e-mail should be signed

There are two possible causes for this.

1. A sign rule says the e-mail should be signed.

Search the "Signers rules" and "Default signers rules" for the responsible rule. If the rule is in "Signers rules", either modify or remove it. If the rule is in "Default signers rules", please report it. Until this is fixed in the default rules, you can either create a custom rule that overrides the responsible default one (example here) or disable the usage of the default rules completely.

2. The option "Use DMARC to heuristically determine if an e-mail should be signed" is enabled

As this is only a heuristic, it can produce false results. If you encounter such a false result, create a custom sign rule for the problematic domain explicitly stating that e-mails from the domain do not necessarily have to be signed (example here).
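To make the sign-rule behaviour described above (and in the two FAQ entries on false "should be signed" results) concrete, here is an added illustration of how such rules can be evaluated. It is not the add-on's own code: the rule shape (domain, sdid, type ALL/NEUTRAL/HIDEFAIL) and the assumption that only already-verified DKIM-Signature headers are passed in are mine.

```javascript
// Illustrative sign-rule evaluation, modelled on the behaviour this wiki
// describes. NOT the add-on's code; the rule shape below is an assumption.
// Cryptographic verification and the DNS key lookup are out of scope:
// `dkimHeaders` is assumed to hold only DKIM-Signature headers that verified.

// Extract the SDID (the d= tag) from a DKIM-Signature header value.
function sdidOf(dkimSignature) {
  const m = /(?:^|;)\s*d\s*=\s*([^;\s]+)/i.exec(dkimSignature);
  return m ? m[1].toLowerCase() : null;
}

// Sender domain from a From header such as 'Alice <alice@example.com>'.
function fromDomain(fromHeader) {
  const m = /@([A-Za-z0-9.-]+)>?\s*$/.exec(fromHeader.trim());
  return m ? m[1].toLowerCase() : null;
}

// Assumed rule shape: { domain, sdid: [...], type: "ALL" | "NEUTRAL" | "HIDEFAIL" }
//   ALL      -> mail from `domain` must be signed by one of `sdid`
//   NEUTRAL  -> mail from `domain` need not be signed (overrides a default ALL rule)
//   HIDEFAIL -> a missing signature is hidden rather than flagged (mailing lists)
function matchRule(domain, rules) {
  if (!domain) return null;
  return rules.find(r => domain === r.domain || domain.endsWith("." + r.domain)) || null;
}

// User rules take precedence over default rules, as the FAQ describes.
function evaluate(fromHeader, dkimHeaders, userRules, defaultRules) {
  const domain = fromDomain(fromHeader);
  const signers = dkimHeaders.map(sdidOf).filter(Boolean);
  const rule = matchRule(domain, userRules) || matchRule(domain, defaultRules);

  if (rule && rule.type === "ALL") {
    const ok = signers.find(s => rule.sdid.includes(s));
    if (ok) return { result: "SUCCESS", sdid: ok };
    // Signed by the wrong domain, or not signed although the rule demands it
    // (the "absence of a signature" indicator the introduction mentions).
    return signers.length
      ? { result: "PERMFAIL", reason: `signed by ${signers.join(", ")}, expected ${rule.sdid.join("/")}` }
      : { result: "PERMFAIL", reason: `should be signed by ${rule.sdid.join("/")} but is not` };
  }
  // No ALL rule applies: report the signer so the user can judge who it is.
  if (signers.length) return { result: "SUCCESS", sdid: signers[0] };
  return { result: "NOSIG", hide: rule ? rule.type === "HIDEFAIL" : false };
}
```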

[Linux] Verification fails with "No key found in DNS server"

In some cases the local DNS forwarder "dnsmasq" returns no result even though the key exists. Disable the loading of DNS servers from the OS configuration to use a different DNS server. More info about the DNS options can be found here.

How to Contribute

The easiest way to contribute is to report every error you encounter. Ideas for future enhancements are also welcome.

In case you are interested in providing a new translation (or improving an existing one), you can do this either by creating a pull request on GitHub or via BabelZilla (http://www.babelzilla.org/forum/index.php?showtopic=7543).

Also feel free to fix bugs or add features yourself by creating a pull request. For bigger changes it is best to contact me first.
