Why does DKIM verification succeed with a signature from Yahoo when all headers are spoofed to look like GMail?

Question

Today I got a scam e-mail which I decided to disect. I quickly found that it was sent from a GMail address (From, Reply-To, Return-Path) but that the mail itself came from Yahoo.

• HELO from Yahoo
• Received from IP maps both forward and reverse
• Mail has valid DKIM signature for yahoo.com
• Mail soft-fails GMail SPF because a Yahoo-owned IP is not part of it

I've piped the mail through opendkim-testmsg, which tells me the message is fine.

I'm really confused by all of this. Of course anyone can technically sign any email using DKIM for their own domain, even if it doesn't match any of the domains used in the mail. But why would Yahoo do this? And why doesn't OpenDKIM indicate that there's something phishy about this mail, even though the Return-Path domain and the DKIM domain don't match?

By popular request, some e-mail headers. Please note that this e-mail has been through a corporate mail washing service, Exchange and I stripped a lot of identifying data. The DKIM signature for the header portion still matches, though. I've omitted the body, but it also validates.

Received-SPF: softfail (MYMX: transitioning domain of gmail.com does not designate 87.248.110.97 as permitted sender) client-ip=87.248.110.97; envelope-from=helenslomonn@gmail.com; helo=sonic302-34.consmr.mail.ir2.yahoo.com;
Received: from sonic302-34.consmr.mail.ir2.yahoo.com ([87.248.110.97])
    by MYMX with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
    (envelope-from <helenslomonn@gmail.com>)
    for MYNAME@MYDOMAIN; Wed, 28 Feb 2018 05:03:02 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1519822976; bh=35/Syp7oOntp7GfGR2tdK316KBE4uAxZC5lOM//DYjg=; h=Date:From:Reply-To:Subject:References:From:Subject; b=KvnuAmNY1sujXiLsVnNqOJzF3MFxu/jY93zu5QKtbWRy9nMOhomUrZ+398oRwLC0P0RAkCbOj5a2x5JZtrZG4/71RKmHD/ftzOJI2goX2A4KaWrsczH4RsR/kfvpmz0jNRF4nxZONN4a5NKLavt6WPG7yWokVrGh2n/zUZPiFFv8kZL0uNPdIyCC94OiBh0c6GlSRpmTe0GbTQmbDgXZ+8nf7O5kiWpALbpSBHJ22QmdFhLLQWS18xZhl/AwprHFV+txsWtat02ldjYUmoGKhXNmTcWHDLPw7n5uyKXwsaOuX1uXSLzaWUgpnrD/v/FonebJoo1qkcnZoziov6TJmw==
X-YMail-OSG: dOZOfQ0VM1lyzg2OUT1yoveGRURYm6FHV_CU8qWTCRbr8jkKD_gBSwprVT5nSNr
 oxL32bI8ge8m_n_BDyDXFKnfZTDdFMGUPxFQt8bl2TLbWIC72.HGgEg6S8trxoSkeYLsPM8tUIhL
 XPCdlp3sNlz4quLJyyJznVo55S3vYeLt5fYSOqw2kJtOvf3l.puohOlVCc5WBZO1lp82MLbBi0rq
 0tCsbA3xDFW8_3JsxoJGinZ8fn0BBoqUfkfFdGv7UyoM94wlv4_GWYAQwIzicSQsC5od.fBm1lM_
 zSZlsV9hfeDUkwDyQiAmFq5rCUJ.3N7Lu9IKZTwnKjWvRFNudXOkEEJwW7Dg0eRNCBx.N2c.52Bi
 dfwYepO_0jqL.vF19srHCbj6PrUQjFYiIzaauD.m9IdfE692oG6o9B.w20VkMLmTcxjBKg7NC1pk
 6mWavSA7yHndoNrMfcB.liBw3XSLggRvPH60M
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ir2.yahoo.com with HTTP; Wed, 28 Feb 2018 13:02:56 +0000
Date: Wed, 28 Feb 2018 13:02:52 +0000 (UTC)
From: hs <helenslomonn@gmail.com>
Reply-To: hs <helensslomonn@gmail.com>
Message-ID: <909434698.11100734.1519822972957@mail.yahoo.com>
Subject: MRS.HELEN SOLOMON FUNDS TRANSFER ASSISTANCE.
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
References: <909434698.11100734.1519822972957.ref@mail.yahoo.com>
To: Undisclosed recipients:;
Return-Path: helenslomonn@gmail.com
MIME-Version: 1.0

Answer 1

Can't be sure without seeing the headers, but my guess is that from/reply-to/return-path are all spoofed and just handed in by the attacker as part of the SMTP transaction. As you said, the HELO is from yahoo, and it is yahoo which signed it. Yahoo isn't attesting to the value(s) of any of the headers in the transaction, just that it was injected into a yahoo server, which then dutifully DKIM-signed it, on behalf of yahoo, and off it went.

