E-mail routing adds new DKIM signature that breaks DMARC alignment

I think there is an issue with email routing implementation.
If an email without DKIM signature comes to email.cloudflare.net,
Cloudflare creates new DKIM signature like so:

DKIM-Signature: v=1; a=rsa-sha256; d=email.cloudflare.net; s=2022; c=relaxed/relaxed; ...

And sends the email to the according route mailbox.
But that breaks DMARC alignment since header.from /= dkim.d.
So the email does not pass DMARC.

Authentication-Results: mx.google.com;
       dkim=pass [email protected] ...
       spf=pass ...
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.com

It should not create DKIM signature then.
I’m using the Catch-all address.

What do you think?

You can have multiple DKIM signatures on an email, there is no harm (and some benefits) when you add more signatures, and in fact this is quite common when mail passes through multiple servers.

Is there a valid and aligned header? The final authentication results should only need any one of the signatures to match the From header.


There is only one DKIM signature (not aligned email.cloudflare.net).

If I send an email without DKIM from the same domain directly to google inbox (skipping Cloudflare) DMARC passes.

There is no reason for Cloudflare to generate a DKIM signature for a domain that is not in the From header, since that causes DKIM misalignment.


There cannot be in an email that was not signed by its originator. The only DKIM signature is from Cloudflare and SPF alignment will be broken by Cloudflare’s return-path. This means such mails have no way to pass DMARC.

Now one would expect that any domain that is not DKIM signing would similarly lack a published DMARC policy and this should be no issue, but it is wholly at the mercy of the receiving server’s policy implementation.

In the age of DMARC, forwarding to destination servers where you do not control policy can be inconsistent.

The message already wasn’t going to pass DMARC.

It might have been aligned (via SPF) if there was no forwarding involved, but as soon as forwarding comes into play we guarantee the best status the message can get is PASS from the forwarder’s domain and no alignment from SPF. At least we don’t get an SPF FAIL since Cloudflare rewrites MAIL FROM.

With SPF not aligning, all that matters is the DKIM signature(s). There are two possible situations:

  1. Cloudflare adds no DKIM signature: SPF not aligned, DKIM not aligned so the message fails DMARC.

  2. Cloudflare adds a DKIM signature: SPF not aligned, DKIM not aligned so the message fails DMARC.

The message doesn’t align either way and the presence of additional signatures makes no difference.

So why do it? The same reason you add a DKIM signature to messages that do align, you’re attesting that the message actually did pass through the forwarding server. This allows receivers to decide which Authentication-Results headers to trust, and therefore to (possibly) trust that the message passed both SPF and DMARC before it was forwarded.

In an ideal world everybody forwarding mail in any fashion would implement ARC which is digitally signed (whereas technically an Authentication-Results header can be modified by subsequent servers involved with forwarding messages). ARC doesn’t solve the problem of when to trust a forwarder, but it does get us closer to trusting forwarded servers safely.

There are other cases where it matters, for example, Yahoo’s feedback loop (FBL) only sends spam reports for messages with a DKIM signature matching the FBL registration, so if Cloudflare wants a FBL from Yahoo they’re required to sign their own DKIM.

But in the case of alignment for DMARC purposes? The message was never going to pass DMARC once it was forwarded because it was never going to get DKIM alignment anyway. Cloudflare’s DKIM signature is irrelevant.

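To make the alignment argument in the reply above concrete, here is a small added example (not code from the thread or from Cloudflare) that evaluates DMARC identifier alignment the way RFC 7489 describes it: the RFC5322.From domain must align with either the SPF-authenticated MAIL FROM domain or the d= domain of a verifying DKIM signature. It goes slightly beyond the thread by also showing the strict vs. relaxed alignment modes and the case where the originator did sign. The `d=email.cloudflare.net` signature is the one quoted in the first post; the `mydomain.com` signature, the `bh=`/`b=` values, and the rewritten MAIL FROM domain `email.cloudflare.net` are constructed assumptions, and the organizational-domain logic is a deliberate simplification (last two labels instead of the Public Suffix List).

```python
"""Minimal DMARC identifier-alignment evaluator (RFC 7489 style).

Added example for this thread; not Cloudflare's code. Simplifications
are labelled as assumptions in the comments.
"""
from typing import Dict, List, Tuple


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header value."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain of a hostname.

    ASSUMPTION: last two labels. Real receivers consult the Public
    Suffix List so that suffixes such as co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains;
    strict ('s') requires an exact, case-insensitive match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain: str, spf_result: str, mail_from_domain: str,
                 dkim_results: List[Tuple[str, str]],
                 adkim: str = "r", aspf: str = "r") -> str:
    """'pass' if any authenticated identifier aligns with the From domain.

    dkim_results is a list of (d= domain, verification result) pairs;
    any number of signatures may be present and only one needs to align.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for d, res in dkim_results)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Signature quoted in the first post (hash/signature values constructed).
CF_SIG = ("v=1; a=rsa-sha256; d=email.cloudflare.net; s=2022; c=relaxed/relaxed; "
          "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
# Constructed: what a signature from the originating domain would look like.
ORIG_SIG = ("v=1; a=rsa-sha256; d=mydomain.com; s=sel1; c=relaxed/relaxed; "
            "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
FROM_DOMAIN = "mydomain.com"
FORWARDER_MAIL_FROM = "email.cloudflare.net"  # ASSUMPTION: rewritten MAIL FROM domain


def signed_domains(headers: List[str]) -> List[str]:
    """Extract the d= domain from each DKIM-Signature header value."""
    return [parse_dkim_tags(h)["d"] for h in headers if "d" in parse_dkim_tags(h)]


def scenarios() -> Dict[str, str]:
    """DMARC outcome for the cases discussed in the thread."""
    def verified(headers: List[str]) -> List[Tuple[str, str]]:
        # Assume every listed signature cryptographically verifies.
        return [(d, "pass") for d in signed_domains(headers)]

    return {
        # Direct delivery, no DKIM: SPF aligns, so DMARC passes.
        "direct_unsigned": dmarc_result(FROM_DOMAIN, "pass", FROM_DOMAIN, []),
        # Forwarded, MAIL FROM rewritten, no signature at all: fails.
        "forwarded_unsigned_no_sig": dmarc_result(
            FROM_DOMAIN, "pass", FORWARDER_MAIL_FROM, []),
        # Forwarded with the forwarder's own signature: still fails.
        "forwarded_unsigned_cf_sig": dmarc_result(
            FROM_DOMAIN, "pass", FORWARDER_MAIL_FROM, verified([CF_SIG])),
        # Originator signed; the extra forwarder signature does no harm.
        "forwarded_signed_cf_sig": dmarc_result(
            FROM_DOMAIN, "pass", FORWARDER_MAIL_FROM, verified([ORIG_SIG, CF_SIG])),
        # Subdomain in From: relaxed adkim aligns, strict adkim does not.
        "subdomain_relaxed": dmarc_result(
            "news.mydomain.com", "none", FORWARDER_MAIL_FROM, verified([ORIG_SIG])),
        "subdomain_strict": dmarc_result(
            "news.mydomain.com", "none", FORWARDER_MAIL_FROM, verified([ORIG_SIG]), adkim="s"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} dmarc={result}")
```

The two forwarded cases without an originator signature both fail, which is the reply's point: once MAIL FROM is rewritten, only a DKIM signature whose d= aligns with the From domain can rescue the message, and the forwarder's own signature is neither helpful nor harmful for alignment.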
