Please append to https://github.com/lieser/dkim_verifier/wiki/DNS

libunbound library under OSX

1. Install libunbound2
2. select the DKIM_Verifier's Preferences > General > DNS
3. select Resolver "libunbound"
4. Disable "Get DNS server from OS configuration"
5. Set DNS server to 127.0.0.1:53
6. Disable Path relative to profile directory
7. Set path to [your-prefix-here]/lib/libunbound.2.dylib
8. Restart Thunderbird.

Tested under OSX 10.10.4 with libunbound 1.5.4, Thunderbird 38.1.0, and DKIM verifier 1.3.5.

Messages processed by Verizon (USA) fail with "DKIM Signature Error: Wrong body hash" message while messages from Earthlink (USA) processed as expected. I created a test scenario in which an auto parts vendor sent an identical routine product announcement message to me via both Verizon and Earthlink. The captured Thunderbird error console and both EML formatted messages are available for debugging purposes.

I would like to propose an enhancement: An additional option (disabled by default) to move the add-on DKIM result (such as "Valid (Signed by ...)", "Invalid (Wrong body hash)", etc., including the warning triangle with its tool tip) from its current position in a header pane line to the status bar (where the online/offline status and number of total and unread messages is shown). If that is possible.

Such an option would be useful on computers with smaller screens - e.g. netbooks - where keeping the header pane slim is important, as it takes away space from the preview pane. Or for whatever other esthetical reasons, while having the status bar visible. While DKIM result in the status bar does not take away preview pane real estate.

An additional positive side-effect of this option would be the ability to remove the DKIM result entirely - without a need for additional add-on (such as "CompactHeader") - by moving it to the status bar which one has disabled. If one does not use the status bar and is not interested in details of the DKIM evaluation. (E.g. when one has the option for highlighting the "From:" field active and the colors showing the overall result, which is what counts most.)

Thank you very much for the add-on!

Currently i use version 1.3.6 in Fossamail (Thunderbird fork from the Pale Moon browser dev) and if i try to update my addons in Fossamail i get for your addon
"There was an error downloading null"

So i download the addon from AMO manual but the install fails with the message
"addon is corrupted".

Then i download the version from github and the install fails too. I compare the checksum with this version and the ones from AMO - same.
If i try to install 1.4.0 from github i get the same install error.

Clicking on some messages with DKIM verifier causes high CPU load.

v0.4.4
tb 17.0.8

Thanks for your work, but i have fased with little problem. Very ofter addon show text "Invalid (Wrong body hash)", but I'm really not sure that this is true. I`ve install postfix with OpenDKIM on my server and test it by sending messages to [email protected] and [email protected] and no problems found. But my mails (with DKIM signature) sometime marked as "Wrong body hash". Not only my mails, I attach screenshot with mail from SourceForge with same error.

If need, i can send this "suspicious" mails to you.

EDIT
Sorry but github does not want to upload my picture ("Something went really wrong and we can't process that image."). I can send on email.

Hi,
first of all - thank you, I was looking for such an addon for a long time.

There's an issue in combination with CompactHeader addon ( https://addons.mozilla.org/de/thunderbird/addon/compactheader/ ). The DKIM verifier toolbar is shown on the right, instead of the bottom of the message header. Could you please add support for the CompactHeader addon?

Thank you :)

If there is no ARH, but an (unverified) DKIM-Signature exists, no verification is carried out. The following error sometimes is displayed, presumably due to an empty ARH.

2016-01-17 19:50:03 DKIM_Verifier.AuthVerifier ERROR Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:249) JS Stack trace: [email protected]:249:1 < [email protected]:186:14 < [email protected]:161:21 < [email protected]:161:10 < _authVerifier_verify/promise<@AuthVerifier.jsm:103:17

I'm using DKIM verifier 0.5.0, and our organisation has just set up DKIM with the Amazon SES service for some of our transactional mails.

When testing, the mail verifies ok if it's sent to my Gmail account and then picked up via POP3 into Thunderbird. It also verifies ok if the mail is sent to my ISP-hosted email account and then picked up via POP3.

However when the same email (exactly the same one, adding all addresses to the same 'To' line) is sent via my work email address, which is a hosted exchange service provided by Cobweb, and then also picked up via POP3, it arrives with the error message: "DKIM Invalid (DKIM version missing)".

When comparing a raw text dump of the three sets of email headers, I can see no difference between the contents of the DKIM-Signature header other than whitespace formatting and capitalisation of the header name.

(The actual base-64 content of the Cobweb email is very different to the other two though. Perhaps that's the problem - is this related to Exchange having nuked the format? In which case the error message seems misleading - shouldn't it just be a straight fail?)

Everytime if i choose a new message, dkim_verifier seems to block it. dkim_verifier shows "Validating ..." and the statusbar shows "Downloading...". If i switch to another mail and return to the previous one, validating works. there must be an issue by the time thunderbird marks the message as downloaded...

if i deactivate the addon, everything works fine.

You can reproduce the issue if you clean the message cache (inbox->right click->properties->repair *.msf) on an imap-account

One of my domains:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dialog.photo; s=mail;
always gives invalid signing alerts (invalid hash algorithm in DKIM key record).
Within the DNS it has
v=DKIM1; h=rsa-sha256; k=rsa; p=...

Compared to another (working) Domain which doesn't have the "h" attribute in the TXT record.
The h= was generated by the opendkim tools so it shouldn't be that wrong?.

Hi and thanks for your awesome plugin!

Here we go:
I told the plugin to use my local dns resolver which supports dnssec. The domainkey record is signed, the record bears the +ad flag. Still, the plugin says the key was not signed by dnssec.

