async fn update_authservid_candidates(
    context: &Context,
    authres: &Vec<(String, DkimResult)>
) -> Result<()>

About authserv-ids

After having checked DKIM, our email server adds an Authentication-Results header.

Now, an attacker could simply add their own Authentication-Results header saying dkim=pass to an email with a forged From, in order to make us think that DKIM passed.

In order to prevent this, each email server adds its authserv-id to the Authentication-Results header, e.g. Testrun’s authserv-id is testrun.org, Gmail’s is mx.google.com. When Testrun gets a mail delivered from outside, it will then remove any Authentication-Results headers whose authserv-id is also testrun.org.

We need to somehow find out the authserv-id(s) of our email server, so that we can use the Authentication-Results with the right authserv-id.

What this function does

When receiving an email, this function is called and updates the candidates for our server’s authserv-id, i.e. what we think our server’s authserv-id is.

Usually, every incoming email has an Authentication-Results header with our server’s authserv-id, so the intersection of the existing candidates and the authserv-ids found in the incoming email is a good guess for our server’s authserv-id. When this intersection is empty, we assume that the authserv-id has changed and start over with the new authserv-ids.

See handle_authres.
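
The candidate update described above, as an added example that is not the project's own code. The names `authserv_id` and `update_candidates` are hypothetical, header parsing is simplified to "first token before the first `;`", and keeping the old candidates when a message carries no Authentication-Results header is an assumption of this example. The header values are constructed samples.

```rust
use std::collections::BTreeSet;

/// Hypothetical helper: extract the authserv-id from one Authentication-Results
/// header value. Simplified: first token before the first ';' (an optional
/// version number after the id is dropped; comments are not handled).
fn authserv_id(header_value: &str) -> Option<String> {
    let before_results = header_value.split(';').next()?;
    before_results.split_whitespace().next().map(|s| s.to_string())
}

/// Hypothetical model of the update: intersect the stored candidates with the
/// authserv-ids seen in one incoming message, starting over if nothing matches.
fn update_candidates(existing: &BTreeSet<String>, headers: &[&str]) -> BTreeSet<String> {
    let incoming: BTreeSet<String> = headers.iter().filter_map(|h| authserv_id(h)).collect();
    if incoming.is_empty() {
        // Assumption of this example: a message without headers changes nothing.
        return existing.clone();
    }
    let common: BTreeSet<String> = existing.intersection(&incoming).cloned().collect();
    if common.is_empty() {
        // Nothing in common: treat the authserv-id as changed and start over.
        incoming
    } else {
        common
    }
}

fn main() {
    // Constructed sample data: one inner Vec per received message.
    let messages: Vec<Vec<&str>> = vec![
        // Forwarded mail still carries another server's header next to ours.
        vec!["testrun.org; dkim=pass header.d=example.org",
             "mx.google.com; dkim=pass header.d=example.org"],
        // Only our own server's header: the candidates narrow down.
        vec!["testrun.org; dkim=fail header.d=example.com"],
        // Our server now uses a different authserv-id: start over.
        vec!["mail.example.net 1; dkim=pass header.d=example.org"],
    ];
    let mut candidates = BTreeSet::new();
    for headers in &messages {
        candidates = update_candidates(&candidates, headers);
        println!("{:?}", candidates);
    }
}
```

Until the set has narrowed to a single id, it can still contain authserv-ids that belong to other servers, as the first sample message shows.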