trusteddomainproject / OpenDKIM


Errors when DKIM-Signature: contains UTF-8 (Apple, Oracle, IBM, Meta) #217

Open hlein opened 2 months ago

hlein commented 2 months ago

opendkim errors when DKIM-Signature: headers contain UTF-encoded strings:

May 27 20:40:08 marc1 opendkim[13384]: E5ED79C600B0: syntax error: syntax error in \
    signature data (ASCII 0x3d at offset 1)
May 27 20:40:12 marc1 opendkim[13384]: 0C5509C600B0: syntax error: syntax error in \
    signature data (ASCII 0x3d at offset 3)
May 27 20:40:35 marc1 opendkim[13384]: 149A89C600B0: syntax error: syntax error in \
    signature data (ASCII 0x3d at offset 1)

Here's the header from one of those:

DKIM-Signature: =?UTF-8?Q?v=3D1;_a=3Drsa-sha256;_c=3Drelaxed/relaxed;_d=3Doracle.com;_h?=
 =?UTF-8?Q?=3Dcc:content-transfer-encoding:content-type:date:from:in-reply?=
 =?UTF-8?Q?-to:message-id:mime-version:references:subject:to;_s=3Dcorp-202?=
 =?UTF-8?Q?3-11-20;_bh=3DMJ63BXRqcRI5/Zucr20VFUaB4J75kGKHLO/sXoQkibU=3D;_b?=
 =?UTF-8?Q?=3DQodZoF4RICOTovBa94ZGR2+FkiJGbWczNGp9S9qCXmYiblhY5fRmSUI2KLaA?=
 =?UTF-8?Q?UMBwzAzO_Kp/45t1T2+GTfCq5SFnvvtMahpZTYu8f58zgBZinynTIbroZQ4T6Jp?=
 =?UTF-8?Q?nOo0ZZUoOn2Pss_iGmL/H4oZeyPgUfAXDZEwlD2jP02GwasKihSpTO37T+/6XRL?=
 =?UTF-8?Q?VBC1kwS/jIOqHUs4bKP+_KHC1Kb5+2nLYwPk9wm6wxnDGC2NHjb02JJgN6gmyxW?=
 =?UTF-8?Q?pquyZiVWMsS/Wb+7Sd+remCwhk_4YeBE3oRbv9M8CSSj9vZKSKctnrBspk9g/0V?=
 =?UTF-8?Q?b0wxaBCHR1Qz/c/6d+Sn8nafEjg6Ts00_1A=3D=3D_?=

I had only noticed plain ASCII DKIM-Signature: values, but maybe it's permitted? In https://datatracker.ietf.org/doc/html/rfc6376#section-3.2:

3.2. Tag=Value Lists

   DKIM uses a simple "tag=value" syntax in several contexts, including
   in messages and domain signature records.
...
      INFORMATIVE IMPLEMENTATION NOTE: Although the "plain text" defined
      below (as "tag-value") only includes 7-bit characters, an
      implementation that wished to anticipate future standards would be
      advised not to preclude the use of UTF-8-encoded ([RFC3629]) text
      in tag=value lists.

So it would be nice if opendkim supported these, or if not, recognized the =?charset?Q? syntax and gave a more specific error message.

Some quick stats for MARC:

Top d= mentioned:

egrep -A2 '^DKIM-Signature:' * | sed -E -n 's/.*d=3D([^;]+);.*/\1/p' | sort | uniq -c | sort -rn
    713 webkit.org
     51 oracle.com
     50 ibm.com
      2 meta.com

Where webkit.org runs off of apple.com mailservers. It seems they started emitting UTF8 DKIM-Signature: values around 2024-05-23, IBM and Oracle both around 2024-05-25, first seen from Meta on 2024-05-27. Common thread, all four use ProofPoint in some way or another (pphosted.com, and/or have X-Proofpoint-... headers). So maybe PP rolled out an update or config change that started doing this.
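As an added illustration of the two things asked for above (recognising the =?charset?Q? syntax so the verifier can say so, and pulling d=/s= out of such headers for stats), here is a small Python checker. It is example code written for this thread, not OpenDKIM's own parser: it unfolds the header, decodes any RFC 2047 encoded-words (Q and B), then parses the tag=value list and reports whether the header was plain, carried encoded-words, or is missing required tags. The encoded sample is the oracle.com header quoted in the issue; the plain sample and the tag set treated as required are constructed for the example, and whitespace inside tag values is simply stripped, which is a simplification of RFC 6376's FWS handling.

```python
from __future__ import annotations

import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([QqBb])\?([^?\s]*)\?=")

# Header value quoted in the issue (field name removed, folding kept).
ENCODED_SAMPLE = (
    "=?UTF-8?Q?v=3D1;_a=3Drsa-sha256;_c=3Drelaxed/relaxed;_d=3Doracle.com;_h?=\n"
    " =?UTF-8?Q?=3Dcc:content-transfer-encoding:content-type:date:from:in-reply?=\n"
    " =?UTF-8?Q?-to:message-id:mime-version:references:subject:to;_s=3Dcorp-202?=\n"
    " =?UTF-8?Q?3-11-20;_bh=3DMJ63BXRqcRI5/Zucr20VFUaB4J75kGKHLO/sXoQkibU=3D;_b?=\n"
    " =?UTF-8?Q?=3DQodZoF4RICOTovBa94ZGR2+FkiJGbWczNGp9S9qCXmYiblhY5fRmSUI2KLaA?=\n"
    " =?UTF-8?Q?UMBwzAzO_Kp/45t1T2+GTfCq5SFnvvtMahpZTYu8f58zgBZinynTIbroZQ4T6Jp?=\n"
    " =?UTF-8?Q?nOo0ZZUoOn2Pss_iGmL/H4oZeyPgUfAXDZEwlD2jP02GwasKihSpTO37T+/6XRL?=\n"
    " =?UTF-8?Q?VBC1kwS/jIOqHUs4bKP+_KHC1Kb5+2nLYwPk9wm6wxnDGC2NHjb02JJgN6gmyxW?=\n"
    " =?UTF-8?Q?pquyZiVWMsS/Wb+7Sd+remCwhk_4YeBE3oRbv9M8CSSj9vZKSKctnrBspk9g/0V?=\n"
    " =?UTF-8?Q?b0wxaBCHR1Qz/c/6d+Sn8nafEjg6Ts00_1A=3D=3D_?="
)

# Constructed plain-ASCII sample; the bh=/b= values are placeholders, not real.
PLAIN_SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
    " h=from:to:subject; bh=CONSTRUCTEDbodyhash=;\n"
    " b=CONSTRUCTEDsignature=="
)

# Tags RFC 6376 section 3.5 marks REQUIRED (set chosen for this example).
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def unfold(header_value: str) -> str:
    """Undo RFC 5322 folding: a line break followed by whitespace is one space."""
    return re.sub(r"\r?\n[ \t]+", " ", header_value)


def decode_encoded_words(value: str) -> tuple[str, bool]:
    """Decode every RFC 2047 encoded-word in value.

    Returns (decoded_text, found_any). Whitespace that separates two adjacent
    encoded-words is dropped, as RFC 2047 section 6.2 requires.
    """
    if not ENCODED_WORD.search(value):
        return value, False
    value = re.sub(r"(\?=)[ \t]+(=\?)", r"\1\2", value)

    def repl(m: re.Match) -> str:
        charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "Q":
            # header=True turns '_' into a space, per RFC 2047 section 4.2
            raw = quopri.decodestring(text.encode("ascii"), header=True)
        else:
            raw = base64.b64decode(text)
        return raw.decode(charset, errors="replace")

    return ENCODED_WORD.sub(repl, value), True


def parse_tag_list(text: str) -> dict[str, str]:
    """Split a tag=value list on ';' and strip whitespace from each value."""
    tags: dict[str, str] = {}
    for item in text.split(";"):
        if "=" not in item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def diagnose(header_value: str) -> dict:
    """Classify a DKIM-Signature: value as ok, encoded-word or malformed."""
    decoded, used_encoded_word = decode_encoded_words(unfold(header_value))
    tags = parse_tag_list(decoded)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if used_encoded_word:
        # RFC 2047 syntax is not valid here, but the tags are still readable
        status = "encoded-word"
    elif missing:
        status = "malformed"
    else:
        status = "ok"
    return {"status": status, "tags": tags, "missing": missing}


if __name__ == "__main__":
    for sample in (ENCODED_SAMPLE, PLAIN_SAMPLE):
        result = diagnose(sample)
        print(result["status"], "d=" + result["tags"].get("d", "?"),
              "s=" + result["tags"].get("s", "?"), "missing:", result["missing"])
```

Run against the oracle.com header it reports encoded-word with d=oracle.com and s=corp-2023-11-20 and no missing tags, which is the kind of message the issue asks for instead of "syntax error in signature data (ASCII 0x3d at offset 1)"; a verifier that wanted to stay strict could still reject the signature while logging that reason.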

futatuki commented 2 months ago

As far as I read RFC 2047 and RFC 6376, since the body field of the DKIM-Signature: header is not defined as '*text' and does not contain any phrase, encoded-word cannot be used within it (RFC 2047 section 5 (1)-(3)).

It seems the phrase "UTF-8-encoded ([RFC3629]) text" in the quote above does not refer to encoded-word in RFC 2047, but to an encoding that maps Unicode characters into an octet stream.

So I think those DKIM-Signature: headers are broken.

hlein commented 2 months ago

So I think those DKIM-Signature: headers are broken.

They might be, but I think OpenDKIM needs to handle them anyway. ...Do you think we have much chance convincing Apple, Oracle, IBM, Meta to change their ways?

futatuki commented 2 months ago

...Do you think we have much chance convincing Apple, Oracle, IBM, Meta to change their ways?

Probably not directly, but it is enough to reject mails like those if they don't pass domain verification because of those broken DKIM-Signature headers, regardless of whether they really come from those domains or not. webkit.org, ibm.com and meta.com declare their DMARC policy as 'reject' and oracle.com declares it as 'quarantine'. Otherwise, what is the meaning of the existence of RFC standards?