Note: my local resolver uses DNSSEC lookaside validation, which is transparent to the DNS clients.

I thought, the reason why the plugin fails to verify wether the key was signed is that my local dns is somehow bypassed. However, the log says

2014-04-25 16:57:29 DKIM_Verifier.JSDNS INFO    Resolving default._domainkey.example.net TXT by querying 10.0.12.5

Any thoughts on this?

This is was a query of 10.0.12.5 says:

; <<>> DiG 9.8.3-P1 <<>> default._domainkey.example.net +dnssec txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;default._domainkey.example.net.    IN  TXT

;; ANSWER SECTION:
default._domainkey.example.net. 85928 IN    TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0QmdibqnhhtX+xCJE1LzF7YemajbrvDxO8PcpnWeTAPpxnMIc8qZiyyRLVT+axUEY5typdf91QIcYdAb5i4s4xudiD6bY8CJh5Kk6qfDCwFQUamYkBKOZC4eWohuM8Yz9Z/Hi0h" "zEQb/LztkI7SvGt1+V/5Ts3Dfa2O+348QZoztogqqt3j+MiFQYt85F4EczSQuzxkTyktisx+62hV+3aYshKpl8wOd760CVwPPCu0m6LxDfnn9f/6uW9eM/yr28vvznnlbFN4IzDgaKjZ9ZNxJ7eSL+EzlqmAO9CMYgHXwpEQdeoZE2R7DR8cFi7RQjcNXGbpcLt+q2XIQi5U78QIDAQAB"
default._domainkey.example.net. 85928 IN    RRSIG   TXT 7 4 86400 20140522165659 20140422165659 9728 example.net. rLdx/eFlAyUeIRee0GJJKhyGlHLn3ll+hQLNtfj7ootfDim2svCQw81M 5V/tAJn1imGcXJ3Glk8Qx83WX5uCaVpIjKu2PT0Y8beyRGgMdfjn2hBD INU42EOoiNsqFDAVXkNCL7B1SpWgUHiNgnqUliv1XaJoraT8O7jSq/Sz pkU=

Regards!

@mlocati @kryskool
i have added a new string in options.dtd (arh.read.label).
Could you both please update the Italian and French Translation?
Thanks.

--snip--- dkim.js

var EXPORTED_SYMBOLS = ["DKIM_STRINGS"];
var DKIM_STRINGS = {};

// DKIM_STRINGS
DKIM_STRINGS.loading = "Überprüfe...";
DKIM_STRINGS.SUCCESS = function(domain) {return "Gültig (Signiert durch "+domain+")";};
DKIM_STRINGS.PERMFAIL = "Ungültig";
DKIM_STRINGS.TEMPFAIL = function(domain) {
return "Temporärer Überprüfungsfehler (Für Signatur durch "+domain+")";};

// DKIM_INTERNALERROR
DKIM_STRINGS.DKIM_INTERNALERROR = "DKIM verifier Interner Fehler";
DKIM_STRINGS.DKIM_INTERNALERROR_DEFAULT = "Fehler";

// DKIM_SIGERROR
DKIM_STRINGS.DKIM_SIGERROR = "DKIM Signatur Fehler";
DKIM_STRINGS.DKIM_SIGERROR_DEFAULT = "Fehler";
// DKIM_SIGERROR - DKIM-Signature Header
DKIM_STRINGS.DKIM_SIGERROR_VERSION = "Nicht unterstützte Version";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_V = "DKIM Version fehlt";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_A = "Fehlender Signatur-Algorithmus";
DKIM_STRINGS.DKIM_SIGERROR_UNKNOWN_A = "Nicht unterstützter Signatur-Algorithmus";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_B = "Fehlende Signatur";
DKIM_STRINGS.DKIM_SIGERROR_CORRUPT_B = "Signatur falsch";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_BH = "Fehlende Mailtext Prüfsumme";
DKIM_STRINGS.DKIM_SIGERROR_CORRUPT_BH = "Falsche Mailtext Prüfsumme";
DKIM_STRINGS.DKIM_SIGERROR_UNKNOWN_C_H = "Nicht unterstützte Kanonisierungmethode für Kopfzeile";
DKIM_STRINGS.DKIM_SIGERROR_UNKNOWN_C_B = "Nicht unterstützte Kanonisierungmethode für Mailtext";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_D = "Fehlender 'Signing Domain Identifier' (SDID)";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_H = "Fehlende signierte Kopfzeilenfelder";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_FROM = "From-Kopfzeile ist nicht signiert";
DKIM_STRINGS.DKIM_SIGERROR_SUBDOMAIN_I = "AUID ist keine Subdomain der SDID";
DKIM_STRINGS.DKIM_SIGERROR_DOMAIN_I = "AUID muss in der gleichen Domain wie SDID sein (Gesetztes S-Flag)";
DKIM_STRINGS.DKIM_SIGERROR_TOOLARGE_L = "Länge des Mailtext überschreitet die maximale Länge";
DKIM_STRINGS.DKIM_SIGERROR_UNKNOWN_Q = "Nicht unterstützte Abfragemethode für Empfang des öffentlichen Schlüssels";
DKIM_STRINGS.DKIM_SIGERROR_MISSING_S = "Fehlender Selector-Tag";
DKIM_STRINGS.DKIM_SIGERROR_TIMESTAMPS = "Signatur abgelaufen";
// DKIM_SIGERROR - key query
DKIM_STRINGS.DKIM_SIGERROR_KEYFAIL = "DNS Abfrage für Schlüssel fehlgeschlagen";
// DKIM_SIGERROR - Key record
DKIM_STRINGS.DKIM_SIGERROR_KEY_INVALID_V = "Invalid Version of the DKIM Schlüssel record";
DKIM_STRINGS.DKIM_SIGERROR_KEY_UNKNOWN_K = "Nicht unterstützte Schlüsseltyp";
DKIM_STRINGS.DKIM_SIGERROR_KEY_MISSING_P = "Fehlender Schlüssel";
DKIM_STRINGS.DKIM_SIGERROR_KEY_REVOKED = "Schüssel zurückgezogen";
DKIM_STRINGS.DKIM_SIGERROR_KEY_NOTEMAILKEY = "Schlüssel ist kein Mail-Schlüssel";
DKIM_STRINGS.DKIM_SIGERROR_KEY_TESTMODE = "Die Domain ist im DKIM-Testmodus";
// DKIM_SIGERROR - key decode
DKIM_STRINGS.DKIM_SIGERROR_KEYDECODE = "Schlüssel konnte nicht dekodiert werden";

