mod_email_dkim

Signs outgoing e-mails with DomainKeys Identified Mail Signatures (RFC 6376).

DKIM (DomainKeys Identified Mail) is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing email.

How does it work?

DKIM works by signing each e-mail that Zotonic sends with a private key. The public key is published in a DNS TXT record, which the receiving mail server uses to check that the e-mail actually originated from the domain it claims to come from.

Note

Generating the keypair requires the openssl utility to be available in $PATH.

This RSA keypair is generated automatically when the module is installed, and the private/public keys are put in the site security directory: security/$site/dkim/dkim.key and security/$site/dkim/dkim.pub. Existing keys in the old site-local priv/dkim/ location are moved there automatically when needed. When the module is active and the keypair has been generated, outgoing MIME e-mail is signed with DKIM.

The DKIM signature covers the From, To, Subject, Date, Sender, Reply-To, Cc, Message-Id, MIME-Version, Content-Type, List-Unsubscribe, and List-Unsubscribe-Post headers. These headers are always listed in the DKIM signature; if a header is missing from the message then DKIM treats it as an empty value, as defined by the standard. This header set follows the recommendations from RFC 6376 section 5.4.1 and includes the list headers required for one-click unsubscribe support from RFC 8058.

DNS configuration

The receiving e-mail server checks the validity of the signature by doing a DNS lookup. To configure DKIM, you will need to add this DNS entry to the domain that you send the mail from.

In the admin, the page /admin/email/dkim (available under “Modules” / “DKIM e-mail setup”) explains how to configure this DNS entry, including the text to copy and paste into the DNS record.

DKIM selector

By default, the DKIM selector is set to the string zotonic. This will result in DNS lookups to the zotonic._domainkey.yoursite.com domain. You can change the selector name by adding a config value called site.dkim_selector.
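
To confirm after deployment that a sent test message is signed as described above (header coverage, selector and resulting DNS lookup name), the DKIM-Signature header can be checked offline. This is an added example, not Zotonic code: the function names are hypothetical and the sample header is constructed, with placeholder bh= and b= values.

```python
import re

# Header set the page says mod_email_dkim always lists in the signature.
EXPECTED_HEADERS = [
    "From", "To", "Subject", "Date", "Sender", "Reply-To", "Cc", "Message-Id",
    "MIME-Version", "Content-Type", "List-Unsubscribe", "List-Unsubscribe-Post",
]

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list, as used in DKIM-Signature headers."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue  # empty element, e.g. after a trailing ';'
        name, _, val = part.partition("=")  # base64 values may contain '='
        tags[name.strip()] = val.strip()
    return tags

def audit_signature(header_value, domain, selector="zotonic"):
    """Return (dns_name, problems) for one DKIM-Signature header value."""
    tags = parse_tag_list(header_value)
    problems = []
    if tags.get("d", "").lower() != domain.lower():
        problems.append("d= is %r, expected %r" % (tags.get("d"), domain))
    if tags.get("s", "").lower() != selector.lower():
        problems.append("s= is %r, expected %r" % (tags.get("s"), selector))
    # h= is a colon-separated, case-insensitive list of signed header names.
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    for name in EXPECTED_HEADERS:
        if name.lower() not in signed:
            problems.append("header not covered: " + name)
    # Receivers look up the key at <s=>._domainkey.<d=>.
    dns_name = "%s._domainkey.%s" % (tags.get("s", selector), tags.get("d", domain))
    return dns_name, problems

# Constructed sample, not from a real message. List-Unsubscribe-Post is
# deliberately left out of h= so the audit has something to report.
SAMPLE = (
    "v=1; a=rsa-sha256; d=yoursite.com; s=zotonic;\r\n"
    "\th=From:To:Subject:Date:Sender:Reply-To:Cc:Message-Id:\r\n"
    "\t MIME-Version:Content-Type:List-Unsubscribe;\r\n"
    "\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE"
)

if __name__ == "__main__":
    print(audit_signature(SAMPLE, "yoursite.com"))
```

An empty problem list means the header names the expected domain and selector and lists the full header set; it does not verify the signature itself.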

Accepted Events

This module handles the following notifier callbacks:

  • observe_email_dkim_options: Inject DKIM signing options for outgoing emails when DKIM is configured.

Models

email_dkim

DomainKeys Identified Mail Signatures (RFC 6376) is a method to add a signature to outgoing emails. This enables…
