DKIM integration
chasquid supports generating DKIM signatures via the hooks mechanism.
Signing
The example hook includes integration with driusan/dkim and dkimpy, and assumes the following:
- The selector for a domain can be found in the file domains/$DOMAIN/dkim_selector.
- The private key to use for signing can be found in the file certs/$DOMAIN/dkim_privkey.pem.
Only authenticated email will be signed.
Setup with driusan/dkim
- Install the driusan/dkim tools with something like the following (adjust to your local environment):

      for i in dkimsign dkimverify dkimkeygen; do
          go get github.com/driusan/dkim/cmd/$i
          go install github.com/driusan/dkim/cmd/$i
      done
      sudo cp ~/go/bin/{dkimsign,dkimverify,dkimkeygen} /usr/local/bin

- Generate the domain key for your domain using dkimkeygen.
- Publish the DNS record from dns.txt (guide).
- Write the selector you chose to domains/$DOMAIN/dkim_selector.
- Copy private.pem to /etc/chasquid/certs/$DOMAIN/dkim_privkey.pem.
- Verify the setup using one of the publicly available tools, like mail-tester.
Setup with dkimpy
- Install dkimpy with apt install python3-dkim or the equivalent for your environment.
- Generate the domain key for your domain using dknewkey dkim.
- Publish the DNS record from dkim.dns (guide).
- Write the selector you chose to domains/$DOMAIN/dkim_selector.
- Copy dkim.key to /etc/chasquid/certs/$DOMAIN/dkim_privkey.pem.
- Verify the setup using one of the publicly available tools, like mail-tester.
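A local pre-flight check that can be run after either setup above (driusan/dkim or dkimpy), before sending a test message. It is an added example, not part of chasquid or its example hook: check_dkim is a hypothetical name, and it assumes an RSA key, the openssl command-line tool, and a record whose p= tag is the base64 DER SubjectPublicKeyInfo (the form openssl's -pubout option emits).

```shell
#!/bin/sh
# Added example (not chasquid code): check that the files the example hook
# expects exist and that the private key matches the published DNS record.
# Usage: check_dkim CONFDIR DOMAIN 'text of the published TXT record'
# Returns 0 match, 1 missing/unreadable input, 2 mismatch, 3 unsupported key.
check_dkim() {
    confdir=$1 domain=$2 record=$3
    selfile="$confdir/domains/$domain/dkim_selector"
    key="$confdir/certs/$domain/dkim_privkey.pem"

    # The hook reads the selector from this file; it must not be empty.
    selector=$(cat "$selfile" 2>/dev/null | tr -d ' \t\r\n')
    [ -n "$selector" ] || { echo "missing or empty $selfile" >&2; return 1; }

    [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
    # Warn (do not fail) if every local user can read the signing key.
    [ -z "$(find "$key" -perm -004)" ] ||
        echo "warning: $key is world-readable" >&2

    # Join split TXT strings: drop whitespace, quotes and zone-file parens.
    flat=$(printf ';%s' "$record" | tr -d ' \t\r\n"()')
    case $flat in
        *\;k=ed25519*) echo "ed25519 records are not handled" >&2; return 3 ;;
    esac
    published=$(printf '%s' "$flat" |
        sed -n 's|.*;p=\([A-Za-z0-9+/=]*\).*|\1|p')
    [ -n "$published" ] || { echo "no p= tag in record" >&2; return 1; }

    # Assumption: p= holds the base64 DER SubjectPublicKeyInfo of an RSA key.
    derived=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null |
        openssl base64 -A)
    [ -n "$derived" ] || { echo "cannot parse $key" >&2; return 1; }

    if [ "$derived" = "$published" ]; then
        echo "OK: $selector._domainkey.$domain matches $key"
    else
        echo "MISMATCH: DNS record and private key differ" >&2
        return 2
    fi
}
```

Pass the chasquid configuration directory (such as /etc/chasquid), the domain, and the record text, for example the contents of dns.txt or dkim.dns.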
Verification
Verifying signatures is technically supported as well, and can be done in the same hook. However, it's not recommended for SMTP servers to reject mail on verification failures (source 1, source 2), so it is not included in the example.