// DKIM_SIGWARNING
DKIM_STRINGS.DKIM_SIGWARNING_SMALL_L = "Der Mailtext ist nicht vollständig signiert";

--snip dns.js

var EXPORTED_SYMBOLS = ["DNS_STRINGS"];
var DNS_STRINGS = new Object();
DNS_STRINGS.TOO_MANY_HOPS = "Zu viele Server-Sprünge.";
DNS_STRINGS.CONNECTION_REFUSED = function(server) { return "DNS server " + server + " verweigert eine TCP Verbindung."; };
DNS_STRINGS.TIMED_OUT = function(server) { return "DNS server " + server + " hat Zeitlimit für ein TCP connection überschritten."; };
DNS_STRINGS.SERVER_ERROR = function(server) { return "Fehler bei der Verbindung zum DNS-Server " + server + "."; };
DNS_STRINGS.INCOMPLETE_RESPONSE = function(server) { return "Unvollständige Antwort from " + server + "."; };

--snip options.dtd

--snip xulstrings.dtd

This refers to the functionality introduced on #15.

I just checked the latest release "dkim_verifier-1.0.2.xpi" (with TB (Icedove) 17.0.8 on Debian) and there seems to be an issue after the latest changes: On unsigned (old) e-mails of domains which are in the "Default signers rules" the validation does not complete. Instead of a missing signature error/warning there is "DKIM: Validating..." shown in the status bar (which I use instead of the header line), which never completes. And the Error Console shows following:

2013-12-11 22:42:27 DKIM_Verifier.Policy    DEBUG   shouldBeSigned: true; sdid: yahoo.com; hideFail: false; foundRule: true

The JavaScript DNS library is used. This is not domain dependent - it appears on all domains as far as I can see.

P.S.: It might be relevant: Due to change of my location, I had to switch to Google DNS resolver, as the local one does not support DKIM records apparently. So, maybe this issue is not due to latest code changes, but appeared due to my resolver change.

Hi,

i got

Zeitstempel: 11.09.2015 19:11:47
Fehler: 2015-09-11 19:11:47 DKIM_Verifier.AuthVerifier  ERROR   Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:249) JS Stack trace: [email protected]:249:1 < [email protected]:186:14 < [email protected]:161:21 < [email protected]:161:10 < _authVerifier_verify/promise<@AuthVerifier.jsm:103:17
Quelldatei: resource://gre/modules/Log.jsm
Zeile: 749

but the signature looks good...

Authentication-Results: mail4.xxx.de;
        dkim=pass (1024-bit key; insecure) header.d=campact.de [email protected] header.b=PD0FkJpv;
        dkim-adsp=pass; dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on xxx
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=6.3 tests=BAYES_00,HTML_MESSAGE,
        SPF_HELO_PASS,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from o78.p8.mailjet.com (o78.p8.mailjet.com [87.253.233.78])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail4.xxx.de (Postfix) with ESMTPS
        for <[email protected]>; Fri, 11 Sep 2015 18:02:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; q=dns/txt;
  d=campact.de; [email protected]; s=mailjet;
  h=domainkey-signature:message-id:mime-version:from:reply-to:to:subject:date:list-unsubscribe:
  auto-submitted:precedence:x-csa-complaints:content-type;
  bh=TrsdJBAoPVyoL7B57No5KjNcZp0=;
  b= PD0FkJpvEqOBOrwJtEj9jHzSphddjyKegFhOTv/dHjwLFOTlhBq4cwSwfRpR
 meGIyqD/Wj8Peaee9/zJ9xfSnOubMhHk5lXiJmQNJUrSMCxc1BDHuoHnisp6
 cJCoRkXPy8Bs6Lh85NDbb8bsuHU6Ceyyjqs9PfgwHIsNzXUd/ek=
DomainKey-Signature: a=rsa-sha1; c=simple; q=dns;
  d=campact.de; s=mailjet;
  h=message-id:mime-version:from:reply-to:to:subject:date:list-unsubscribe:
  auto-submitted:precedence:x-csa-complaints:content-type;
  b= P1ncskc/ud3YShbilefXKuzM2Ivx74TKmNWdd24b1DIzIyznMBpyMwon/3SL
 5jpv49RbiTrIMJ4zyJvMg171iTNzxVKYwaClGecfZ8y1K7qqEsLNoqsXrR2X
 WvTFv08h3ZSglxAcGWFT6SncUvEP+L89kSWgFu8vCthdOz3DzqM=
Message-Id:  <[email protected]>

any idea?

regards

Jonathan

Hi,

got another error:
Zeitstempel: 30.09.2015 22:57:46
Fehler: 2015-09-30 22:57:46 DKIM_Verifier.AuthVerifier ERROR Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:249) JS Stack trace: [email protected]:249:1 < [email protected]:186:14 < [email protected]:161:21 < [email protected]:161:10 < _authVerifier_verify/promise<@AuthVerifier.jsm:103:17

