dfinity · pr-automation-bot-public · Jun 9, 2026
@@ -62,4 +62,4 @@ motoko-core           v2.4.0
 cdk-rs                ic-cdk v0.20.1 / ic-cdk-timers v1.0.0 / ic-cdk-executor v2.0.0  317f55c
 candid                2025-12-18  # candid v0.10.20, didc v0.5.4                2e4a2cf
 response-verification v3.1.0                                                    18c5a37
-internetidentity      release-2026-06-01                                         18130689
+internetidentity      release-2026-06-05-hotfix                                         d2b368e0
@@ -625,6 +625,24 @@ type EmailRecoveryStatus = variant {
     Expired;
 };
 
+// Which trust path the canister used (or will use) to verify the
+// challenge email. Public — already chosen by the FE and derivable
+// from the public deploy config.
+type VerificationPath = variant { Doh; Dnssec };
+
+// Strictly-public, user-copyable diagnostics for one pending challenge
+// (see email_recovery_diagnostics). Intended for a support ticket so a
+// case can be lined up across the SMTP gateway logs and the canister's
+// production logs via message_id. NO email address, anchor, principal,
+// delegation/seed, or inner error string — reason_code is the failing
+// variant's name only.
+type EmailRecoveryDiagnostics = record {
+    message_id : opt text;
+    reason_code : text;
+    verification_path : VerificationPath;
+    created_at : Timestamp;
+};
+
 type EmailRecoveryGetDelegationArgs = record {
     nonce       : text;
     session_key : SessionKey;
@@ -671,6 +689,13 @@ type SmtpRequest = record {
     message : opt SmtpMessage;
     envelope : opt SmtpEnvelope;
     gateway_flags : opt vec text;
+    // Optional gateway-supplied correlation id for one inbound message
+    // (e.g. the RFC 5322 Message-ID or a gateway-assigned tracking id).
+    // The canister does not interpret it; it lets a reported case be
+    // lined up across the SMTP gateway logs and the canister's production
+    // logs during support investigations. Capped at 256 bytes; oversize
+    // values are rejected with code 555.
+    message_id : opt text;
 };
 
 // Error returned by `smtp_request` / `smtp_request_validate`.
@@ -1489,6 +1514,7 @@ service : (opt InternetIdentityInit) -> {
     email_recovery_credential_prepare_add : (IdentityNumber, EmailRecoveryDnsInput) -> (variant { Ok : EmailRecoveryChallenge; Err : EmailRecoveryError });
     email_recovery_prepare_delegation : (EmailRecoveryDnsInput, SessionKey) -> (variant { Ok : EmailRecoveryChallenge; Err : EmailRecoveryError });
     email_recovery_status : (text) -> (EmailRecoveryStatus) query;
+    email_recovery_diagnostics : (text) -> (opt EmailRecoveryDiagnostics) query;
     email_recovery_submit_dkim_leaf : (EmailRecoverySubmitDkimLeafArg) -> (variant { Ok : EmailRecoveryStatus; Err : EmailRecoveryError });
     email_recovery_get_delegation : (EmailRecoveryGetDelegationArgs) -> (variant { Ok : SignedDelegation; Err : EmailRecoveryError }) query;
     email_recovery_credential_remove : (IdentityNumber, text) -> (variant { Ok; Err : EmailRecoveryError });
+0 −1		scripts/build
+55 −3		scripts/deploy-common.bash
+8 −0		src/canister_tests/src/api/internet_identity.rs
+30 −29		src/frontend/src/lib/components/wizards/auth/AuthWizard.svelte
+4 −0		src/frontend/src/lib/components/wizards/auth/index.ts
+13 −0		src/frontend/src/lib/components/wizards/auth/views/ContinueOnAnotherDeviceView.svelte
+80 −0		src/frontend/src/lib/components/wizards/auth/views/IdentityAlreadyLinked.svelte
+119 −0		src/frontend/src/lib/components/wizards/auth/views/IdentityNotConnected.svelte
+82 −0		src/frontend/src/lib/components/wizards/auth/views/SwitchAccessMethod.svelte
