feat!: DKIM verifier #35

Merged
j-g00da merged 2 commits into main from j-g00da/dkim-verify
Feb 16, 2026

@j-g00da j-g00da commented Feb 5, 2026

This implements a DKIM verification as well as a strict
DKIM signature alignment check with domain in From
header address.

Caches the retrieved RDATA using in-memory LRU.

BREAKING CHANGE: incoming messages now require DKIM signatures
aligned to domain of the From header address.

Signed-off-by: Jagoda Ślązak jslazak@jslazak.com
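The strict alignment rule from the description above, sketched as an added example (not code from this PR or from viadkim). All function names and sample headers are constructed for illustration; it covers only the comparison of the signature's `d=` tag with the `From` domain, not signature verification or key lookup, and it fails closed on `From` values it cannot parse unambiguously.

```rust
// Added example (not the PR's code): strict DKIM alignment, std only.
// All function names and sample headers below are hypothetical/constructed.

/// Value of tag `name` in a DKIM-Signature tag list (`k=v; k=v; ...`).
fn dkim_tag<'a>(sig: &'a str, name: &str) -> Option<&'a str> {
    sig.split(';').find_map(|tag| {
        let (k, v) = tag.split_once('=')?; // first '=' only: base64 padding stays in v
        (k.trim() == name).then(|| v.trim())
    })
}

/// Characters that must not appear in a single, unambiguous addr-spec half.
fn is_ambiguous(c: char) -> bool {
    c.is_whitespace() || matches!(c, ',' | '<' | '>' | '@')
}

/// Domain of the one address in a From header value, or None (fail closed)
/// when the value holds several addresses or cannot be parsed unambiguously.
fn from_domain(from: &str) -> Option<&str> {
    let addr = match (from.find('<'), from.rfind('>')) {
        (Some(l), Some(r)) if l < r => &from[l + 1..r], // angle-addr wins over display name
        (None, None) => from.trim(),
        _ => return None,
    };
    let (local, domain) = addr.split_once('@')?;
    if local.is_empty() || domain.is_empty() {
        return None;
    }
    if local.contains(is_ambiguous) || domain.contains(is_ambiguous) {
        return None;
    }
    Some(domain)
}

/// Strict alignment: `d=` must equal the From domain exactly (ASCII
/// case-insensitive). A parent domain or subdomain does not count.
fn strictly_aligned(sig: &str, from: &str) -> bool {
    match (dkim_tag(sig, "d"), from_domain(from)) {
        (Some(d), Some(f)) => d.trim_end_matches('.').eq_ignore_ascii_case(f.trim_end_matches('.')),
        _ => false,
    }
}

fn main() {
    // Constructed DKIM-Signature value; the selector name is the one mentioned on this page.
    let sig = "v=1; a=rsa-sha256; d=example.org; s=opendkim; bh=AAAA=; b=BBBB==";
    for from in ["Alice <alice@example.org>", "alice@mail.example.org", "\"alice@example.org\" <x@evil.example>"] {
        println!("{:45} aligned={}", from, strictly_aligned(sig, from));
    }
}
```
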

@j-g00da j-g00da requested review from Hocuri and link2xt February 5, 2026 15:11

j-g00da commented Feb 5, 2026

Few notes:

  • I'm yet to create some meaningful test suite for this
  • This passes relay tests: feat: replace DKIM verification with filtermail v0.4 relay#831 (isolated chatmaild tests are expected to fail, as they don't expect filtermail to reject on missing DKIM sig)
  • Also tested manually using franky.testrun.org and record hosted on my own relay here: https://chat.kamiokan.de/.well-known/_domainkey/opendkim
  • I didn't use viadkim's hickory-resolver feature, as this integration uses an old hickory-resolver version + I had to implement my own lookup anyway for the fallback mechanism. We should probably do some maintenance work on viadkim fork, and release it with some different name.

@link2xt link2xt changed the base branch from main to j-g00da/smtp-client February 5, 2026 18:06
@j-g00da j-g00da force-pushed the j-g00da/smtp-client branch 3 times, most recently from 1150907 to da063fd Compare February 6, 2026 10:12
Base automatically changed from j-g00da/smtp-client to main February 6, 2026 10:15
@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch 2 times, most recently from 36a0f0e to 41237b3 Compare February 6, 2026 10:54

j-g00da commented Feb 6, 2026

TODO:

  • remove current http TXT caching based on TTL
  • store only RDATA in selector file, since we don't need TTL
  • implement LRU cache for RDATA returned by both DNS resolver and https requests, cache up to forever (in-memory)


j-g00da commented Feb 6, 2026


j-g00da commented Feb 12, 2026

Removed the fallback mechanism, as it is no longer needed.


link2xt commented Feb 14, 2026

Cache invalidation is a difficult problem as usual.

Should be mostly fine with this approach, we can improve later if needed.

chatmail always uses the same selector (opendkim) and there are servers that do rotation by iterating between two selectors so current approach will fail one message on every rotation or server resetup, but it's not a big deal, arguably reusing selectors is wrong. We can at least fix chatmail to always generate a new selector for each new setup.

@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch from 833ec92 to d49b168 Compare February 16, 2026 08:44
@j-g00da j-g00da merged commit d261553 into main Feb 16, 2026
7 checks passed
@j-g00da j-g00da deleted the j-g00da/dkim-verify branch February 16, 2026 08:51

Development

Successfully merging this pull request may close these issues.

Integrate DKIM verification into upcoming filtermail.rs service