Quelldatei: resource://gre/modules/Log.jsm
Zeile: 749

Header:
Authentication-Results: mail.xxx.de; dkim=pass
reason="1024-bit key; unprotected key"
header.d=facebookmail.com [email protected]
header.b=cwU1/dak; dkim-atps=neutral
X-Spam-Level:
X-Spam-Status: No, score=-2.3 required=6.3 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_MESSAGE,RDNS_DYNAMIC,
UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=ham version=3.3.2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2013-q3; t=1443646501;
bh=tjTPk1/T+XuaDGifjLmJBTlrKSnLTtxkkAU7akYW3vU=;
h=Date:To:Subject:From:MIME-Version:Content-Type;
b=cwU1/dak/uH82oM3fkl5glV7IHScKtstQ3VA8V5IDHLLZtJi7d/4mVtfbP5bHk+aA
FO5e60by430wloGiuo3QslSyr/pe/sR82RbkQtjdxEUWRAj+go9lVXN8wncm8BCqqc
pdL8DkGU0X1KIOfpl9HaPyP+CttqReZEc0n6N+8g=

Here is the message source. Did Barracuda or SmarterMail add entries that invalidated this signature, or is it a bug in your verifier?

edited by lieser: deleted e-mail

Thanks for your work on this plugin, I just got round to testing it tonight.
After installing version 0.2, I've been checking it against some emails in my inbox.
From Domains
ebay.co.uk OK
amazon.co.uk OK

facebookmail.com KO

DKIM: Parsed DKIM-Signature: ({v:"1", a_sig:"rsa", a_hash:"sha256", b:"key1JCk6byyYDZGDsC+mOeikZlKRA0zU/LcJJJhjwKYfYQ6sBitjSq8MdUPThEVMUqQtFFRPSez0YQwFJ553zNlHfUEJwUcltepRyRRGwBif3GFOrJ5tqJJFzODMJVVLo+0SXN9LhvRgM6Ha+x+8RSLmtUvk2Aq+VTSaAqouZz4=", b_folded:"key1JCk6byyYDZGDsC+mOeikZlKRA0zU/LcJJJhjwKYfYQ6sBitjSq8MdUPThEVMU\r\n\t qQtFFRPSez0YQwFJ553zNlHfUEJwUcltepRyRRGwBif3GFOrJ5tqJJFzODMJVVLo+0\r\n\t SXN9LhvRgM6Ha+x+8RSLmtUvk2Aq+VTSaAqouZz4=", bh:"e5ja/lQb9OayTEyvQrKuu8VAxMlF2c0SKH/RRZJNdcI=", c_header:"relaxed", c_body:"simple", d:"facebookmail.com", h:"Date:To:From:Subject:MIME-Version:Content-Type", h_array:["date", "to", "from", "subject", "mime-version", "content-type"], i:"@facebookmail.com", l:null, q:"dns/txt", s:"s1024-2011-q2", t:1368945560, x:null, z:null})
DKIM: computed body hash: e5ja/lQb9OayTEyvQrKuu8VAxMlF2c0SKH/RRZJNdcI=
DKIM: DNS result: k=rsa; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLWnmo7aFBKfL4+mogTe/cXx6D4MUF7VUM9O+nmXAcUP6jJh1RDgZuSJ/KKxo+KMpDiF5xnawr4p3N4eFruSZWFB1vtHgDiy3iPke/u0lmXB2PDQphFRJU4Raghm9e2duPfuSExbvSu9COWIoaz1vH/T+8zc0vuonClGuPfxoqhQIDAQAB
DKIM: Parsed DKIM-Key: ({v:"DKIM1", h:"sha256", k:"rsa", n:null, p:"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLWnmo7aFBKfL4+mogTe/cXx6D4MUF7VUM9O+nmXAcUP6jJh1RDgZuSJ/KKxo+KMpDiF5xnawr4p3N4eFruSZWFB1vtHgDiy3iPke/u0lmXB2PDQphFRJU4Raghm9e2duPfuSExbvSu9COWIoaz1vH/T+8zc0vuonClGuPfxoqhQIDAQAB", s:"*", t:"s", t_array:["s"]})
DKIM: Header hash input:
date:Sat, 18 May 2013 23:39:20 -0700
to:xxxxx xxxxxx <[email protected]>
from:"Facebook" <[email protected]>
subject:xxxxxxxxxxx have birthdays this week
mime-version:1.0
content-type:multipart/alternative; boundary="b1_b00931723f94ca6aa7ad58da398f237f"


dkim-signature:v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com; s=s1024-2011-q2; t=1368945560; bh=e5ja/lQb9OayTEyvQrKuu8VAxMlF2c0SKH/RRZJNdcI=; h=Date:To:From:Subject:MIME-Version:Content-Type; b=
Timestamp: 22/05/2013 01:34:13
Error: DKIM Signature Error: Signature wrong
verifySignaturePart2@chrome://dkim_verifier/content/dkim.js:884
that.dnsCallback@chrome://dkim_verifier/content/dkim.js:1007
DNS_getRDData@chrome://dkim_verifier/content/dns.js:437
listener.process@chrome://dkim_verifier/content/dns.js:283
dataListener.onDataAvailable@chrome://dkim_verifier/content/dns.js:510

Source File: chrome://dkim_verifier/content/dkim.js
Line: 907

connect.vmware.com KO
[similar error as above]
gmail.com
[similar error as above]

email.wiggle.com KO
Different error, text stays on "Validating....." and never changes

Timestamp: 22/05/2013 01:40:08
Error: uncaught exception: Record type is not one that this library can understand.
DKIM: DNS result: null
Timestamp: 22/05/2013 01:40:08
Error: DKIM Signature Error: DNS query for key failed
Source File: chrome://dkim_verifier/content/dkim.js
Line: 1002

I hope this is enough info to work with?
Thanks,
S.

