iCloud mail forwarding destructive to DMARC authentication

Number:rdar://49888068 Date Originated:4/14/2019
Status:Open Resolved:
Product:Web App + Web SDK Product Version:
Classification:iCloud Reproducible:Always
Note: This is purely an iCloud services issue, it has *nothing* to do with iOS or macOS.

If a DKIM signed message is forwarded through iCloud, the DKIM signature no longer matches, breaking DMARC authentication.

Back in 2017 I opened issue 35953200, which was about messages being forwarded through iCloud mail breaking the DMARC authentication. The problem was fixed sometime in 2018, but now I'm seeing the same problem again (albeit possibly for different reasons).

I'm seeing the current problem in messages as early as February 3rd.

Steps to Reproduce:
1. Set iCloud to forward messages to another mail provider, preferably one that does strong SPF/DKIM/DMARC authentication: iCloud.com > Mail > Preferences > Forwarding > Forward my mail to: (external email address)

2. Receive an email to your iCloud (or mac.com, or me.com) email address, sent from a sender that signs the message with DKIM and has DMARC rules established.

NOTE: Many emails from Apple are an example of emails that fulfill step #2: almost every email from Apple has a DMARC failure when forwarded through iCloud. This does not, however, mean that only Apple emails are affected.

Expected Results:
Emails that are forwarded by iCloud should still pass DKIM and DMARC authentication.

Actual Results:
Emails that are forwarded by iCloud do NOT pass DMARC authentication

Attached case:
An especially good example is marketing emails from Apple, because Apple sends the SAME email to two of my addresses: directly to <external address>, and the 2nd one to <icloud address>.

I have iCloud set to forward emails sent to <icloud address> to <external address>. Therefore, we can compare the emails to see exactly what changes resulted from being forwarded through iCloud.  Attached are two such email pairs.

The emails that are sent directly to <external address> has an insideapple.apple.com DKIM signature.  When FastMail checked the authentication, it passes DKIM and DMARC.

On the messages that are forwarded through iCloud (sent to <iCloud address., forwarded to <external address>), the message fails DKIM because the message or body has been altered:

Authentication-Results: mx4.messagingengine.com;
    arc=none (no signatures found);
    dkim=fail (message has been altered, 2048-bit rsa key sha256)

Comparison of the message shows that that the message is in fact altered by iCloud.

Since failing DMARC indicates the message is forged, it gets a very high probability of Spam score. The result is that many messages that are routed through iCloud.com are considered to be SPAM. Ironically it is the messages that are sent from the most security conscious senders (banks, major companies, etc.) are the ones that are almost always considered (falsely) to be SPAM, because those are the senders that publish DMARC rules in their DNS records.

Comparison to other mail systems:
From what I've seen, ONLY iCloud.com is breaking DMARC on forwarding email. Gmail for example is fine.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!