Interesting, thanks for reporting back.

I went to the config and changed my sender to Matrix Authentication System again, without @.

It works, I have a DKIM pass now. As seen, the quotes are still stripped:

Authentication-Results: mx.google.com;
       dkim=pass
[...]
From: Matrix Authentication Service <matrix@matrix.<homeserver>>
Reply-To: Matrix Authentication Service <matrix@matrix.<homeserver>>

I did not touch my setup otherwise; I'm sure it failed the DKIM check before at gmail. Given the DMARC and SPF checks passed, I also don't think it was a DNS issue.

I'm sure it was not my setup, I manually copied the gmail-processed source and verified the DKIM cert manually, with and without re-adding the quotes. I was only able to verify locally with the quotes added. This, and DKIM consistently passing at other mail servers leads me to believe it actually was an issue at google side.

So either they fixed the issue in light-speed, or I was loosing my mind, which of course is possible as well. Will update the original post and github issues.

Yes indeed! Changing the sender name to Matrix Authentication Service @ <my_homeserver> works, with successful dkim: pass.

From original source:

Authentication-Results: mx.google.com;
       dkim=pass [...]
[...]
From: "Matrix Authentication Service @ <my_homeserver>" <matrix@matrix.<my_homeserver>>
Reply-To: "Matrix Authentication Service @ <my_homeserver>" <matrix@matrix.<my_homeserver>>

So sending mails with quoted names that do not have to be quoted leads to DKIM failures at gmail.

Nice idea!

Ah, but I was right for the wrong reasons, I also only now understand it fully. Thanks for the nice discussion.

phrase is 1*word, not word. The difference to obs-phrase is that it allows dots (".") and folding whitespace. Not that it allows whitespace.

In the same example, the Mary Smith is not the issue, rather the @machine.tld, as is written in the description.

John Q. Public is an issue because of the dot, not the spaces. The spaces are an issue in jdoe@test . example, as that's actually an address, not a name

See here: https://gehirneimer.de/m/sysadmin@lemmy.world/t/918726/-/comment/8449841

I had to think about this for a while, but the standard is only obsoleting folding white space, i.e. white space that wraps lines, such as:

Subject: This
 is a folded line

which is equivalent to

Subject: This is a folded line

As I understand it, white space is allowed before and after obsoletion. Or do I understand it wrong?

Edit:

I think in the obsoleted language the following would have been allowed for a From: field as well:

From: John
 Smith <j.smith@example.com>

Yes, it seems it does that. I assume it has some processing chain involving decode -> process -> encode of the whole mail, and usually that works out and the DKIM check passes. Apparantly, if you send something non-standard the decode and encode are not symmetrical and this happens. IMHO it shouldn't, so I agree. Especially, showing users mails with broken authentication seems broken as well to me.

Usually, the important parts of the mail, such as subject, sender and contents are protected by DKIM authentication. Unfortunately this is usually not visible to the end-user, i.e. as in my case, where mails fail DKIM, but are still presented in my inbox.

Mail servers and relays add headers to the mail as it goes, for example their own IPs to trace the mail, or authentication results if authentication happens at various endpoints.

In the end, the mail as in the gmail postbox is the result of the original mail, and all these additions of the mail relays. In an ideal world only DKIM authenticated would be presented to the end-user, but the world of mail seems to be so broken, that many sending servers just do not apply DKIM/DMARC correctly, and thus many receivers accept broken mail.

Will play around with that and report back :)

Yes, I've seen one other header change: gmail seems to (again sometimes?) enforce Message-ID fields in the header, and may add or change it if it doesn't match it's internal requirements. Interestingly, I've seen both my mailserver getting "rejected because missing message-id" messages, and messages passing to the mailbox, but with a google-added Message-ID in the raw source.

For my specific case of DKIM failures, I've not noticed other differences.

If I take the specific raw source from gmail, i.e. after processing by google, re-add the quotes, and manually check the DKIM signature, the signature passes. With other words, the quotes are literally the only relevant change in my case.

Ah interesting, I'm sending from my own domain and IP with DMARC set up to quarantine.

Yes, the mail server is accepting it because gmail accepts the mail if either SPF or DKIM passes (not AND). My observation is that google for some reason sometimes puts the mail into spam, and sometimes into the regular mailbox. In both cases the headers show dkim=fail and spf=pass and I have no idea why it's not deterministic. I've also tested this with same/similar mail contents.

Edit: To be honest, I also don't think that mail from my domain should be "sometimes" in the regular mailbox, if DKIM fails and DMARC has adkim=quarantine.