Apple Store receipt lost due to bad signature from Apple's misconfigured e-mail server

Number: rdar://29869703
Date Originated: 2017-01-04
Status: Open
Resolved:
Product: Other
Product Version:
Classification:
Reproducible: Always

I run my own mail server.  The mail server logs captured this failed attempt by Apple to send mail to me (my address is

Dec 31 15:16:37 milter-greylist: (unknown id): Sender IP and address <> are SPF-compliant, bypassing greylist
Dec 31 15:16:37 postfix/smtpd[24117]: B8D6F40133:[]
Dec 31 15:16:38 postfix/cleanup[24121]: B8D6F40133: message-id=<>
Dec 31 15:16:38 opendkim[1322]: B8D6F40133: s=mailout2048s SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Dec 31 15:16:38 opendkim[1322]: B8D6F40133: bad signature data
Dec 31 15:16:38 postfix/cleanup[24121]: B8D6F40133: milter-reject: END-OF-MESSAGE from[]: 5.7.0 bad DKIM signature data; from=<> to=<> proto=ESMTP helo=<>
Dec 31 15:16:43 ip-172-31-32-215 postfix/smtpd[24117]: disconnect from[] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7

Timestamps are UTC.

Steps to Reproduce:
1. On 2016-12-31, at 10:15 Montreal Time, I bought something from the Sainte Catherine Apple Store.
2. I paid by credit card. When asked whether I wanted the receipt on paper or by e-mail, I said that e-mail was fine.
3. The e-mail bounced due to an invalid DKIM signature. (See

Expected Results:
DKIM signature should be valid, matching the published key for, which, at the time of this writing, is: 60 IN TXT	"v=DKIM1;" "k=rsa;" "h=sha256;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4c/TfEpA3ry1fYjhKQl5" "pEZorCF66/9U3IBJLGv01Fxzj54jNfedegeafYCWiX8nBwSVcAs2MiQsJt2ZtND+" "Uuqag637yAw7VbmXiVkinU/QKSHy7+314VQWf1ic6RpnT6DfyHJk7tyOM3DiXKya" "1VrPDqHMau3KwW0M9wrxKe1GOQWtxryxconUUGylTL7ObaneqyyNBu4OYDtvH39K" "AxUys1S32lus2HutCb9/Ef9ztHEpthYh5+iNN4UvUwVGLqA3nJfHDG3AxSuBC01l" "6WQiOMVaZDCDGLGh9A01Nuy3I91v9xm7Q9Y1jLspfsRerBet1MGHfzYXX5roneGb" "MwIDAQAB"

Actual Results:
Mail from Apple was rejected due to an invalid DKIM signature.


Since the mail was rejected, all I have as evidence of this transaction on 2016-12-31 is those few lines in my mail server log.

However, having discovered the problem, I also dug through my history and found a similar receipt from 2016-02-15, captured from a time when my server was not yet verifying DKIM signatures.  (See attachment.)  It also fails DKIM verification today — assuming that the DKIM key has not changed in the past year.

For comparison, I have attached another e-mail from 2016-02-21 for a Genius Bar appointment, whose signature is valid.  It uses the "emailapple2048" DKIM selector instead of "mailout2048s".

A mail server that verifies DKIM signatures is likely to reject e-mailed receipts from Apple stores. Mail servers that don't verify DKIM signatures would deliver these invalid messages.

'dkim-success-example.eml' and 'dkim-failure-example.eml' were successfully uploaded.
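
Added example, not part of the original report: a standard-library check that the TXT record quoted under Expected Results is a well-formed DKIM key record, done by joining its quoted strings, splitting the tags, and reading the RSA modulus size and exponent out of the DER in p=. The function names are hypothetical, and the record name is omitted because it is elided in the report.

```python
import base64
import re

REPORT_TXT = (  # TXT data exactly as quoted in the report
    '"v=DKIM1;" "k=rsa;" "h=sha256;" '
    '"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4c/TfEpA3ry1fYjhKQl5" '
    '"pEZorCF66/9U3IBJLGv01Fxzj54jNfedegeafYCWiX8nBwSVcAs2MiQsJt2ZtND+" '
    '"Uuqag637yAw7VbmXiVkinU/QKSHy7+314VQWf1ic6RpnT6DfyHJk7tyOM3DiXKya" '
    '"1VrPDqHMau3KwW0M9wrxKe1GOQWtxryxconUUGylTL7ObaneqyyNBu4OYDtvH39K" '
    '"AxUys1S32lus2HutCb9/Ef9ztHEpthYh5+iNN4UvUwVGLqA3nJfHDG3AxSuBC01l" '
    '"6WQiOMVaZDCDGLGh9A01Nuy3I91v9xm7Q9Y1jLspfsRerBet1MGHfzYXX5roneGb" '
    '"MwIDAQAB"'
)

def parse_dkim_txt(txt):
    """Concatenate the quoted character-strings, then split into tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', txt))
    pairs = (part.split("=", 1) for part in joined.split(";") if "=" in part)
    # Folding whitespace inside a value (e.g. a wrapped p=) is not significant.
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (content_start, content_end)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_key_info(tags):
    """Return (modulus_bits, public_exponent) for the key in the p= tag."""
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key record")
    if not tags.get("p"):
        raise ValueError("empty p= tag: key has been revoked")
    der = base64.b64decode(tags["p"], validate=True)
    spki, _ = _tlv(der, 0, 0x30)             # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, spki, 0x30)       # AlgorithmIdentifier, skipped
    bits, _ = _tlv(der, alg_end, 0x03)       # BIT STRING wrapping RSAPublicKey
    key, _ = _tlv(der, bits + 1, 0x30)       # +1 skips the unused-bits octet
    n_start, n_end = _tlv(der, key, 0x02)    # INTEGER modulus
    e_start, e_end = _tlv(der, n_end, 0x02)  # INTEGER publicExponent
    return (int.from_bytes(der[n_start:n_end], "big").bit_length(),
            int.from_bytes(der[e_start:e_end], "big"))
```

A record that parses cleanly here rules out a malformed key record as the cause of a verification failure; it does not show that the key matches the one the sender signed with.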


