Skip to content

feat!: DKIM verifier#35

Merged
j-g00da merged 2 commits intomainfrom
j-g00da/dkim-verify
Feb 16, 2026
Merged

feat!: DKIM verifier#35
j-g00da merged 2 commits intomainfrom
j-g00da/dkim-verify

Conversation

@j-g00da
Copy link
Collaborator

@j-g00da j-g00da commented Feb 5, 2026
edited
Loading

This implements a DKIM verification as well as a strict
DKIM signature alignment check with domain in From
header address.

Caches the retrieved RDATA using in-memory LRU.

BREAKING CHANGE: incoming messages now require DKIM signatures
aligned to domain of the From header address.

Signed-off-by: Jagoda Ślązak jslazak@jslazak.com

@j-g00da j-g00da requested review from Hocuri and link2xt February 5, 2026 15:11
@j-g00da
Copy link
Collaborator Author

j-g00da commented Feb 5, 2026
edited
Loading

Few notes:

  • I'm yet to create some meaningful test suite for this
  • This passes relay tests: feat: replace DKIM verification with filtermail v0.4 relay#831 (isolated chatmaild tests are expected to fail, as they don't expect filtermail to reject on missing DKIM sig)
  • Also tested manually using franky.testrun.org and record hosted on my own relay here: https://chat.kamiokan.de/.well-known/_domainkey/opendkim
  • I didn't use viadkim's hickory-resolver feature, as this integration uses an old hickory-resolver version + I had to implement my own lookup anyway for the fallback mechanism. We should probably do some maintenance work on viadkim fork, and release it with some different name.

@link2xt link2xt changed the base branch from main to j-g00da/smtp-client February 5, 2026 18:06
link2xt
link2xt reviewed Feb 5, 2026
View reviewed changes
@j-g00da j-g00da force-pushed the j-g00da/smtp-client branch 3 times, most recently from 1150907 to da063fd Compare February 6, 2026 10:12
Base automatically changed from j-g00da/smtp-client to main February 6, 2026 10:15
@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch 2 times, most recently from 36a0f0e to 41237b3 Compare February 6, 2026 10:54
@j-g00da
Copy link
Collaborator Author

j-g00da commented Feb 6, 2026
edited
Loading

TODO:

  • remove current http TXT caching based on TTL
  • store only RDATA in selector file, since we don't need TTL
  • implement LRU cache for RDATA returned by both DNS resolver and https requests, cache up to forever (in-memory)

@j-g00da
Copy link
Collaborator Author

j-g00da commented Feb 6, 2026
edited
Loading

Also:

@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch from 41237b3 to 7482b51 Compare February 6, 2026 15:32
@j-g00da j-g00da requested a review from link2xt February 6, 2026 15:34
@missytake missytake mentioned this pull request Feb 7, 2026
Open
@j-g00da j-g00da mentioned this pull request Feb 10, 2026
Closed
@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch from 7482b51 to fa57846 Compare February 10, 2026 11:03
@j-g00da j-g00da mentioned this pull request Feb 10, 2026
Closed
@missytake missytake mentioned this pull request Feb 10, 2026
Closed
@j-g00da j-g00da linked an issue Feb 11, 2026 that may be closed by this pull request
Integrate DKIM verification into upcoming filtermail.rs service chatmail/relay#805
Closed
@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch from fa57846 to 833ec92 Compare February 12, 2026 09:40
@j-g00da j-g00da changed the title feat!: DKIM verifier with https fallback feat!: DKIM verifier Feb 12, 2026
@j-g00da
Copy link
Collaborator Author

j-g00da commented Feb 12, 2026

Removed the fallback mechanism, as it is no longer needed.

link2xt
link2xt approved these changes Feb 14, 2026
View reviewed changes
@link2xt
Copy link
Contributor

link2xt commented Feb 14, 2026

Cache invalidation is a difficult problem as usual.

Should be mostly fine with this approach, we can improve later if needed.

chatmail always uses the same selector (opendkim) and there are servers that do rotation by iterating between two selectors so current approach will fail one message on every rotation or server resetup, but it's not a big deal, arguably reusing selectors is wrong. We can at least fix chatmail to always generate a new selector for each new setup.

@j-g00da
feat!: DKIM verifier
f062147 
This implements a DKIM verification as well as a strict
DKIM signature alignment check with domain in `From`
header address.

Caches the retrieved RDATA using in-memory LRU.

BREAKING CHANGE: incoming messages now require DKIM signatures
  aligned to domain of the `From` header address.

Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>
@j-g00da
chore(license): License binaries under GPLv3
d49b168 
Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>
@j-g00da j-g00da force-pushed the j-g00da/dkim-verify branch from 833ec92 to d49b168 Compare February 16, 2026 08:44
@j-g00da j-g00da merged commit d261553 into main Feb 16, 2026
7 checks passed
@j-g00da j-g00da deleted the j-g00da/dkim-verify branch February 16, 2026 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@link2xt link2xt link2xt approved these changes

@Hocuri Hocuri Awaiting requested review from Hocuri

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Integrate DKIM verification into upcoming filtermail.rs service

2 participants

@j-g00da @link2xt