Skip to content
Pure Go tools for managing DKIM headers
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Add LICENSE for good measure Oct 20, 2018 Add -hd option to dkimverify to make it easier to use in a hook Oct 21, 2018
body.go Improve tests and error messages Jan 28, 2018
body_test.go Initial commit. Verification only Jan 28, 2018
header.go Added commands to sign and generate keys Jan 28, 2018
normalize.go Add -u option to un-dotstuff on read and write Oct 20, 2018
sign_test.go Added commands to sign and generate keys Jan 28, 2018
signature.go Add -hd option to only print the header when signing Oct 20, 2018
signature_test.go Initial commit. Verification only Jan 28, 2018
wikileaks_test.go Added commands to sign and generate keys Jan 28, 2018

driusan's DKIM tools

This is a collection of pure Go tools I've written to DKIM sign messages and verify them on my 9front mail server. They should be fairly easy to incorporate into any pipeline that can pass messages along stdin and read them from stdout.

Verifying DKIM Signatures

The tool dkimverify will verify that a message has a valid signature.

It can either read a message from stdin, or have (optionally many) filenames passed as arguments. If all messages have valid signatures, it will exit with a success status, otherwise it will exit with an exit code of the number of messages that failed validation. For each one, it will print the reason for the failure to stderr.

The -hd parameter takes a string argument and instead of printing to stderr, will print an SMTP header of that name with a value of "Pass" or "Fail" to stdout. Temporary failures or no DKIM signature present in a message will print nothing. -hdprefix or hdsuffix can be used to add a prefix or suffix to the header value.

The dkimverify tool can be used without any special configuration.

Signing DKIM Signatures

Signing is slightly more complicated by necessity. The tool dkimkeygen will create 2 files in the directory it's run in: dns.txt and private.pem. The contents of the dns.txt need to be added to your domain's DNS as a TXT record at so that the DKIM signatures added by dkimsign can be validated. (the "selector" part can be anything you want, but needs to match what's passed to dkimsign) private.pem is the corresponding private key.

dkimsign reads a message from stdin and writes a signed version of that message to stdout according to the parameters passed. The incoming message can have any line ending, but they'll be converted to "\r\n" line endings on output (unless -n is passed, in which case they'll be printed as "\n"). If "-hd" is passed to dkimsign, the header will be printed to stdout but not the message body. The -key parameter is the private key and should be the path to the private.pem generated by dkimkeygen. -s is the selector and should match the selector part of the domain name. -d is the domain name.

Example (Plan 9)

The following is an example /mail/lib/remotemail that should add valid DKIM Signatures on a Plan 9 server. Note that since it requires the sender to have access to private.pem it should probably only be used in a single-user environment.


# The first smtp with -f causes SMTP to add any headers it wants and
# fully qualify the addresses, printing to stdout instead of sending.
# dkimsign signs From, Date, Subject, and To headers (and the body)
# with relaxed encoding (the default).  It prints the signed message
# to stdout with \n line endings ("-n") and undoes the dot-stuffing
# added by smtp -f ("-u") both for generating the signature and for
# printing it.  It uses the selector and
# signs using the private key at /sys/lib/dkim/private.pem (which
# should correspond to the selector)
# The second smtp (without -f) then sends the mail for real.
exec /bin/upas/smtp -f -h $addr $sender $* | /bin/dkimsign -h From:Date:Subject:To -u -s 19700101 -n -d -key /sys/lib/dkim/private.pem | /bin/upas/smtp -s -h $addr $sender $*
You can’t perform that action at this time.