All messages I receive from @yahoo.de accounts are not signed. Remove from standard rules?

Hi

This is similar to "Get DNS name servers form OS configuration" #24 but for Windows.

If I remove the default "DNS name servers" (which by the way is a redundant way of saying it) messages don't get verified at all. The error message I then get is "Error connecting to DNS server". Same is true if I set the fields value to 127.0.0.1. I therefore assume that the DNS address provided through the OS isn't queried/used at all.

Since I'm often roaming I can't know the DNS for all networks I am connected to beforehand. This issue is a blocker for me.

Best

Edit: I just set the field to my current local DNS forwarder and I still get the error (but not with Google's DNS). I suppose that there is more to this. Is there a log I can look up and send you?

I noticed that loading of email body is delayed when dkim-verifier checks the signature. This is especially visible when there is a DNS timeout (e.g. due to errors in DNSSEC, local unbound will not respond): this freezes thunderbird itself, until the timeout is over or DNSSEC resolution is fixed. This should never happen: the dkim-verifier thread must not block.

split from #15

I'm using DKIM Verifier 1.0.4 and it seems to have some problems verifying messages signed with MailEnable Professional 8.

Here's a sample email header:

dkim-signature:v=1; c=relaxed/relaxed; h=message-id:date:from:mime-version:to:subject:content-type;
 d=progesoft.com; s=mail; a=rsa-sha256;
 bh=NL3Ygc+tb+Rpo+N0UfDOJxzDTOX8XCX5d+ShqvRTOdc=;
 b=UtLf/Wb2na2PQM0mRxVBW5CkECtBZHTf2rGFeJW48lx7b0vTLa1ENROZUxM7Ccvmx
 lCzcSqgJAhDwyW47oac7zfEABFrYYcr4XVMDH356HJJpHJf37Gf/yZO6VLLgNvYjG6L
 IxXHw+Oua7YCafodbMMrm2YniBg5NqjQUmTCdmQ=;

And here's the content of the TXT DNS record that I created with opendkim-genkey -r -h rsa-sha256 -s mail:

v=DKIM1; h=rsa-sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk12TXXVW+zf0w0kiC8kFr0m6mK2e/c3PIgaVW5K9RWMEKtfWOzQTpiIk8H1zbfe+KUfOBnV/Sxm30f+MOapYo8CT/0f7GXNfrlUfJ3KncOCQ1c8eqU0I0SJEbU5Qw/5g1kTIrIwbjMx3lZGHDerRwAH88nnsW3Fs40jSQQ1ZIEQIDAQAB

Here's the Thunderbird log:

DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Signature: ({v:"1", a_sig:"rsa", a_hash:"sha256", b:"UtLf/Wb2na2PQM0mRxVBW5CkECtBZHTf2rGFeJW48lx7b0vTLa1ENROZUxM7CcvmxlCzcSqgJAhDwyW47oac7zfEABFrYYcr4XVMDH356HJJpHJf37Gf/yZO6VLLgNvYjG6LIxXHw+Oua7YCafodbMMrm2YniBg5NqjQUmTCdmQ=", b_folded:"UtLf/Wb2na2PQM0mRxVBW5CkECtBZHTf2rGFeJW48lx7b0vTLa1ENROZUxM7Ccvmx\r\n lCzcSqgJAhDwyW47oac7zfEABFrYYcr4XVMDH356HJJpHJf37Gf/yZO6VLLgNvYjG6L\r\n IxXHw+Oua7YCafodbMMrm2YniBg5NqjQUmTCdmQ=", bh:"NL3Ygc+tb+Rpo+N0UfDOJxzDTOX8XCX5d+ShqvRTOdc=", c_header:"relaxed", c_body:"relaxed", d:"progesoft.com", h:"message-id:date:from:mime-version:to:subject:content-type", h_array:["message-id", "date", "from", "mime-version", "to", "subject", "content-type"], i:"@progesoft.com", i_domain:"progesoft.com", l:null, q:"dns/txt", s:"mail", t:null, x:null, z:null})
DKIM_Verifier.Verifier  DEBUG   computed body hash: NL3Ygc+tb+Rpo+N0UfDOJxzDTOX8XCX5d+ShqvRTOdc=
DKIM_Verifier.JSDNS INFO    Resolving mail._domainkey.progesoft.com TXT by querying 192.168.1.10
DKIM_Verifier.JSDNS DEBUG   mail._domainkey.progesoft.com/TXT: Answer: v=DKIM1; h=rsa-sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLnLhmzjg4fTCQTDq7JZOGFHNPcUVQlppRWpB1QSckvXzABTuju5BrQovV/OXJYEyeUPfVRtq6wTgAeSSOJ1eyg4Flsn4c9FA8vyGPO0jM7UAFDTRut9I8JO/25Xp6W+xxAa8UM+vSglipU1NAnQWLbIX9a2hWp5AaUj2EhMaF8QIDAQAB
DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Key: ({v:"DKIM1", h:"rsa-sha256", h_array:["rsa-sha256"], k:"rsa", n:null, p:"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLnLhmzjg4fTCQTDq7JZOGFHNPcUVQlppRWpB1QSckvXzABTuju5BrQovV/OXJYEyeUPfVRtq6wTgAeSSOJ1eyg4Flsn4c9FA8vyGPO0jM7UAFDTRut9I8JO/25Xp6W+xxAa8UM+vSglipU1NAnQWLbIX9a2hWp5AaUj2EhMaF8QIDAQAB", s:"*", t:"", t_array:[]})
DKIM_Verifier.Verifier  WARN    DKIM_SIGERROR_KEY_HASHNOTINCLUDED: Wrong hash algorithm in DKIM key record JS Stack trace: [email protected]:1157 < verifySignaturePart1/promise<@dkimVerifier.jsm:1102

In dkimVerifier.jsm@1102 I can read

if (msg.DKIMKey.h_array &&
    msg.DKIMKey.h_array.indexOf(msg.DKIMSignature.a_hash) === -1) {
    throw new DKIM_SigError("DKIM_SIGERROR_KEY_HASHNOTINCLUDED");
}

It seems there's some problems in matching msg.DKIMKey.h_array and msg.DKIMSignature.a_hash...

