
Google, DKIM, and SpamAssassin

Google, once again, is doing something unfortunate with DKIM (see earlier posts on related subjects). This one is a little less their fault, just unfortunate.

Specifically, Google Groups scans each message for spam and adds a header recording which group did the scan (perhaps to avoid redundant spam scans?). This header is X-Spam-Checked-In-Group. Once the email passes through the group and is distributed outside of Google (e.g. to Yahoo email addresses), they do the responsible thing and sign the email with a DKIM signature. This DKIM signature obeys all the rules, and the set of headers it covers includes X-Spam-Checked-In-Group.

Now enter the recipient. If the recipient uses SpamAssassin to do their own spam filtering, something very unhelpful will happen. According to SpamAssassin’s documentation:

Note: before header modification and addition, all headers beginning with X-Spam- are removed to prevent spammer mischief and also to avoid potential problems caused by prior invocations of SpamAssassin.

Thus, SpamAssassin removes the header that Google added, and in so doing, invalidates the DKIM signature.

This is not a problem as long as one of the following is true:

  • DKIM validation is done before SpamAssassin filtering AND the email will not need to have that signature re-validated (e.g. it is not forwarded to, or retrieved by, any other DKIM-aware system)
  • SpamAssassin is not permitted to modify the content of the email (e.g. it is being used as a boolean test OR the headers it generates are being saved and applied to the email afterward)

However, there are lots of ways in which this may not be true. For example, some people forward their email on to other systems, or have their email fetched into other systems (e.g. via fetchmail or via Gmail’s POP3 fetching service).

The choice of header name is the unfortunate thing. If SpamAssassin had chosen to use X-SpamAssassin- or some other more specific header prefix, or if Google had chosen a Google-specific prefix such as X-Gmail-Spam-Checked-In-Group, this could all have been avoided. But… here we are.
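As an added example (not from the original post), the Python below parses a constructed message whose DKIM signature covers X-Spam-Checked-In-Group, emulates SpamAssassin's removal of X-Spam-* headers, and shows that the relaxed-canonicalized header input to the signature hash changes, which is exactly why verification fails afterward. The domains, header values and the bh=/b= placeholders are made up; no real key or signature is verified.

```python
import re
from copy import deepcopy
from email import message_from_string

# Constructed sample, not a real Google Groups message: the DKIM-Signature h= tag
# lists X-Spam-Checked-In-Group; bh= and b= are placeholders, nothing is verified.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=groups.example.test;
 s=sel; h=from:subject:x-spam-checked-in-group;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
X-Spam-Checked-In-Group: some-group@groups.example.test
From: Alice <alice@example.test>
Subject: Hello   from the   group

Body text.
"""

def load(text):
    return message_from_string(text)

def dkim_tags(msg):
    """Parse DKIM-Signature into a tag -> value dict (RFC 6376 tag=value list)."""
    raw = re.sub(r"\s+", "", msg["DKIM-Signature"])  # unfold, drop all whitespace
    return dict(t.split("=", 1) for t in raw.split(";") if t)

def signed_headers(msg):
    """Header names covered by the signature, lowercased, in h= order."""
    return [h.lower() for h in dkim_tags(msg)["h"].split(":")]

def relaxed_header_input(msg):
    """Header part of the DKIM hash input under relaxed canonicalization: lowercase
    name, unfolded value, whitespace runs collapsed; absent headers add nothing."""
    lines = []
    for name in signed_headers(msg):
        value = msg.get(name)
        if value is not None:
            lines.append(name + ":" + re.sub(r"\s+", " ", value).strip())
    return "\r\n".join(lines) + "\r\n"

def strip_x_spam(msg):
    """Copy of msg with every X-Spam-* header removed, as SpamAssassin does."""
    copy = deepcopy(msg)
    for name in set(copy.keys()):
        if name.lower().startswith("x-spam-"):
            del copy[name]  # deletes every occurrence of that header
    return copy

def headers_broken_by_stripping(msg):
    """Signed headers SpamAssassin will strip; any hit means the signature fails."""
    return [h for h in signed_headers(msg) if h.startswith("x-spam-")]
```

Running headers_broken_by_stripping over incoming mail before SpamAssassin rewrites it is a cheap way to see how often this collision actually hits your traffic.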

This page contains a single entry from the blog posted on October 26, 2016 8:47 AM.

The previous post in this blog was Noodler Black Inks.

The next post in this blog is Fantastical 2 vs BusyCal.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.