From 51e42dfe56d7cf7572fe68dd52ca003f856bfbca Mon Sep 17 00:00:00 2001
From: Dan Mahoney
Date: Tue, 26 May 2026 13:45:53 -0700
Subject: [PATCH] ares_parse: handle ADMD-less Authentication-Results headers Office 365 generates Authentication-Results headers that omit the authserv-id (ADMD), jumping straight to method=result tokens. This is non-compliant with RFC 8601 but common enough in practice that the hard parse failure causes log noise and downstream ARC chain issues. When state 1 encounters '=' instead of ';' or a version digit, the accumulated host token is actually a method name. Recover by leaving ares_host empty and continuing from the result value. See trusteddomainproject/OpenDKIM#73
---
 openarc/openarc-ar.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/openarc/openarc-ar.c b/openarc/openarc-ar.c
index 48acec62..b37f1da9 100644
--- a/openarc/openarc-ar.c
+++ b/openarc/openarc-ar.c
@@ -470,6 +470,23 @@ ares_parse(u_char *hdr, struct authres *ar)
 prevstate = state;
 state = 2;
 }
+ else if (tokens[c][0] == '=' && tokens[c][1] == '\0')
+ {
+ /*
+ * ADMD-less header (e.g. Office 365 internal
+ * headers that escape outbound): the token we
+ * read as authserv-id is actually the first
+ * method name. Leave ares_host empty and
+ * continue parsing from the result value.
+ */
+ n = 1;
+ ar->ares_result[0].result_method =
+ ares_convert(methods,
+ (char *) ar->ares_host);
+ memset(ar->ares_host, '\0', sizeof ar->ares_host);
+ prevstate = state;
+ state = 5;
+ }
 else
 {
 return -1;
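Review bot: The value returned by `ares_convert(methods, (char *) ar->ares_host)` in the new `'='` branch is stored without being checked, so any token a remote sender places before `=` is accepted as a method and parsing continues in state 5, where the old code returned -1. Consider limiting the recovery to recognised methods with `if (ar->ares_result[0].result_method == ARES_METHOD_UNKNOWN) return -1;` before the `memset`, assuming that is the value `ares_convert` yields for an unrecognised name. The branch also hard-sets `n = 1` and jumps past the method state, so a short comment saying why no per-result setup from that state is needed here would help; that state is not visible in this hunk. Because `ares_host` is now empty on a successful parse, it is worth confirming that callers which compare `ares_host` with the local authserv-id to decide whether to trust a header treat the empty string as untrusted; `ares_parse` and its callers start and end outside the hunk.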