PS: GMail says that everything is ok.

If a body only has \r\n (empty lines) relaxed canonicalization should give an empty body.

"\r\n\r\n" should give ""
"Something\r\n\r\n" should give "Something\r\n"

but

"\r\n\r\n" gives "\r\n"

See patch

++ b/chrome/content/dkim.js
@@ -718,6 +718,10 @@ DKIM_Verifier.DKIMVerifier = (function() {
// for some reason /(\r\n)*$/ doesn't work all the time (matching only last "\r\n")
body = body.replace(/((\r\n)+)?$/,"\r\n");

• // If only one \r\n rests, there were only emtpy lines.

•   if (body == "\r\n"){
  

•       return "";
  

•   }
  return body;
  

  }

I use opendkim to sign my emails.

My opendkim SigningTable includes:

*@mail.example.com    selector._domainkey.example.com
*@example.com         selector._domainkey.example.com

and in my dns, I've published ONLY an organizational domain record

_dmarc.example.com. 5 IN TXT (
  "v=DMARC1; p=reject; sp=reject;"
  "rua=mailto:[email protected],mailto:[email protected];"
  "ruf=mailto:[email protected];"
  "fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;"
)

with the understanding that if a specific policy record for a subdomain does not exist in DNS, the policy from the organizational domain will be applied. i.e., for any *.example.com subdomain,

sp     Policy for subdomains of the OD     sp=reject

So with that signing policy, emails sent from the '*@mail.example.com' subdomain should to be signed by the 'example.com', and accepted as valid.

When I send from my 'mail.example.com' domain to my 'example.com' domain,

sendmail -i -f [email protected] -t <<TEST
From: [email protected]
To: [email protected]
Subject: test
test
TEST

The received email's signed correctly,

...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=selector; t=1464032795;
    bh=U...=;
    h=From:To:Subject:Date:From;
    z=From:[email protected]|To:[email protected]
     |Subject:=20test|Date:=20Mon,=2023=20May=202016=2012:
     46:35=20-0700=20(PDT);
    b=M...=
...

But the DKIM plugin in Thunderbird, displays

DKIM Invalid (Wrong signer (should be mail.example.com)

The design here, is of course, that 'example.com' IS a valid signer for the 'mail.example.com' subdomain.

I've got

DKIM Verifier Options
    General
        Policy
            [X] Use DMARC to heuristically determinate if an e-mail should be signed

    (p.s., typo there^^ ... should be "determine", not "determinate")

checked, so it should, in principle, be getting the DMARC policy correctly.

So, the question is -- why's it saying it's not? Config in the extension, or a problem in DKIM/DMARC config?

First please note the typo -- I assume this should read "Get DNS name servers FROM OS configuration."

Second, and this is the main thing -- it doesn't seem to work on my Mac, running Mac OS X 10.9.2 and TB 24.4.0. I have the checkbox checked, and still your extension doesn't seem to use the DNS that OS X uses (received via DHCP).

I found the following in the error console:

2014-04-06 22:47:45 DKIM_Verifier.JSDNS CONFIG  Got servers from resolv.conf: []
2014-04-06 22:47:45 DKIM_Verifier.JSDNS CONFIG  changed DNS Servers to : [{server:"8.8.8.8", alive:true}]

However, resolv.conf DOES contain the correct nameserver to use:

$ cat /etc/resolv.conf 
#
# Mac OS X Notice
#
# This file is not used by the host name and address resolution
# or the DNS query routing mechanisms used by most processes on
# this Mac OS X system.
#
# This file is automatically generated.
#
domain my.domain
nameserver 192.168.2.10

Yes, I know this is only a "dummy" file, but of course OS X is using the correct nameserver:

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : host.mydomain
  search domain[1] : mydomain
  nameserver[0] : 192.168.2.10
  if_index : 5 (en1)
  flags    : Request A records
  reach    : Reachable,Directly Reachable Address
...

Not sure whether I'm doing s/t wrong, or whether this is really a bug in your extension?

Thanks in advance for your help.

Hi,
Headers are not displayed at all in my environment: TB 24.0, DKIM Verifier 0.6.0, CompactHeader 2.0.8.
No errors in the JS-Console.
Let me know if I can help.

