Describe the bug
When an email includes multiple DKIM signatures with the same canonicalisation algorithm but different l= tag values then only the first signature passes and the following ones fail.
Main problem that occurs is that some DMARC checks fail. If the sender has signed the email with a l= tag and intermediate MTA adds another signature using the same canonicalisation but without l= then Rspamd validates the non-aligning signature from the MTA but fails the aligning signature from the sender and thus also fails DMARC.
Expected behavior
Rspamd correctly validates both signatures.
rspamd --version
Rspamd daemon version 2.6
l tag is brain damaged by design. I was very reluctant to support it as there are almost no good reasons for it to exists.
Yeah, I agree, I was super surprised to see that someone (a large company) actually uses it.
It should work now :)
Awesome, we'll try it out!
I built rspamd from sources and can confirm that all my test emails now have a passing DKIM/DMARC. Thank you!