Apple Store receipt lost due to bad signature from Apple's misconfigured e-mail server
I run my own mail server. The mail server logs captured this failed attempt by Apple to send mail to me (my address is REDACTED@REDACTED.com):
Dec 31 15:16:37 milter-greylist: (unknown id): Sender IP 220.127.116.11 and address <firstname.lastname@example.org> are SPF-compliant, bypassing greylist
Dec 31 15:16:37 postfix/smtpd: B8D6F40133: client=mail-out21.apple.com[18.104.22.168]
Dec 31 15:16:38 postfix/cleanup: B8D6F40133: message-id=<1788176292.1483197395559.JavaMail.email@example.com>
Dec 31 15:16:38 opendkim: B8D6F40133: s=mailout2048s d=apple.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Dec 31 15:16:38 opendkim: B8D6F40133: bad signature data
Dec 31 15:16:38 postfix/cleanup: B8D6F40133: milter-reject: END-OF-MESSAGE from mail-out21.apple.com[22.214.171.124]: 5.7.0 bad DKIM signature data; from=<firstname.lastname@example.org> to=<REDACTED@REDACTED.com> proto=ESMTP helo=<mail-in21.apple.com>
Dec 31 15:16:43 ip-172-31-32-215 postfix/smtpd: disconnect from mail-out21.apple.com[126.96.36.199] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
Timestamps are UTC.
Steps to Reproduce:
1. On 2016-12-31, at 10:15 Montreal Time, I bought something from the Sainte Catherine Apple Store.
2. I paid by credit card. When asked whether I wanted the receipt on paper or by e-mail, I said that e-mail was fine.
3. The e-mail bounced due to an invalid DKIM signature. (See http://dkim.org.)
The DKIM signature should be valid, matching the published key for mailout2048s._domainkey.apple.com, which, at the time of this writing, is:
mailout2048s._domainkey.apple.com. 60 IN TXT "v=DKIM1;" "k=rsa;" "h=sha256;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4c/TfEpA3ry1fYjhKQl5" "pEZorCF66/9U3IBJLGv01Fxzj54jNfedegeafYCWiX8nBwSVcAs2MiQsJt2ZtND+" "Uuqag637yAw7VbmXiVkinU/QKSHy7+314VQWf1ic6RpnT6DfyHJk7tyOM3DiXKya" "1VrPDqHMau3KwW0M9wrxKe1GOQWtxryxconUUGylTL7ObaneqyyNBu4OYDtvH39K" "AxUys1S32lus2HutCb9/Ef9ztHEpthYh5+iNN4UvUwVGLqA3nJfHDG3AxSuBC01l" "6WQiOMVaZDCDGLGh9A01Nuy3I91v9xm7Q9Y1jLspfsRerBet1MGHfzYXX5roneGb" "MwIDAQAB"
Mail from Apple was rejected due to an invalid DKIM signature.
Since the mail was rejected, all I have as evidence of this transaction on 2016-12-31 is those few lines in my mail server log.
However, having discovered the problem, I also dug through my history and found a similar receipt from 2016-02-15, captured from a time when my server was not yet verifying DKIM signatures. (See attachment.) It also fails DKIM verification today — assuming that the DKIM key has not changed in the past year.
For comparison, I have attached another e-mail from 2016-02-21 for a Genius Bar appointment, whose signature is valid. It uses the "emailapple2048" DKIM selector instead of "mailout2048s".
A mail server that verifies DKIM signatures is likely to reject e-mailed receipts from Apple stores. Mail servers that don't verify DKIM signatures would deliver these invalid messages.
'dkim-success-example.eml' and 'dkim-failure-example.eml' were successfully uploaded.
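For operators who want to see which signing domains and selectors their DKIM milter is rejecting, the following added example (not part of the original report) correlates opendkim failures with Postfix milter rejects by queue ID. The sample log is constructed, modelled on the excerpt above with placeholder IPs and addresses, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log excerpt in the report.
# IPs and mailbox addresses are documentation placeholders.
SAMPLE_LOG = """\
Dec 31 15:16:37 postfix/smtpd: B8D6F40133: client=mail-out21.apple.com[192.0.2.21]
Dec 31 15:16:38 opendkim: B8D6F40133: s=mailout2048s d=apple.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Dec 31 15:16:38 opendkim: B8D6F40133: bad signature data
Dec 31 15:16:38 postfix/cleanup: B8D6F40133: milter-reject: END-OF-MESSAGE from mail-out21.apple.com[192.0.2.21]: 5.7.0 bad DKIM signature data; from=<sender@example.org> to=<rcpt@example.com> proto=ESMTP helo=<mail-in21.apple.com>
Dec 31 15:20:01 postfix/smtpd: C1A2B30044: client=mx.example.net[198.51.100.7]
Dec 31 15:20:02 opendkim: C1A2B30044: DKIM verification successful
"""

# "<program>: <queue id>: <message>", with or without a hostname before it.
ENTRY = re.compile(r"(?P<prog>[\w/-]+): (?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$")
CLIENT = re.compile(r"client=(\S+?)\[")
SIGNER = re.compile(r"s=(\S+) d=(\S+)")
SENDER = re.compile(r"from=<([^>]*)>")

def dkim_rejects(log_text):
    """Return {queue_id: details} for mail rejected after a DKIM failure."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # e.g. disconnect lines, which carry no queue ID
        rec, msg = msgs[m["qid"]], m["msg"]
        if m["prog"] == "postfix/smtpd" and (c := CLIENT.match(msg)):
            rec["client"] = c[1]
        elif m["prog"] == "opendkim" and "bad signature" in msg:
            rec["dkim_fail"] = True
            if s := SIGNER.match(msg):  # only the first failure line names s= and d=
                rec["selector"], rec["domain"] = s[1], s[2]
        elif "milter-reject" in msg:
            rec["rejected"] = True
            if f := SENDER.search(msg):
                rec["sender"] = f[1]
    # Keep only messages where both events were seen for the same queue ID.
    return {q: r for q, r in msgs.items()
            if r.get("dkim_fail") and r.get("rejected")}

def rejects_by_signer(log_text):
    """Count DKIM rejects per (domain, selector) to spot a broken sender."""
    return Counter((r.get("domain"), r.get("selector"))
                   for r in dkim_rejects(log_text).values())

if __name__ == "__main__":
    for (domain, selector), n in rejects_by_signer(SAMPLE_LOG).items():
        print(f"{n} reject(s): d={domain} s={selector}")
```

A selector that dominates this count while other selectors of the same domain verify cleanly points at the sender's signing configuration rather than at the receiving server.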