This error was generated by emails from domain moneysavingexpert.com
I'm not sure if it is a problem with the addOn or the DKIM Cert in the header.
Let me know if you need more info than I've provided below
Error Msg

Timestamp: 05/06/2013 20:55:31
Error: DKIM Signature Error: Unsupported canonicalization algorithm for body
parseDKIMSignature@chrome://dkim_verifier/content/dkim.js:380
verifySignaturePart1@chrome://dkim_verifier/content/dkim.js:812
that.messageLoaded@chrome://dkim_verifier/content/dkim.js:1078
messageHeaderSink.onEndHeaders@chrome://messenger/content/msgHdrViewOverlay.js:471
messageHeaderSink.processHeaders@chrome://messenger/content/msgHdrViewOverlay.js:565

Source File: chrome://dkim_verifier/content/dkim.js
Line: 840

Header

DomainKey-Signature: a=rsa-sha1;
 c=nofws;
 s=sm2;
 d=moneysavingexpert.com;
 q=dns;
 b=CPQ3wVKKcV1QunaoGEF+AojaphS/pasmax4UXdLygNjDlRLiMoX1iOcGIiG5PGXEWdn20BJuqRkIN0iACy0nYKBFzMcFfE12VziTl9Hiho1f5iT2mmZdtc2ijqM6VbvegCkhNAd1oMkCICsd7fAs5R0G0mpp1QLtOLlWx5BFTQk=
DKIM-Signature: v=1; a=rsa-sha1; c=simple;
    d=moneysavingexpert.com; s=sm2; [email protected]; h=Content-Transfer-Encoding:
    Content-Type:Reply-To:MIME-Version:Message-ID:Subject:Date:To:
    From; bh=pjqBmVZ2upsptprW5M1vqT1n4Yg=; b=FfrICRBLP4w/EQx8UucBTky
    7tpPcNM7Z9YzmEmw165RlFmFjG+AwuqXipsOX4HWlEasoM3ydfU8t3oejH4xb5S3
    r3iGMkjm2azSvA80wPM8A/JE1c9R7k3YJMIO8stsvYN64wXxPk5I03Q4h5AtBrsp
    2E3RYyXkYvMAi+MGNzPw=

No matter of how I configure the add on, the verification indicator never changes from "verifying"... There are also NO DNS queries whatsoever related to DKIM DNS entries (using tcpdump and wireshark). The error console also does not show any useful log entries (besides "initialized" and "DB initialized").

Are there any know incompatibilities with other addons?

What about enclosing the links in the amo.properties files with <a href="...">...</a>?

When the compact headers add-on is enabled, the verification is not performed unless the email is opened in a separate window. In the normal layout (classic, wide, or vertical) the text "DKIM:" appears on the message bar at the bottom of the TBird window, but that is the only indication that the verifier add-on is even alive.

With the compact headers add-on disabled, the DKIM message appears in full at the bottom and the header is colored. However, the menu icon does not appear in the header.

If the message is opened in a new (separate) window, full functionality appears.

This error doesn't seem to cause any malfunction, except being reported as such. On the console, I get:

Error: 2015-11-04 13:09:55 DKIM_Verifier.AuthVerifier ERROR Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:249:2) JS Stack trace: [email protected]:249:3 < [email protected]:186:2 < [email protected]:161:4 < [email protected]:161:4 < _authVerifier_verify/promise<@AuthVerifier.jsm:103:4

The offending header was:

Authentication-Results: authserv-id;
    dnswl=pass dns.zone=list.dnswl.org
    policy.ip=127.0.2.3
    policy.txt="example.com http://dnswl.org/s?s=2207"

By browsing, it seems to me the parser is compliant with RFC 5451. That is, it only accepts ptypes smtp|header|body|policy, throwing a syntax error if no match is found.

RFC 7410 relaxed that constrain and started an IANA registry. Yet, the above ptypes are missing from that registry as well. Courier-MTA sets them if configured to do so, but they are not documented (policy.ip is documented in https://www.dnswl.org/?page_id=15#returncodes). While coloring/linking dnswl data would be fancy, turning the error into a warning is certainly enough to fix this issue.

Emails sent to myself get an error: Invalid (Copied header fields tag ill-formed)
Investigating I foud this DEBUG in console:

DKIM_Verifier.Verifier  WARN DKIM_SIGERROR_ILLFORMED_Z: DKIM Signature Error: Copied header fields tag ill-formed (resource://dkim_verifier/helper.jsm:5) JS Stack trace: [email protected]:329:5 < [email protected]:636:7 < [email protected]:1133:5 < [email protected]:1320:7 < _authVerifier_verify/promise<@AuthVerifier.jsm:107:9

So it's the z= tag. Removing my personal information the z= tag from this email looks like

z=From:[email protected]|To:[email protected]|Subject:=20Het=2 0weer=20te=20Garnwerd=20in=20de=20maand=20maart=202015|Date:=20Thu ,=2019=20Mar=202015=2004:36:33=20+0100=20(CET); 

Examining the code with help from the backtrace from the DEBUG information I think the bug could be in the pattWSP regexp [ \t] in dkimVerifier.jsm:101 which is misrepresenting the whitespace in the z= tag becasue the space in the z= tag is converted to =20 which is the Unicode cahracter value of the space \u0020.

But I might be wrong ;)

I have noticed that every single mail I get from a person on GMail results in DKIM verifier displaying an error about "Wrong body hash". I can reproduce this perfectly with an own GMail account, too. I don't believe Google is doing anything wrong with their DKIM signature, so can you look into this?

I have added new Strings (see 93f2887, 2795ac6, 09a5b4d) and updated a few old ones (see 79dc088, 10007c9).

@mlocati @kryskool
Could you both please update the Italian and French Translation?
Thanks a lot.

• French
• Italian
• Chinese

Hi!
First of all, thank you for this addon!!

I'd like to see the DKIM/DMARC (auth) results in the message list view with, for example, an icon (none, red, white-green, green), like what 'authres_status' plugin does for Roundcube: https://github.com/pimlie/authres_status .

I have again added some strings, and changed one slightly. See 70ce8fd#diff-7b69be59776552af7277e8b4a6df2794 for that was changed.

@mlocati @kryskool
Could you both please update the Italian and French Translation?
Thanks a lot.

