
Bug: DMARC alignment value is incorrect for From header on subdomain mismatch #74

Closed
titanism opened this issue Dec 18, 2024 · 3 comments

Comments

@titanism

A popular sender creditkarma.com currently is sending messages with incorrect DKIM alignment, however mailauth is reporting it as aligned.

dkim: { result: dkimAlignment?.domain, strict: dmarcRecord.adkim === 's', underSized: dkimAlignment?.underSized }

Here is an excerpt where you can see the headers and DMARC/DKIM/SPF results from mailauth:

NOTE: alignment should not return a value for DMARC if DKIM has From header mismatch, e.g. @reminder3.creditkarma.com vs. @reminder.creditkarma.com and message is from notifications@reminder3.creditkarma.com

{
      "headers": {
        "DKIM-Signature": "a=rsa-sha256; v=1; c=relaxed/relaxed; d=reminder.creditkarma.com; q=dns/txt; s=mg; t=1734482730; x=1734489930; h=Message-Id: List-Unsubscribe-Post: List-Unsubscribe: To: To: From: From: Subject: Subject: Content-Type: Mime-Version: Date: Sender: Sender; bh=4hdv7JVMbsNGow1GeKw0YoqOtXmtw1UWvjBcwbVhPxU=; b=hbI0nUbWxbxjokPjpb1OBFTiKgMF4U/1G0LcsXlGPrdpSBm6xavuMPmDePYBYwGS7xN+4UWYpg8m88pj3uYoO0mEAqCwa7G4vhEkSXF9XjLBrFoujIxwjM23QryJILAD3iPRs6rVmuXLwbZYeoWS+aKb7XVFM4N5yF3FqAClztasN+1jXLLASZ1gFV8F0KrO2w9XNiu830cMv+/RcyRjkid5ogjv3nKMZelwmXx8RwTx7J7QMHM/I+OBVcrUSeiKh+kOTMs7y25KOp+zsoPBYoBaJ6YZOTxePwinGuvEBAGHHHLejUunbLwmDck2ES675f50c7hlAzFHuY2TNemMAg==",
        "X-Mailgun-Sending-Ip": "159.135.225.1",
        "X-Mailgun-Sending-Ip-Pool-Name": "",
        "X-Mailgun-Sending-Ip-Pool": "",
        "X-Mailgun-Sid": "WyJkMWJkNiIsImJldGhAYmVlc2NhcmRzLmNvbSIsIjU3MTdlNyJd",
        "Received": "by c2bc51ee08fe with HTTP id 6760ca62a98f7bc12817b53b; Tue, 17 Dec 2024 00:48:34 GMT",
        "X-Mailgun-Deliver-By": "Tue, 17 Dec 2024 00:48:34 +0000",
        "Sender": "notifications@reminder3.creditkarma.com",
        "Date": "Tue, 17 Dec 2024 00:48:34 +0000",
        "Mime-Version": "1.0",
        "Content-Type": "multipart/alternative; boundary=\"bb6a3d742cf1e22e839d6c2004bb4cfbbba7bfe90a1ac6a38ee45365b1e6\"",
        "Subject": "Turn on your credit alerts, REDACTED.",
        "From": "Credit Karma <notifications@reminder3.creditkarma.com>",
        "To": "redacted@redacted.com",
        "X-Mailgun-Tag": "sto-enabled",
        "X-Mailgun-Delivery-Time-Optimize-Period": "6h",
        "List-Unsubscribe": "REDACTED",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
        "X-250ok-CID": "250ok-UID-en-credit_karma_inc_ckiunenrollwinbacktu_12906",
        "X-Mailgun-Variables": "{\"campaign-Id\": \"12906\", \"categories\": \"SubscriptionRequired,Bulk\", \"notification-Id\": \"c510b1d622722c9e969578bac86749b5d2f65027fd744019049972cab1ea6802\", \"notification-Type\": \"cki_unenroll_winback_tu\", \"tracking-Id\": \"4ff210bea1edbcd46b2d31d5254d11dc24f20ddc345db453e7167512d4dd3f940043\"}",
        "Message-Id": "<20241217004834.55d50f110420c6af@reminder3.creditkarma.com>"
      },
      "dkim": {
        "headerFrom": [
          "notifications@reminder3.creditkarma.com"
        ],
        "envelopeFrom": "bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com",
        "results": [
          {
            "id": "d18da2e64271cafce8340cb34c2af78c141c634003f38a4388dc323ffb5499e5",
            "signingDomain": "reminder.creditkarma.com",
            "selector": "mg",
            "signature": "hbI0nUbWxbxjokPjpb1OBFTiKgMF4U/1G0LcsXlGPrdpSBm6xavuMPmDePYBYwGS7xN+4UWYpg8m88pj3uYoO0mEAqCwa7G4vhEkSXF9XjLBrFoujIxwjM23QryJILAD3iPRs6rVmuXLwbZYeoWS+aKb7XVFM4N5yF3FqAClztasN+1jXLLASZ1gFV8F0KrO2w9XNiu830cMv+/RcyRjkid5ogjv3nKMZelwmXx8RwTx7J7QMHM/I+OBVcrUSeiKh+kOTMs7y25KOp+zsoPBYoBaJ6YZOTxePwinGuvEBAGHHHLejUunbLwmDck2ES675f50c7hlAzFHuY2TNemMAg==",
            "algo": "rsa-sha256",
            "format": "relaxed/relaxed",
            "bodyHash": "4hdv7JVMbsNGow1GeKw0YoqOtXmtw1UWvjBcwbVhPxU=",
            "bodyHashExpecting": "4hdv7JVMbsNGow1GeKw0YoqOtXmtw1UWvjBcwbVhPxU=",
            "signingHeaders": {
              "keys": "Message-Id: List-Unsubscribe-Post: List-Unsubscribe: To: From: Subject: Content-Type: Mime-Version: Date: Sender",
              "headers": [
                "Message-Id: <20241217004834.55d50f110420c6af@reminder3.creditkarma.com>",
                "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
                "List-Unsubscribe: REDACTED",
                "To: redacted@redacted.com",
                "From: Credit Karma <notifications@reminder3.creditkarma.com>",
                "Subject: Turn on your credit alerts, REDACTED.",
                "Content-Type: multipart/alternative;\r\n boundary=\"bb6a3d742cf1e22e839d6c2004bb4cfbbba7bfe90a1ac6a38ee45365b1e6\"",
                "Mime-Version: 1.0",
                "Date: Tue, 17 Dec 2024 00:48:34 +0000",
                "Sender: notifications@reminder3.creditkarma.com"
              ],
              "canonicalizedHeader": "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"
            },
            "status": {
              "result": "pass",
              "header": {
                "i": "@reminder.creditkarma.com",
                "s": "mg",
                "a": "rsa-sha256",
                "b": "hbI0nUbW"
              },
              "aligned": "reminder.creditkarma.com"
            },
            "sourceBodyLength": 145185,
            "canonBodyLength": 117833,
            "canonBodyLengthTotal": 117833,
            "canonBodyLengthLimited": false,
            "mimeStructureStart": 0,
            "publicKey": "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAxqql/oFypdWkt9gTCxOh+NLFrevnMrc5ehSUxiY85H91ac8sFQgR\nsuB+Hq2dCQiTuVAuuY9fI7UzQID8r4ULD2BYpXc5e2vUK8tCSogcTTb5yHxnWBth\nuj/VC/zRSeJKaJBsw4wRa5Pgfvd/7W8gPhllF9TbG9gHe2hYn0g/LAhPzf5RxZbL\nXUI701EqyWxgmXOKiwIFzL56gbN9tsN3ZPbQYigA+Wb5odwwEOfKAnWvme3J4Bme\n58EHPKvMNH2u3r7e31azXsKq/CG5U0SEZMw5QGdQYRnquj9TAIDVU7fIHeu4cRD0\nkZbJoLxhZX8l+NGEugvcV5Cecd8Pn8SCvQIDAQAB\n-----END RSA PUBLIC KEY-----\n",
            "modulusLength": 2048,
            "rr": "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxqql/oFypdWkt9gTCxOh+NLFrevnMrc5ehSUxiY85H91ac8sFQgRsuB+Hq2dCQiTuVAuuY9fI7UzQID8r4ULD2BYpXc5e2vUK8tCSogcTTb5yHxnWBthuj/VC/zRSeJKaJBsw4wRa5Pgfvd/7W8gPhllF9TbG9gHe2hYn0g/LAhPzf5RxZbLXUI701EqyWxgmXOKiwIFzL56gbN9tsN3ZPbQYigA+Wb5odwwEOfKAnWvme3J4Bme58EHPKvMNH2u3r7e31azXsKq/CG5U0SEZMw5QGdQYRnquj9TAIDVU7fIHeu4cRD0kZbJoLxhZX8l+NGEugvcV5Cecd8Pn8SCvQIDAQAB",
            "info": "dkim=pass header.i=@reminder.creditkarma.com header.s=mg header.a=rsa-sha256 header.b=hbI0nUbW"
          }
        ]
      },
      "spf": {
        "domain": "reminder3.creditkarma.com",
        "client-ip": "159.135.225.1",
        "helo": "m225-1.mailgun.net",
        "envelope-from": "bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com",
        "rr": "v=spf1 include:mailgun.org -all",
        "status": {
          "result": "pass",
          "comment": "mx1.forwardemail.net: domain of bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com designates 159.135.225.1 as permitted sender",
          "smtp": {
            "mailfrom": "bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com",
            "helo": "m225-1.mailgun.net"
          }
        },
        "header": "Received-SPF: pass (mx1.forwardemail.net: domain of bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com designates 159.135.225.1 as permitted\r\n sender) client-ip=159.135.225.1;",
        "info": "spf=pass (mx1.forwardemail.net: domain of bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com designates 159.135.225.1 as permitted sender) smtp.mailfrom=\"bounce+196482.5717e7-redacted=redacted.com@reminder3.creditkarma.com\" smtp.helo=m225-1.mailgun.net",
        "lookups": {
          "limit": 10,
          "count": 3,
          "void": 0
        }
      },
      "dmarc": {
        "status": {
          "result": "pass",
          "comment": "p=REJECT arc=none",
          "header": {
            "from": "creditkarma.com",
            "d": "reminder3.creditkarma.com"
          }
        },
        "domain": "creditkarma.com",
        "policy": "reject",
        "p": "reject",
        "sp": "reject",
        "rr": "v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email",
        "alignment": {
          "spf": {
            "result": "reminder3.creditkarma.com",
            "strict": false
          },
          "dkim": {
            "result": "reminder.creditkarma.com",
            "strict": false
          }
        },
        "info": "dmarc=pass (p=REJECT arc=none) header.from=creditkarma.com header.d=reminder3.creditkarma.com"
      }
}

cc @andris9

@titanism

The issue seems to be here

mailauth/lib/tools.js

Lines 498 to 505 in 3c47729

// match org domains
fromDomain = formatDomain(tldts.getDomain(fromDomain, TLDTS_OPTS) || fromDomain);
for (let entry of domainList) {
    let domain = formatDomain(tldts.getDomain(entry.domain, TLDTS_OPTS) || entry.domain);
    if (domain === fromDomain) {
        return entry;
    }
}

and for reference, Google thinks that (without SPF) the DMARC will fail and reject due to DKIM not passing correctly. So we should mirror what Google does as you have done elsewhere.
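The excerpt above is mailauth's organizational-domain match, which is the relaxed identifier alignment of RFC 7489 section 3.1.1 (the adkim=r / aspf=r default); strict mode requires the DKIM d= or SPF MAIL FROM domain to be identical to the From domain. The following is an added example, not mailauth's own code, that runs both modes over the identifiers from the report in this issue; it assumes a constructed four-entry suffix list in place of the public suffix list that mailauth resolves with tldts.

```javascript
// Added example, not mailauth's own code: RFC 7489 section 3.1.1 identifier alignment.
// The organizational-domain lookup is a deliberate simplification: this constructed
// suffix list stands in for the public suffix list that mailauth resolves with tldts.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

function formatDomain(domain) {
  return String(domain || '').trim().toLowerCase().replace(/\.+$/, '');
}

// Organizational domain: the longest known public suffix plus one label to its left.
function orgDomain(domain) {
  const labels = formatDomain(domain).split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return formatDomain(domain);
}

// mode is the adkim= / aspf= tag value: 'r' (relaxed, the default) or 's' (strict).
function isAligned(fromDomain, authDomain, mode = 'r') {
  const a = formatDomain(fromDomain);
  const b = formatDomain(authDomain);
  return mode === 's' ? a === b : orgDomain(a) === orgDomain(b);
}

// DMARC passes when at least one *passing* authentication result is also aligned.
// dkimDomains holds only d= values of signatures whose verification passed.
function evaluateDmarc({ fromDomain, dkimDomains, spfDomain, spfResult, adkim = 'r', aspf = 'r' }) {
  const dkim = dkimDomains.find((d) => isAligned(fromDomain, d, adkim)) || null;
  const spf = spfResult === 'pass' && isAligned(fromDomain, spfDomain, aspf) ? spfDomain : null;
  return { dkim, spf, result: dkim || spf ? 'pass' : 'fail' };
}
// Identifiers taken from the mailauth output in this issue.
const REPORT_IDS = {
  fromDomain: 'reminder3.creditkarma.com',   // RFC5322.From domain
  dkimDomains: ['reminder.creditkarma.com'], // d= of the passing signature
  spfDomain: 'reminder3.creditkarma.com',    // MAIL FROM domain, SPF pass
  spfResult: 'pass',
};
function demo() {
  return {
    relaxed: evaluateDmarc(REPORT_IDS),
    strict: evaluateDmarc({ ...REPORT_IDS, adkim: 's', aspf: 's' }),
    strictNoSpf: evaluateDmarc({ ...REPORT_IDS, adkim: 's', spfResult: 'fail' }),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Relaxed mode aligns the DKIM signature because both domains share the organizational domain creditkarma.com; only a strict adkim= setting makes that signature unaligned, and then DMARC depends on the aligned SPF pass alone.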

titanism added a commit to forwardemail/forwardemail.net that referenced this issue Dec 18, 2024
@titanism

We should be using dmarc.status.header.d value, perhaps? @andris9 Not sure what your thoughts here are on how we can fix this or make it so we can clearly see DKIM is not aligned with From header even if DMARC is passing via SPF.

titanism added a commit to forwardemail/forwardemail.net that referenced this issue Dec 18, 2024
@titanism

Closing for now as we think this might be an issue on our side with other headers being modified somehow. Will re-open if we find something otherwise.
