[GH-ISSUE #99] Signer doesn't sign NDR with empty FromAddress #76

Closed
opened 2026-02-26 10:35:40 +03:00 by kerem · 10 comments

Originally created by @mr-flibble on GitHub (Oct 8, 2015).
Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/99

Hello, my DKIM signing is working fine, but I noticed a strange Warning in the Application event log from source Exchange DKIM:
`Invalid from address: '<>'. Not signing email.`

I have about one hundred of these events every day. (With log level Warning)

[Screenshot: dkimproblemlog]

With debug event level enabled I get these events:
CSV here: http://pastebin.com/Xv6MPPSw

```
Level   Date and Time   Source  Event ID    Task Category
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    Exchange DKIM settings loaded: RsaSha1, Canonicalization Header Algorithm: Relaxed, Canonicalization Body Algorithm: Relaxed, Number of domains: 1
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    Exchange DKIM settings loaded: RsaSha1, Canonicalization Header Algorithm: Relaxed, Canonicalization Body Algorithm: Relaxed, Number of domains: 1
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    Exchange DKIM settings loaded: RsaSha1, Canonicalization Header Algorithm: Relaxed, Canonicalization Body Algorithm: Relaxed, Number of domains: 1
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: DkimSigner initiallized
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: DkimSigner initiallized
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: DkimSigner initiallized
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: DkimSigner initiallized
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    Exchange DKIM settings loaded: RsaSha1, Canonicalization Header Algorithm: Relaxed, Canonicalization Body Algorithm: Relaxed, Number of domains: 1
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Initializing DkimSigner
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Initializing DkimSigner
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Initializing DkimSigner
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Initializing DkimSigner
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Got new message, checking if I can sign it...
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Message is a System message or of TNEF format. Not signing.
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Got new message, checking if I can sign it...
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Message is a System message or of TNEF format. Not signing.
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Got new message, checking if I can sign it...
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Message is a System message or of TNEF format. Not signing.
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: No entry found in config for domain 'contoso.com'
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Got new message, checking if I can sign it...
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Got new message, checking if I can sign it...
Warning 8. 10. 2015 12:36:47    Exchange DKIM   0   None    Invalid from address: '<>'. Not signing email.
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: Got new message, checking if I can sign it...
Information 8. 10. 2015 12:36:47    Exchange DKIM   0   None    DEBUG: No entry found in config for domain 'acprofin.cz'
```

I have :
Exchange 2013 CU7 (15.0.1044.25)
2012 R2
DKIM signer 2.1.4

Do you know where the problem is, please? Thank you.


@Pro commented on GitHub (Oct 8, 2015):

It seems that your server is sending E-Mails where no From address is set, therefore you get this error (see https://github.com/Pro/dkim-exchange/blob/9deeca73ab016097a4a3aadd91b234315266d2c6/Src/Exchange.DkimSigner/DkimSigningRoutingAgent.cs#L142)

Can you use the MS Exchange Toolbox to see if the E-Mails corresponding to the given Event Log time are valid?


@mr-flibble commented on GitHub (Oct 8, 2015):

You're right! There are some undeliverable messages.

[Screenshot: dkim_spamy]

Unfortunately I can not find how to avoid them anywhere. Maybe it could be related to the quarantine mailbox where messages come even to nonexistent recipients.
On the other hand, "BlankSenderBlockingEnabled" is enabled.

Do you have a clue? Thank you.


@Pro commented on GitHub (Oct 8, 2015):

To me it looks like your server isn't configured properly which has nothing to do with DKIM signer.
Unfortunately I can't help you with that.
The indicated source IP "255.255.255.255" is also a bit strange.

Maybe googling helps you further.


@Zuz666 commented on GitHub (Oct 8, 2015):

Hi.
I have the same issue with automatic responses. Message Tracker shows only the "Return-Path" as "<>", but "Sender" and "Recipients" are valid e-mail addresses.
With Exchange Server 2010 (and 2007’s latest Service Pack) Microsoft has changed the behavior of automatic server based notifications, especially “Out of Office” replies to rely on RFC 2298. As per RFC 2298 Message Disposition Notification (MDN) messages should be sent with a blank sender. The OOF reply messages are Message Disposition Notifications. This means that the HUB Server replaces the sender's name with a blank one while transferring it to the internet.

And now we get warnings like this: "Invalid from address: '<>'. Not signing email" from [that](https://github.com/Pro/dkim-exchange/blob/9deeca73ab016097a4a3aadd91b234315266d2c6/Src/Exchange.DkimSigner/DkimSigningRoutingAgent.cs#L144) code.

Is there a workaround?

Thank you.


@Pro commented on GitHub (Oct 8, 2015):

Thanks for the info.
I could add a check to see if the from address is empty. If it is, then the message will be simply ignored and no warning message will be shown...


@AlexLaroche commented on GitHub (Oct 27, 2015):

Could we just comment out that part? (DkimSigningRoutingAgent.cs lines 141-147)
Or remove the expression "mailItem.FromAddress.DomainPart == null" from the check?

    /* Check if we have a valid From address */
    if (!mailItem.FromAddress.IsValid || mailItem.FromAddress.DomainPart == null)
    {
        Logger.LogWarning("Invalid from address: '" + mailItem.FromAddress + "'. Not signing email.");
        return;
    }

@Pro commented on GitHub (Oct 28, 2015):

@AlexLaroche I think the best solution for this is to comment out the `Logger.LogWarning` and keep the rest of the check, so that DKIM Signer silently ignores empty from addresses?


@InfoStroy commented on GitHub (Oct 30, 2015):

@Pro The real problem is we have to sign all outgoing messages to implement DMARC policy like reject or quarantine. All DSNs and MDNs (aka Return receipts) have to be signed.

[For MDNs (RFC 3798) - page 8](https://tools.ietf.org/html/rfc3798#page-8)

> The From field of the message header of the MDN MUST contain the
> address of the person for whom the message disposition notification
> is being issued.
>
> The envelope sender address (i.e., SMTP MAIL FROM) of the MDN MUST be
> null (<>), specifying that no Delivery Status Notification messages
> or other messages indicating successful or unsuccessful delivery are
> to be sent in response to an MDN.

[For DSNs (RFC 3461) - page 19](http://tools.ietf.org/html/rfc3461#page-19)

> 6.1 SMTP Envelope to be used with Delivery Status Notifications
>
> The DSN sender address (in the SMTP MAIL command) MUST be a null
> reverse-path ("<>"), as required by section 5.3.3 of [11]. The DSN
> recipient address (in the RCPT command) is copied from the MAIL
> command which accompanied the message for which the DSN is being
> issued.


@Pro commented on GitHub (Oct 30, 2015):

@InfoStroy thanks for the info!
So this means that we also need to sign outgoing mails which have an empty from address.

This leads to the problem on how to detect the from domain part correctly to select the correct signing key. Currently this is done using the DomainPart of the FromAddress.

I need to check if it is stored somewhere in one of the headers


@Zuz666 commented on GitHub (Oct 30, 2015):

@InfoStroy thank you for your interest in the issue! You're right.
@Pro perhaps in this case it is necessary to use mailItem.Message.EmailMessage.Sender property (only when mailItem.FromAddress.DomainPart == null)
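
The key-selection problem raised in the last two comments, as an added Python sketch that is not part of the original thread and not code from dkim-exchange: when the envelope sender is the null reverse-path, the signing domain is taken from the header From, then from Sender. The function names, the sample DSN and the `SIGNING_KEYS` table are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a bounce (DSN). Its envelope sender is the null
# reverse-path "<>", but the header From still carries a real address.
SAMPLE_DSN = """\
From: Postmaster <postmaster@example.com>
To: alice@remote.example
Subject: Undeliverable: hello

Delivery has failed.
"""

# Hypothetical signer configuration: domain -> DKIM selector.
SIGNING_KEYS = {"example.com": "sel2015"}


def domain_of(addr):
    """Lower-cased domain of an address, or None for "<>" and malformed input."""
    local, at, domain = addr.strip().strip("<>").rpartition("@")
    return domain.lower() if at and local and domain else None


def header_domain(msg, name):
    """Domain of a header holding exactly one mailbox, otherwise None."""
    addrs = [a for _, a in getaddresses(msg.get_all(name, [])) if a]
    return domain_of(addrs[0]) if len(addrs) == 1 else None


def pick_signing_domain(envelope_from, raw_message, keys=SIGNING_KEYS):
    """Return (source, domain) for the key to sign with, or None to skip.

    A non-null envelope sender decides alone, as the thread describes the
    current check. Only for a null envelope sender are the headers read:
    From first (the domain DMARC evaluates), then Sender as suggested above.
    """
    envelope_domain = domain_of(envelope_from)
    if envelope_domain is not None:
        candidates = [("envelope", envelope_domain)]
    else:
        msg = message_from_string(raw_message)
        candidates = [(h, header_domain(msg, h)) for h in ("From", "Sender")]
    for source, domain in candidates:
        if domain in keys:
            return source, domain
    return None


if __name__ == "__main__":
    print(pick_signing_domain("<>", SAMPLE_DSN))
```

A `None` result corresponds to the "No entry found in config for domain" case in the debug log: the message is passed on unsigned.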
