driusan's DKIM tools
This is a collection of pure Go tools I've written to DKIM sign messages and verify them on my 9front mail server. They should be fairly easy to incorporate into any pipeline that can pass messages along stdin and read them from stdout.
Verifying DKIM Signatures
dkimverify will verify that a message has a valid
It can either read a message from stdin, or have (optionally many) filenames passed as arguments. If all messages have valid signatures, it will exit with a success status, otherwise it will exit with an exit code of the number of messages that failed validation. For each one, it will print the reason for the failure to stderr.
-hd parameter takes a string argument and instead of printing to
stderr, will print an SMTP header of that name with a value of "Pass"
or "Fail" to stdout. Temporary failures or no DKIM signature present
in a message will print nothing.
hdsuffix can be
used to add a prefix or suffix to the header value.
The dkimverify tool can be used without any special configuration.
Signing DKIM Signatures
Signing is slightly more complicated by necessity. The tool
dkimkeygen will create 2 files in the directory it's run in:
private.pem. The contents of the dns.txt need to be
added to your domain's DNS as a TXT record at
selector._domainkey.example.com so that the DKIM signatures added by
dkimsign can be validated. (the "selector" part can be anything you
want, but needs to match what's passed to
the corresponding private key.
dkimsign reads a message from stdin and writes a signed version of
that message to stdout according to the parameters passed. The
incoming message can have any line ending, but they'll be converted to
"\r\n" line endings on output (unless
-n is passed, in which case
they'll be printed as "\n"). If "-hd" is passed to
header will be printed to stdout but not the message body. The
parameter is the private key and should be the path to the
private.pem generated by dkimkeygen.
-s is the selector and
should match the selector part of the domain name.
-d is the domain
Example (Plan 9)
The following is an example
/mail/lib/remotemail that should add
valid DKIM Signatures on a Plan 9 server. Note that since it requires
the sender to have access to private.pem it should probably only be
used in a single-user environment.
#!/bin/rc shift sender=$1 shift addr=$1 shift # The first smtp with -f causes SMTP to add any headers it wants and # fully qualify the addresses, printing to stdout instead of sending. # dkimsign signs From, Date, Subject, and To headers (and the body) # with relaxed encoding (the default). It prints the signed message # to stdout with \n line endings ("-n") and undoes the dot-stuffing # added by smtp -f ("-u") both for generating the signature and for # printing it. It uses the selector 19700101._domainkey.example.com and # signs using the private key at /sys/lib/dkim/private.pem (which # should correspond to the selector) # The second smtp (without -f) then sends the mail for real. exec /bin/upas/smtp -f -h example.com .example.com $addr $sender $* | /bin/dkimsign -h From:Date:Subject:To -u -s 19700101 -n -d example.com -key /sys/lib/dkim/private.pem | /bin/upas/smtp -s -h example.com .example.com $addr $sender $*