• French
• Italian
• Chinese

Hello,
an alternative (or additional) way to provide the DKIM verification result (along with SPF and DMARC) could be to parse an Authentication-Result header if one was inserted by a trusted source such as the host which email is being downloaded from.
An example A-R header inserted by Google:
Authentication-Results: mx.google.com;
spf=neutral (google.com: 216.145.54.173 is neither permitted nor denied by domain of [email protected]) smtp.mail=[email protected];
dkim=pass [email protected];
dmarc=pass (p=REJECT dis=NONE) header.from=yahoo-inc.com

Thanks for the quick fix for the CompactHeader compatibility.

Today I encountered another problem: The DKIM Verifier addon stops responding, while I'm trying to open an rss article from a subscribed feed. I get the error message, that the script chrome://dkim_verifier/content/dkim.js:222 is not responding.

I would like to propose the following enhancement. The new option could be called "Check for missing signature and unsuccessful verification for previously verified domains" or similar.

Background Information:

The majority of e-mails one receives these days do not apply a DKIM signature. Therefore, when receiving an e-mail without a DKIM signature, one does not know if it is a legitimate e-mail from a domain not using DKIM, or a spoofed one (spam, fishing, etc.). To be sure in authenticity of the received e-mail, one would need to look up an earlier e-mail from the same domain, to see whether it applies DKIM. And similarly with e-mains with not successfully verified From: domains (verified with warnings) - one would need to check if they have been correctly verified previously (in which case they may now be forged using an attackers signing domain, etc.).

Proposal:

It would be great if the DKIM Verifier add-on had an internal database of From: domains from which successfully verified e-mails have been received in the past. To be used as follows:

• When an e-mail is (completely) successfully verified (no warnings), it's From: domain is added to the internal database.
• From: domain of e-mails without a DKIM signature and of e-mails whose signature was not successfully verified (for whatever reason/warnings not resulting in a completely successful verification) are searched for in the database. And if found in the database, the user is notified using something like:
  • For e-mails without a DKIM signature: "DKIM signature missing for previously verified domain"
  • For not successfully verified e-mails: "DKIM verification failed for previously verified domain" (with respective warning triangle and tool tip showing the failure reasons)

The highlighting color could be the one of the "invalid signature", or a new dedicated one introduced (default: red).

This option would also require:

• A button (in the add-on configuration options) to delete the entire database content.
• An option (in the "Other Actions" drop-down menu where the "Re-verify DKIM Signature" already is): "Remove From domain from previously DKIM verified". This would be useful on rare occasions where a domain indeed abandons DKIM verification and would need to be removed from the database.

Hints for database files: On Firefox, the NoScript add-on uses a "NoScriptSTS.db" file (although ASCII), while the Certificate Patrol add-on uses a "CertPatrol.sqlite" file. Both in the profile directory.

What do you think of this?

Thoughts for future (out of scope of this enhancement proposal):
One more option for future could be "public key pinning" (i.e. storage of the public key and the selector per From: domain). That would be for the paranoid assuming being under an active MITM attack, with the MITM sending an e-mail to the recipient and spoofing their DNS requests. (Like the "Certificate Patrol" add-on does on Firefox, except that they use "certificate pinning" instead of just "public key pinning".) One could then (additionally to key and selector) also store the signing domain. Which would be useful for From: domains which use a signing domain different from the From: domain, but which are nevertheless legitimate. If one "pins" their signing domain down, one can trust them too. (One would possibly also need to be able to define exceptions for certain From: domains, if they use several legitimate keys/selectors/signing domains and therefore cannot be "pinned" down to just one. Like Google does with its website certificates.)

I've tested the Add-On (1.3.6) in Thunderbird (38.2.0) with an email with multiple signatures.

From the RFC:

A message can contain multiple signatures from the same or different organizations involved with the message.

The first signature gets correctly verified, but reports a warning ("From is not in Signing Domain"). The second one (below it) gets ignored, which is the one that does actually match the From domain.

Better would be a note "TESTING MODE"

The current version (2.1.1) of the DNSSEC validator no longer includes the same dlls as 2.0.1. I'm not clear which (if any) if the new DLLs have libunbound included.

split from #15
Joey3000:

One more option for future could be "public key pinning" (i.e. storage of the public key and the selector per From: domain). That would be for the paranoid assuming being under an active MITM attack, with the MITM sending an e-mail to the recipient and spoofing their DNS requests. (Like the "Certificate Patrol" add-on does on Firefox, except that they use "certificate pinning" instead of just "public key pinning".) One could then (additionally to key and selector) also store the signing domain. Which would be useful for From: domains which use a signing domain different from the From: domain, but which are nevertheless legitimate. If one "pins" their signing domain down, one can trust them too. (One would possibly also need to be able to define exceptions for certain From: domains, if they use several legitimate keys/selectors/signing domains and therefore cannot be "pinned" down to just one. Like Google does with its website certificates.)

Unfortunately this nice addon is not compatible with https://github.com/protz/GMail-Conversation-View/ .
I have to switch to standart-view in that addon to actually see the dkim verification status.
I hope that you and @protz can figure out a way to have the addons working alongside together

Hi again!
When applying DKIM/DMARC to lists servers (Mailman, for example), there is a new option to wrap original messages and attach them to a newly created one, so DKIM signatures are "chained". With this in mind, it would be great to have dkim_verifier parse the original attached/forwarded mail headers and show results to end user.

Again, the Roundcube DKIM verificator already does this: https://github.com/pimlie/authres_status

• I sign a mail with From: [email protected]
• dkim_verifier is configured to allow subdomains in SDID
• The public key is for d=example.com, but it doesn't have any t tlag, so subdomain signing is allowed.

But dkim_verifier claims that the From is not in domain of SDID. Is it correct to show this warn, even if the three points above are true?