Google, once again, is doing something unfortunate with DKIM (see earlier posts on related subjects). This one is a little less their fault, just unfortunate.
Specifically, Google Groups scan for spam and add a header to indicate which Group scanned for spam (perhaps they do this to avoid redundant spam scans?). This header is X-Spam-Checked-In-Group
. Once the email passes through the group and is distributed outside of Google (e.g. to Yahoo email addresses), they do the responsible thing and sign their email with a DKIM signature. This DKIM signature obeys all the rules, and includes in the signature the X-Spam-Checked-In-Group
header.
Now enter the recipient. If the recipient uses SpamAssassin to do their own spam filtering, something very unhelpful will happen. According to SpamAssassin’s documentation:
Note: before header modification and addition, all headers beginning with
X-Spam-
are removed to prevent spammer mischief and also to avoid potential problems caused by prior invocations of SpamAssassin.
Thus, SpamAssassin removes the header that Google added, and in so doing, invalidates the DKIM signature.
This is not a problem as long as one of the following is true:
- DKIM Validation is done before SpamAssassin filtering is done AND the email will not need to have that signature re-validate (e.g. it is not forwarded or retrieved by any other DKIM-aware system)
- SpamAssassin is not permitted to modify the content of the email (e.g. it is being used as a boolean test OR the headers it generates are being saved and applied to the email afterward)
However, there are lots of ways in which this may not be true. For example, some people forward their email on to other systems, or have their email fetched into other systems (e.g. via fetchmail or via Gmail’s POP3 fetching service).
The choice of header name is the unfortunate thing. If SpamAssassin had chosen to use X-SpamAssassin-
or some other more specific header prefix, or if Google had chosen a Google-specific prefix such as X-Gmail-Spam-Checked-In-Group
, this could all have been avoided. But… here we are.