
Handling DKIM keys

Andris Reinman edited this page Sep 6, 2016 · 2 revisions

DKIM handling is enabled by default in ZoneMTA, but without any DKIM keys nothing is actually signed. ZoneMTA makes an HTTP POST request against the configuration management URL, which should return the correct keys for the upcoming message.

The request is a POST request against the URL from the getSenderConfig configuration option, with content type application/x-www-form-urlencoded. The request includes the following POST arguments:

  • from is the MAIL FROM address
  • origin includes the IP address of the connecting client
  • transtype indicates if the mail is sent from 'SMTP' or 'HTTP'
  • user includes the username if the user is authenticated or an empty string if not

The response should be a JSON object with the following fields (all fields are optional):

  • rewriteFrom is an email address to use instead of the address provided by MAIL FROM and the message From: header. This allows you to ensure that a certain user can only send using a specific From address. The value can be an address string 'sender@example.com' or '"Sender Name" sender@example.com' (the name is only rewritten in the From header and only if it is missing)
  • deferDelivery indicates a timestamp in milliseconds when the message should be delivered. Use it if you want to defer the message for whatever reason
  • dkim is an object with the following properties:
    • hashAlgo is the algorithm to use (e.g. "sha256") when signing messages
    • keys is an object or an array of objects with keys to use for signing this message
      • domainName is the domain name to use in the signature
      • keySelector is the selector to use in the signature
      • privateKey is the private key to use for signing

Example

Example configuration manager in Express.js

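const express = require('express');
const server = express();

// ZoneMTA sends its arguments as application/x-www-form-urlencoded
server.use(express.urlencoded({ extended: false }));

server.post('/test-get-config', function(req, res) {
    // An empty response carries no DKIM keys, so the message is not signed
    let response = {};
    if (req.body.user === 'trusted-user') {
        response.dkim = {
            keys: {
                domainName: 'example.com',
                keySelector: 'key-selector',
                privateKey: '-----BEGIN RSA PRIVATE KEY-----....'
            }
        };
    }
    res.json(response);
});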
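The handler above decides on the user argument alone. As an added example (not part of the original wiki page or of ZoneMTA), the function below builds the same response from a per-user policy table, pins the sender with rewriteFrom, and returns the keys in array form. The buildSenderConfig name, the POLICY and KEYS tables and the generated key are assumptions made for illustration.

```javascript
'use strict';
// Added example, not ZoneMTA code. Policy table, user names and key
// material are constructed for illustration.
const crypto = require('crypto');

// Constructed throwaway key so the example runs offline. In production load
// the PEM from a secret store or a file readable only by this service.
const { privateKey: demoKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs1', format: 'pem' }
});

// Hypothetical policy: the From address and signing domain bound to each
// authenticated user.
const POLICY = {
    'trusted-user': { from: 'sender@example.com', domainName: 'example.com', keySelector: 'key-selector' }
};
const KEYS = { 'example.com': demoKey };

// body holds the POST arguments ZoneMTA sends: from, origin, transtype, user.
function buildSenderConfig(body) {
    const response = {};
    const user = typeof body.user === 'string' ? body.user : '';
    // hasOwnProperty keeps inherited names such as "constructor" from matching
    if (!user || !Object.prototype.hasOwnProperty.call(POLICY, user)) {
        return response; // unauthenticated or unknown user: no key is released
    }
    const entry = POLICY[user];
    // Pin the sender when MAIL FROM differs from the address bound to the user
    if (String(body.from || '').toLowerCase() !== entry.from) {
        response.rewriteFrom = entry.from;
    }
    response.dkim = {
        hashAlgo: 'sha256',
        keys: [{
            domainName: entry.domainName,
            keySelector: entry.keySelector,
            privateKey: KEYS[entry.domainName]
        }]
    };
    return response;
}
```

Inside the Express handler this reduces to `res.json(buildSenderConfig(req.body))`.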