As to why OpenDKIM doesn't indicate phishy-ness when Return-Path and DKIM domain don't match, that would be a question/bug-report for the OpenDKIM folks to answer. Again, my guess is that it's only checking the domain of the MTA sender, against the DKIM signature, which will match.

I agree that seems to be a bug.

Answer 2

All DKIM does is say that certain parts of the message were not altered between the signing outbound SMTP server and the client (in this case, DKIM signed the body and several headers as identified by the b and h keys in the DKIM-Signature header).

Integrity ≠ Authority ≠ Safety

Integrity: These items being signed merely ensures they are not meddled with between the sending relay and the final recipient (you). A verified match on the signatures will prove only that the server saw the same content that you do.

✅ This message with valid DKIM has integrity, so you see it as its sender intended.

Authority: DMARC (and SPF) can determine whether the message was approved by the domain in question (gmail.com). SPF lists mail servers allowed to send for the given domain and DMARC describes policies to be followed if the message lacks aligned SPF or DKIM. (Alignment means the From header matches the enveolope mail from (for SPF) or the DKIM-Signature header's d key (DKIM). It can be "strict" for exact host matches or else "relaxed" for organizational domain matches.)

DKIM's d=yahoo.com doesn't align with the From's @gmail.com, so that does not pass DMARC. SPF fails (Yahoo's infrastructure is not permitted by GMail) … and isn't aligned anyway.

❌ This message lacks valid + aligned DKIM or SPF, so it is not authorized.
      _{… Though the DMARC policy (p=none) does not dictate an action, so it was delivered to you.}

Safety is something that servers have little control over. If a user gets compromised (or was malicious to begin with), the account can be used to send signed spam. Most outbound mail relays, especially the free ones like Yahoo and GMail, have outbound spam detection capabilities, but all spam detection systems have hits and misses, and most (especially for outbound) err on the side of delivery (allow malicious mail through as false negatives rather than trapping legitimate mail as false positives).

⚠️ DKIM, SPF, and DMARC do not judge content safety, just integrity and authority.

Answer 3

I hope that I am cutting to the heart of the question as it is now expressed.

DKIM is not meant to verify that the envelope contents are accurate to their domain. DKIM authorises the email and the receiver uses the DKIM protocol to verify that the email was authorised to be sent from the mailer recorded in the envelope.

From the RFC:

DKIM allows an organization to take responsibility for transmitting a message, in a way that can be verified by a recipient.

This allows an intermediary to sign and authorise the sending of the email and for an emailer to send on behalf of other domains.

So, in your instance, someone crafted a spoofed sender, but used the Yahoo email client and mailer to send out. SPF fails (as it should) but the DKIM protocol does exactly what it is supposed to: it signs the envelope and the mailer sends it out as a legitimate email sent from its systems. The receiver can see that the mail was authorised to be sent by the Yahoo mailer and not modified in transit, thanks to DKIM.

So, yes, what you see in your header is possible, yet completely valid, according to the DKIM protocol. The sender does not verify; it authorises.

What's the point of DKIM, then? DKIM is useful in many ways, including preventing manipulation in transit, but also to prevent a custom email server that is configured to spoof a legitimate emailer. For instance, if I craft an email server and configure all envelopes to state that the emailer is Yahoo. DKIM ensures that when the receiver gets the email, the IP and domains and signatures do not match.

DKIM has a very narrow and specific use case. That use case is very helpful but has known limitations, like this one. That's why the recommendation is to combine SPF, DKIM, and DMARC. DMARC is the protocol that tells the receiver what to do when SPF fails (like it did) but DMARC passes. DMARC ties the protocols together and together the policy can be crafted that would have rejected this email on your system.