Version:
OpenDKIM version - 2.11.0~beta2-8+deb12u1
Distro - Debian 12 (bookworm)
Relevant Config:
AlwaysAddARHeader - true
SoftwareHeader - true
WeaksyntaxChecks - true/false, same result either way
Issue:
If OpenDKIM tries to verify mail with a malformed signature (such as "DKIM-Signature: eeee"), it will give a syntax error and accept/reject the mail based off of the "On-BadSignature" option. This is expected, however, if the mail is accepted, no authentication header or software header will be added, even if these options are set.
Other:
From my understanding, one purpose of having the option to always add an authentication header or software header is to make it easier to distinguish between mail that was processed by OpenDKIM and failed, and mail that was not processed in the first place. In my case, I am using it to distinguish between local mail that doesn't need to be signed/verified and external mail that does for a Sieve filter. So, I see this as an issue, as it treats mail which failed a DKIM test the same as mail which was never subject to one. My reasoning is the same as the reasoning in this issue.
However, this might be a non-issue. There might be a reason why OpenDKIM should not or cannot add these headers in such an error which I am not aware of. In that case there are possible workarounds for users like me. Because of the Lua scripting support, you can actually fix this with a minimum of one line (something like odkin.add_header(ctx, "X-dkim-checked", "yes") if you just want to see if the mail was processed), so I guess the real question here is whether or not it's better to have the auth/software headers added on syntax errors by default or to just let users who want that behavior to configure such a workaround. Ideally the former would be implemented, since it would line up with the stance in the sourceforge issue that mail which can't be properly checked still deserves an auth header, but the latter is easier (and such behaviour may only be desired by a small niche).
Version:
OpenDKIM version - 2.11.0~beta2-8+deb12u1
Distro - Debian 12 (bookworm)
Relevant Config:
AlwaysAddARHeader - true
SoftwareHeader - true
WeaksyntaxChecks - true/false, same result either way
Issue:
If OpenDKIM tries to verify mail with a malformed signature (such as "DKIM-Signature: eeee"), it will give a syntax error and accept/reject the mail based off of the "On-BadSignature" option. This is expected, however, if the mail is accepted, no authentication header or software header will be added, even if these options are set.
Other:
From my understanding, one purpose of having the option to always add an authentication header or software header is to make it easier to distinguish between mail that was processed by OpenDKIM and failed, and mail that was not processed in the first place. In my case, I am using it to distinguish between local mail that doesn't need to be signed/verified and external mail that does for a Sieve filter. So, I see this as an issue, as it treats mail which failed a DKIM test the same as mail which was never subject to one. My reasoning is the same as the reasoning in this issue.
However, this might be a non-issue. There might be a reason why OpenDKIM should not or cannot add these headers in such an error which I am not aware of. In that case there are possible workarounds for users like me. Because of the Lua scripting support, you can actually fix this with a minimum of one line (something like
odkin.add_header(ctx, "X-dkim-checked", "yes")if you just want to see if the mail was processed), so I guess the real question here is whether or not it's better to have the auth/software headers added on syntax errors by default or to just let users who want that behavior to configure such a workaround. Ideally the former would be implemented, since it would line up with the stance in the sourceforge issue that mail which can't be properly checked still deserves an auth header, but the latter is easier (and such behaviour may only be desired by a small niche).