MTA with no Message-ID causes incorrect DKIM Signature h record

Operating System & Version
CPANEL hosts will not say
cPanel & WHM Version
dovecot 2.3.10.1, WHM(?)

QAZwsxED

Member
Oct 4, 2020
9
0
1
Australia
cPanel Access Level
Website Owner
When an MTA client lib (I wrote) is used to send email via an SMTP connection to cPanel/WHM mail, there is an issue when there is no message-id (case insensitive).

The BAD h record below is added by a cPanel/WHM module (please verify?) and a Message-ID (big D) header is created. Outlook, Hotmail, Google, and Yahoo all report DKIM:fail:

BAD
h=Content-Type:MIME-Version:Date:Subject:To:From:Sender:Reply-To:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

GOOD
h=Content-Type:MIME-Version:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

The GOOD header passes DKIM Signature verification because the MTA was modified to add a Message-Id (not lowercase d) header to the message.

says
"If an existing DKIM key does not meet the server's security requirements, the system replaces the existing DKIM key. If no DKIM key exists, the system creates a new key for the domain."

Could this API be connected with this behaviour?

Does the order or position or case of message-id make any difference to the behaviour of this module?

QAZwsxED

Member
Oct 4, 2020
9
0
1
Australia
cPanel Access Level
Website Owner
Can you show me an example of both instances that you've come across? I'm having issues understanding how you're reaching this error.
My ISP has responded:

"This is handled by the MTA with the private key, in this case our cPanel server.
Then this email is sent on to our border MTA, which is Spam Experts. Since it sees an invalid email, that is, an email that the MUA failed to format correctly [by not including a Message-ID], it tries to resolve this issue by adding in a MessageID.
Unfortunately by doing this, it now means the signature won't match when the receiving server compares the hash. This is all expected behavior. "

I have no idea where to turn.

A system that includes the Feature/Bug:
add a Message ID when processing emails without a Message-ID, but inadvertently ruin the DKIM signature
needs to be investigated and fixed, I would think.

A suggested solution would be to change the process so that, after SpamExperts have added their message-id, the email is resubmitted to the existing DKIM signing workflow.

What would it take to make that change? Would a discussion with SpamExperts be a starting point?

The question for a diligent, conscientious community member would be: where could I raise such an issue and proposed solution? That is exactly what I am trying to do, and am encouraging others to do also, and I would appreciate your guidance and advice.
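
To make the mechanism in both posts concrete (the BAD/GOOD h= lists in the first post, the ISP's explanation that SpamExperts adds a Message-ID after the cPanel server has signed, and the proposed fix of signing again afterwards), here is an added example that is not part of the original thread and is not cPanel, Exim or SpamExperts code. It models RFC 6376 relaxed header canonicalization and the h= header selection rule in Python; HMAC-SHA256 with a shared key stands in for the real RSA-SHA256 signature so it runs on the standard library alone, and the domains, selector, key and header values are all constructed.

```python
"""How DKIM (RFC 6376) binds the h= list to a message and why a header added
after signing breaks it. Added illustration, not cPanel, Exim or SpamExperts
code. HMAC-SHA256 with a shared key stands in for RSA-SHA256 so this runs on
the standard library; domains, selector and header values are constructed."""
import base64
import hashlib
import hmac
import re

SIGNING_KEY = b"stand-in-for-the-rsa-private-key"  # constructed, not a real key


def relaxed_header(name, value):
    """RFC 6376 3.4.2 'relaxed': lower-case name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def header_block(headers, h_tag):
    """Header data covered by h= (RFC 6376 3.7, 5.4.2): for each listed name take
    the last not-yet-used instance, scanning from the bottom. Names match
    case-insensitively (Message-Id == Message-ID). A listed name with no instance
    contributes nothing; listing it anyway ("oversigning") is what makes a later
    addition of that header detectable."""
    used, out = set(), []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name:
                used.add(i)
                out.append(relaxed_header(*headers[i]))
                break
    return "".join(out)


def body_hash(body):
    """'simple' body canonicalization (exactly one trailing CRLF), then SHA-256."""
    return base64.b64encode(hashlib.sha256(body.rstrip(b"\r\n") + b"\r\n").digest()).decode()


def _mac(headers, h_tag, sig_value_without_b):
    # Signed data = canonical h= block + the DKIM-Signature field with b= emptied.
    data = header_block(headers, h_tag) + relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n")
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def sign(headers, body, h_tag):
    """Return a ('DKIM-Signature', value) field covering the names in h_tag."""
    value = (f"v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel;"
             f" h={h_tag}; bh={body_hash(body)}; b=")
    return ("DKIM-Signature", value + _mac(headers, h_tag, value))


def verify(headers, body):
    """Check the topmost DKIM-Signature the way a receiving MTA would."""
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if tags.get("bh") != body_hash(body):
        return False
    without_b = sig[: sig.rfind("b=") + 2]  # b= is the last tag and its value is hex
    return hmac.compare_digest(_mac(headers, tags["h"], without_b), tags.get("b", ""))


# Constructed message as a client library that sets no Message-ID would submit it.
BODY = b"Hello Bob\r\n"
HEADERS = [("From", "alice@example.org"), ("To", "bob@example.com"),
           ("Subject", "test"), ("Date", "Sun, 04 Oct 2020 10:00:00 +1000")]
# Like the BAD h= in the thread: Message-ID is listed but the message has none.
H_TAG = "From:To:Subject:Date:Message-ID"


def unchanged_verifies():
    return verify([sign(HEADERS, BODY, H_TAG)] + HEADERS, BODY)

def downstream_message_id_breaks():
    """Border MTA prepends Message-ID after signing: the slot that was empty at
    signing time is now filled, the signed data differs, DKIM fails."""
    msg = [("Message-ID", "<generated@border.example.net>"), sign(HEADERS, BODY, H_TAG)] + HEADERS
    return verify(msg, BODY)

def unsigned_header_is_harmless():
    """A header not named in h= (e.g. a spam-filter trace) may be added freely."""
    return verify([("X-Spam-Status", "No"), sign(HEADERS, BODY, H_TAG)] + HEADERS, BODY)

def message_id_before_signing_verifies():
    """The GOOD case: the submitting MTA adds Message-Id (any case) before
    signing, so it is covered and the border MTA has nothing to add."""
    hdrs = HEADERS + [("Message-Id", "<123@client.example.org>")]
    return verify([sign(hdrs, BODY, H_TAG)] + hdrs, BODY)

def resign_after_addition_verifies():
    """The fix suggested in the thread: after the border MTA adds Message-ID,
    sign again over the new header set; the verifier checks the outer signature."""
    msg = [("Message-ID", "<generated@border.example.net>"), sign(HEADERS, BODY, H_TAG)] + HEADERS
    return verify([sign(msg, BODY, H_TAG)] + msg, BODY)
```

Listing a header in h= that the message does not carry is legitimate under RFC 6376 (section 5.4 describes it as a way to prevent a header being added in transit), so the BAD case failing once SpamExperts inserts a Message-ID is the signature doing its job, as the ISP says. The two scenarios that verify are the two workable fixes: have the submitting MTA add the Message-ID before the message reaches the signer, or have the border MTA sign again after it has made its change.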