Ah, but I was right for the wrong reasons, I also only now understand it fully. Thanks for the nice discussion.

phrase is 1*word, not word. The difference to obs-phrase is that it allows dots (“.”) and folding whitespace. Not that it allows whitespace.

In the same example, the Mary Smith is not the issue, rather the @machine.tld, as is written in the description.

John Q. Public is an issue because of the dot, not the spaces. The spaces are an issue in jdoe@test . example, as that’s actually an address, not a name

See here: https://gehirneimer.de/m/[email protected]/t/918726/-/comment/8449841

I had to think about this for a while, but the standard is only obsoleting folding white space, i.e. white space that wraps lines, such as:

Subject: This
 is a folded line

which is equivalent to

Subject: This is a folded line

As I understand it, white space is allowed before and after obsoletion. Or do I understand it wrong?

Edit:

I think in the obsoleted language the following would have been allowed for a From: field as well:

From: John
 Smith <j.smith@example.com>

The unquoted names with whitespace are legal, as stated in A.5: https://www.rfc-editor.org/rfc/rfc2822#appendix-A.5

The section of obsolete syntax in the appendix starts just below A.5., unfortunately.

I agree though, that a quoted string seems to be perfectly legal as well, so there is no good reason for google to change it.

Yes, it seems it does that. I assume it has some processing chain involving decode -> process -> encode of the whole mail, and usually that works out and the DKIM check passes. Apparantly, if you send something non-standard the decode and encode are not symmetrical and this happens. IMHO it shouldn’t, so I agree. Especially, showing users mails with broken authentication seems broken as well to me.

Usually, the important parts of the mail, such as subject, sender and contents are protected by DKIM authentication. Unfortunately this is usually not visible to the end-user, i.e. as in my case, where mails fail DKIM, but are still presented in my inbox.

Mail servers and relays add headers to the mail as it goes, for example their own IPs to trace the mail, or authentication results if authentication happens at various endpoints.

In the end, the mail as in the gmail postbox is the result of the original mail, and all these additions of the mail relays. In an ideal world only DKIM authenticated would be presented to the end-user, but the world of mail seems to be so broken, that many sending servers just do not apply DKIM/DMARC correctly, and thus many receivers accept broken mail.

Will play around with that and report back :)

I think it’s technically an encoding bug in lettre, which is used in matrix authentication services: https://github.com/lettre/lettre . As far as I can tell, exim is relaying the messages “correctly” or at least without altering them.

I.e. lettre should not add quotes for whitespace. But also google shouldn’t alter messages before authenticating. In an ideal world, both sides are fixed ^^

Yes, I’ve seen one other header change: gmail seems to (again sometimes?) enforce Message-ID fields in the header, and may add or change it if it doesn’t match it’s internal requirements. Interestingly, I’ve seen both my mailserver getting “rejected because missing message-id” messages, and messages passing to the mailbox, but with a google-added Message-ID in the raw source.

For my specific case of DKIM failures, I’ve not noticed other differences.

If I take the specific raw source from gmail, i.e. after processing by google, re-add the quotes, and manually check the DKIM signature, the signature passes. With other words, the quotes are literally the only relevant change in my case.

Ah interesting, I’m sending from my own domain and IP with DMARC set up to quarantine.

Yes, the mail server is accepting it because gmail accepts the mail if either SPF or DKIM passes (not AND). My observation is that google for some reason sometimes puts the mail into spam, and sometimes into the regular mailbox. In both cases the headers show dkim=fail and spf=pass and I have no idea why it’s not deterministic. I’ve also tested this with same/similar mail contents.

Edit: To be honest, I also don’t think that mail from my domain should be “sometimes” in the regular mailbox, if DKIM fails and DMARC has adkim=quarantine.