# DKIM signing

modify.dkim module is a modifier that signs messages using the DKIM
protocol (RFC 6376).

Each configuration block specifies a single selector
and one or more domains.

A key will be generated or read for each domain; the key to use
for each message will be selected based on the SMTP envelope sender. The
exception is the domain-less postmaster address and the null address, for
which the key for the first domain will be used. If the domain in the envelope
sender does not match any of the loaded keys, the message will not be signed.
Additionally, for each message the From header is checked to
match MAIL FROM and the authorization identity (the username the sender is logged in as).
This can be controlled using the require_sender_match directive.

Generated private keys are stored in unencrypted PKCS#8 format
in state_directory/dkim_keys (`/var/lib/maddy/dkim_keys`).
In the same directory, .dns files are generated that contain the
public key for each domain formatted in the form of a DNS record.

## Arguments

domains and selector can be specified in arguments, so actual modify.dkim use can
be shortened to the following:

```
modify {
    dkim example.org selector
}
```

## Configuration directives

```
modify.dkim {
    debug no
    domains example.org example.com
    selector default
    key_path dkim-keys/{domain}-{selector}.key
    oversign_fields ...
    sign_fields ...
    header_canon relaxed
    body_canon relaxed
    sig_expiry 120h # 5 days
    hash sha256
    newkey_algo rsa2048
}
```

### debug _boolean_
Default: global directive value

Enable verbose logging.

---

### domains _string-list_
**Required**. <br>
Default: not specified

Administrative Management Domains (ADMDs) taking responsibility for messages.

Should be specified either as a directive or as an argument.

---

### selector _string_
**Required**. <br>
Default: not specified

Identifier of the used key within the ADMD.
Should be specified either as a directive or as an argument.

---

### key_path _string_
Default: `dkim_keys/{domain}_{selector}.key`

Path to the private key. It should be in PKCS#8 format wrapped in PEM encoding.
If the key does not exist, it will be generated using the algorithm specified
in newkey_algo.

Placeholders '{domain}' and '{selector}' will be replaced with the corresponding
values from the domain and selector directives.

Additionally, keys in PKCS#1 ("RSA PRIVATE KEY") and
RFC 5915 ("EC PRIVATE KEY") format can be read by modify.dkim. Note, however, that
newly generated keys are always in PKCS#8.

---

### oversign_fields _list..._
Default: see below

Header fields that should be signed n+1 times, where n is the number of times they are
present in the message. This makes it impossible to replace a field
value by prepending another field with the same name to the message.

Fields specified here don't have to be also specified in `sign_fields`.

Default set of oversigned fields:

- Subject
- To
- From
- Date
- MIME-Version
- Content-Type
- Content-Transfer-Encoding
- Reply-To
- Message-Id
- References
- Autocrypt
- Openpgp

---

### sign_fields _list..._
Default: see below

Header fields that should be signed n times, where n is the number of times they are
present in the message. For these fields, additional values can be prepended
by intermediate relays, but existing values can't be changed.

Default set of signed fields:

- List-Id
- List-Help
- List-Unsubscribe
- List-Post
- List-Owner
- List-Archive
- Resent-To
- Resent-Sender
- Resent-Message-Id
- Resent-Date
- Resent-From
- Resent-Cc

---

### header_canon `relaxed` | `simple`
Default: `relaxed`

Canonicalization algorithm to use for header fields. With `relaxed`, whitespace within
fields can be modified without breaking the signature; with `simple`, no
modifications are allowed.

---

### body_canon `relaxed` | `simple`
Default: `relaxed`

Canonicalization algorithm to use for the message body. With `relaxed`, whitespace within
the body can be modified without breaking the signature; with `simple`, no
modifications are allowed.

---

### sig_expiry _duration_
Default: `120h`

Time for which the signature should be considered valid. Mainly used to prevent
unauthorized resending of old messages.

---

### hash _hash_
Default: `sha256`

Hash algorithm to use when computing the body hash.

sha256 is the only supported algorithm now.

---

### newkey_algo `rsa4096` | `rsa2048` | `ed25519`
Default: `rsa2048`

Algorithm to use when generating a new key.

Currently ed25519 is **not** supported by most platforms.

---

### require_sender_match _ids..._
Default: `envelope auth`

Require the specified identifiers to match the From header field and the key domain;
otherwise, don't sign the message.

If the From field contains multiple addresses, the message will not be
signed unless `allow_multiple_from` is also specified. In that
case only the first address will be compared.

Matching is done in a case-insensitive way.

Valid values:

- `off` – Disable the check, always sign.
- `envelope` – Require the MAIL FROM address to match the From header.
- `auth` – If the authorization identity contains @, require it to
  fully match the From header. Otherwise, check only the local-part
  (username).

---

### allow_multiple_from _boolean_
Default: `no`

Allow multiple addresses in the From header field for the purposes of
`require_sender_match` checks. Only the first address will be checked, however.

---

### sign_subdomains _boolean_
Default: `no`

Sign emails from subdomains using the top domain's key.

Allows only one domain to be specified (can be worked around by using `modify.dkim`
multiple times).
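The key handling described under key_path and newkey_algo, as an added Go example that is not maddy's own code: it generates a key for one domain/selector with the same algorithm names as `newkey_algo`, writes it as unencrypted PKCS#8 PEM (so the file is created owner-only), derives the DNS TXT record for the public key, and reads back any of the three PEM encodings the text says modify.dkim accepts. The `.dns` file layout, the `dkim_keys` directory name used here and the helper names are this example's assumptions, not maddy's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KeyMaterial holds the two artifacts the text describes for each domain:
// the private key in PKCS#8 PEM and the DNS record publishing the public key.
type KeyMaterial struct {
	PrivatePEM []byte
	DNSName    string // e.g. "default._domainkey.example.org."
	DNSRecord  string // TXT value, e.g. "v=DKIM1; k=rsa; p=..."
}

// generateKey builds a key pair for one domain/selector. algo uses the same
// names as the newkey_algo directive: rsa2048, rsa4096 or ed25519.
func generateKey(domain, selector, algo string) (*KeyMaterial, error) {
	var priv any
	var txt string
	switch algo {
	case "rsa2048", "rsa4096":
		bits := 2048
		if algo == "rsa4096" {
			bits = 4096
		}
		k, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		// RFC 6376: p= is the base64 SubjectPublicKeyInfo of the RSA key.
		spki, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
		if err != nil {
			return nil, err
		}
		priv = k
		txt = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(spki)
	case "ed25519":
		pub, k, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		priv = k
		// RFC 8463: p= carries the raw 32-byte public key, not an SPKI structure.
		txt = "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
	default:
		return nil, fmt.Errorf("unsupported newkey_algo %q", algo)
	}
	// Newly generated keys are always written as PKCS#8, as the text states.
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return &KeyMaterial{
		PrivatePEM: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}),
		DNSName:    fmt.Sprintf("%s._domainkey.%s.", selector, domain),
		DNSRecord:  txt,
	}, nil
}

// loadPrivateKey accepts the three PEM encodings the text lists: PKCS#8
// ("PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY") and RFC 5915 ("EC PRIVATE KEY").
func loadPrivateKey(pemBytes []byte) (any, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found in key file")
	}
	switch block.Type {
	case "PRIVATE KEY":
		return x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	}
	return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
}

// keyAlgo names the algorithm of a parsed key, for sanity checks and logging.
func keyAlgo(k any) string {
	switch k.(type) {
	case *rsa.PrivateKey:
		return "rsa"
	case ed25519.PrivateKey:
		return "ed25519"
	case *ecdsa.PrivateKey:
		return "ecdsa"
	}
	return "unknown"
}

// keyPath expands the {domain} and {selector} placeholders of key_path.
func keyPath(template, domain, selector string) string {
	return strings.NewReplacer("{domain}", domain, "{selector}", selector).Replace(template)
}

func main() {
	km, err := generateKey("example.org", "default", "rsa2048")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// "dkim_keys" stands in for state_directory/dkim_keys (assumed layout).
	path := keyPath(filepath.Join("dkim_keys", "{domain}_{selector}.key"), "example.org", "default")
	dnsFile := strings.TrimSuffix(path, ".key") + ".dns"
	record := km.DNSName + " TXT \"" + km.DNSRecord + "\"\n"
	// The private key is unencrypted, so restrict it to the owner; the DNS record is public.
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err == nil {
		_ = os.WriteFile(path, km.PrivatePEM, 0o600)
		_ = os.WriteFile(dnsFile, []byte(record), 0o644)
	}
	fmt.Print(record)
}
```

Publishing the TXT record at `selector._domainkey.domain` is what lets verifiers check signatures; a key that parses but whose `.dns` record was never published is the most common cause of "signed but fails verification" reports.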
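The difference between `oversign_fields` and `sign_fields`, as an added Go example that is not maddy's own code: it builds the `h=` list a signer with those settings would emit (n+1 entries for oversigned names, n for signed ones), applies RFC 6376 relaxed header canonicalization and the bottom-up header selection a verifier uses, and shows that a Subject prepended after signing leaves a plain signature valid but breaks an oversigned one. The `Header` type, the helper names and the sample message are this example's own constructions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Header is one header field in message order (index 0 is the top of the header).
type Header struct {
	Name  string
	Value string
}

var wspRun = regexp.MustCompile(`[ \t]+`)

// canonRelaxedHeader applies RFC 6376 section 3.4.2 "relaxed" canonicalization
// to one field: lowercase the name, unfold, collapse whitespace runs to one
// space, and drop whitespace at the end of the value and around the colon.
func canonRelaxedHeader(name, value string) string {
	v := strings.NewReplacer("\r\n", "", "\n", "").Replace(value)
	v = strings.TrimSpace(wspRun.ReplaceAllString(v, " "))
	return strings.ToLower(strings.TrimSpace(name)) + ":" + v + "\r\n"
}

// buildHTag computes the h= list for a signer configured like modify.dkim:
// each oversign field n+1 times and each sign field n times, where n is the
// number of occurrences in the message (lowercase names, in order).
func buildHTag(hdrs []Header, oversign, sign []string) []string {
	count := func(name string) int {
		n := 0
		for _, h := range hdrs {
			if strings.EqualFold(h.Name, name) {
				n++
			}
		}
		return n
	}
	var h []string
	for _, name := range oversign {
		for i := 0; i < count(name)+1; i++ {
			h = append(h, strings.ToLower(name))
		}
	}
	for _, name := range sign {
		for i := 0; i < count(name); i++ {
			h = append(h, strings.ToLower(name))
		}
	}
	return h
}

// signedHeaderInput is the header portion of the data a DKIM signature covers
// (RFC 6376 section 5.4.2): for each name in h=, take the lowest not-yet-used
// occurrence in the message; a name with no occurrence left contributes the
// null string (section 3.7). With an oversigned name, a field added later
// above the original fills that extra slot and so changes the signed data.
func signedHeaderInput(hdrs []Header, hTag []string) string {
	used := make([]bool, len(hdrs))
	var b strings.Builder
	for _, want := range hTag {
		for i := len(hdrs) - 1; i >= 0; i-- {
			if !used[i] && strings.EqualFold(hdrs[i].Name, want) {
				used[i] = true
				b.WriteString(canonRelaxedHeader(hdrs[i].Name, hdrs[i].Value))
				break
			}
		}
	}
	return b.String()
}

// stillVerifies reports whether the header data covered by h= is unchanged
// between the message as signed and the message as received.
func stillVerifies(signed, received []Header, hTag []string) bool {
	return signedHeaderInput(signed, hTag) == signedHeaderInput(received, hTag)
}

func main() {
	// Constructed sample: the message as signed by the originating server.
	signed := []Header{
		{"From", "alice@example.org"},
		{"To", "bob@example.net"},
		{"Subject", "  Invoice\r\n   for March"}, // folded; relaxed canon unfolds it
		{"Date", "Mon, 01 Jan 2024 10:00:00 +0000"},
	}
	// The same message after a later hop prepended a second Subject above the original.
	received := append([]Header{{"Subject", "Updated invoice"}}, signed...)

	plain := buildHTag(signed, nil, []string{"From", "To", "Subject", "Date"})
	over := buildHTag(signed, []string{"Subject", "From", "To", "Date"}, nil)
	fmt.Printf("h=%s  still verifies: %v\n", strings.Join(plain, ":"), stillVerifies(signed, received, plain))
	fmt.Printf("h=%s  still verifies: %v\n", strings.Join(over, ":"), stillVerifies(signed, received, over))
}
```

With plain signing the verifier still finds the original Subject (the lowest occurrence) and the signature holds even though many clients display the topmost Subject; with oversigning the second `subject` slot, empty at signing time, now picks up the added field and the signature fails, which is exactly what the defaults for Subject, From, To and Date are meant to achieve.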