+39 −4		src/frontend/src/lib/components/wizards/recoverWithEmail/RecoverWithEmailWizard.svelte
+37 −5		src/frontend/src/lib/components/wizards/setupEmailRecovery/SetupEmailRecoveryWizard.svelte
+42 −0		src/frontend/src/lib/components/wizards/setupEmailRecovery/diagnostics.test.ts
+47 −0		src/frontend/src/lib/components/wizards/setupEmailRecovery/diagnostics.ts
+51 −2		src/frontend/src/lib/components/wizards/setupEmailRecovery/views/FailedView.svelte
+7 −0		src/frontend/src/lib/components/wizards/setupEmailRecovery/views/UnsupportedDomain.svelte
+4 −2		src/frontend/src/lib/generated/internet_identity_frontend_idl.js
+12 −1		src/frontend/src/lib/generated/internet_identity_frontend_types.d.ts
+16 −0		src/frontend/src/lib/generated/internet_identity_idl.js
+34 −0		src/frontend/src/lib/generated/internet_identity_types.d.ts
+5 −0		src/frontend/src/lib/globals.ts
+155 −0		src/frontend/src/lib/state/featureFlags.test.ts
+45 −15		src/frontend/src/lib/state/featureFlags.ts
+80 −0		src/frontend/src/lib/utils/dnssec/chain.test.ts
+50 −11		src/frontend/src/lib/utils/dnssec/chain.ts
+28 −0		src/frontend/src/lib/utils/featureFlags/index.test.ts
+31 −0		src/frontend/src/lib/utils/openID.test.ts
+5 −1		src/frontend/src/routes/(new-styling)/cli/+page.ts
+2 −2		src/frontend/src/routes/(new-styling)/manage/(authenticated)/(home)/+page.svelte
+16 −7		src/frontend/src/routes/(new-styling)/manage/(authenticated)/recovery/+page.svelte
+35 −1		src/frontend/src/routes/(new-styling)/manage/(authenticated)/recovery/components/ActiveEmailRecovery.svelte
+4 −0		src/frontend/src/routes/(new-styling)/recovery/+page.svelte
+28 −24		src/frontend/tests/e2e-playwright/fixtures/emailRecovery.ts
+4 −1		src/frontend/tests/e2e-playwright/fixtures/manageRecoveryPage.ts
+32 −37		src/frontend/tests/e2e-playwright/routes/cli.spec.ts
+39 −4		src/frontend/tests/e2e-playwright/routes/emailRecovery.spec.ts
+1 −0		src/frontend/tests/e2e-playwright/utils/dkimTestSigner.ts
+26 −0		src/internet_identity/internet_identity.did
+31 −9		src/internet_identity/src/assets.rs
+43 −17		src/internet_identity/src/dkim/canonicalize.rs
+1 −0		src/internet_identity/src/dkim/test_vectors.rs
+7 −0		src/internet_identity/src/dkim/verify.rs
+1 −0		src/internet_identity/src/dmarc/test_vectors.rs
+1 −0		src/internet_identity/src/dmarc/verify.rs
+7 −5		src/internet_identity/src/dnssec/mod.rs
+93 −18		src/internet_identity/src/dnssec/signature.rs
+20 −9		src/internet_identity/src/dnssec/test_vectors.rs
+14 −7		src/internet_identity/src/dnssec/verify.rs
+127 −319		src/internet_identity/src/doh/cache.rs
+64 −19		src/internet_identity/src/doh/mod.rs
+14 −0		src/internet_identity/src/email_recovery/mod.rs
+117 −1		src/internet_identity/src/email_recovery/pending.rs
+3 −0		src/internet_identity/src/email_recovery/prepare.rs
+18 −0		src/internet_identity/src/email_recovery/smtp.rs
+31 −3		src/internet_identity/src/main.rs
+6 −0		src/internet_identity/src/state.rs
+5 −0		src/internet_identity/src/storage/storable/storable_persistent_state.rs
+1 −0		src/internet_identity/tests/integration/config.rs
+82 −0		src/internet_identity/tests/integration/config/backend_origin.rs
+313 −2		src/internet_identity/tests/integration/email_recovery.rs
+41 −0		src/internet_identity/tests/integration/http.rs
+5 −0		src/internet_identity_frontend/internet_identity_frontend.did
+8 −5		src/internet_identity_frontend/src/main.rs
+1 −0		src/internet_identity_frontend/tests/integration/http.rs
+6 −0		src/internet_identity_interface/src/internet_identity/types.rs
+71 −0		src/internet_identity_interface/src/internet_identity/types/email_recovery.rs
+92 −4		src/internet_identity_interface/src/internet_identity/types/smtp.rs
+142 −0		test_vectors/dnssec/mailbox.org-2026-06.json