5.7 qmail-pop3d Authentication

Authentication for Mailbox users is a 'must' and without authentication access to a Mailbox is not permitted. Along side with qmail-pop3d, qmail-popup is required to provide the userid, password, and the environmental settings.

5.7.1 qmail-pop3d Auth environment settings

Unlike qmail-smtpd, for qmail-popup only a slim choice of authentication mechanisms exists.

Note: For qmail-popup no particular environment variables are required to enable authentication.

5.8 qmail-qmtpd Authentication

qmail-qmtpd supports authentication solely based on X.509 client certificates employing sslserver. The procedure follows the one discussed in section 5.5, except that the validation of the email address against the provided QMTP originator address is not provided and no specific logging takes place.

5.9 qmail-remote Authentication

qmail-remote is not at personal (E)SMTP client but rather acts on behalf of the (domain) owner. Thus, qmail-remote supports ESMTP authentication under two distinct scenarios:

• As ESMTP client submitting emails from a specific domain. For this purpose, the control file authusers can be employed.
• As ESMTP deliverer for emails to a relayhost as specified by means of the legacy (but now extended) smptroutes control file.

5.9.1 qmail-remote User Authentication

In a setting, where s/qmail has to serve multiple domains, you can set up qmail-remote to respect to act according to the domain's preferences:

Scenario 1 (control/authusers):

Based on the entire SMTP sending address, the domain part; or perhaps in general, one can specify the ESMTP username, the password, and hostname and port to connect to for ESMTP authentication.

However, if s/qmail depends on some remore relayhosts irrespectively of the sender, the following setup will be beneficial:

Scenario 2 (control/smtproutes):

Based on destination, qmail-remote can be advised to send emails on behalf of a (commonly known) username and password to a specific relayhost on a given port.

Note: authsenders settings have precedence over smtproutes.

5.9.2 qmail-remote Client Certificate Authentication

qmail-remote supports (as client) X.509 certificate validation and complementing section 5.5 regarding qmail-smtpd.

Now, the control file domaincerts may be employed to provide domain based X.509 authentication. This requires to include a X.509 + keyfile for a specific domain.

qmail-remote domaincerts provides the following capabilities:

• The PEM encoded X.509 certificate is given per sending domain (syntax):
  domain:certificate|keyfile|password

• If domain equals '* this certificate is used as default for all connections.
• The file certificate may include the private key, thus keyfile can be omitted.
• The private key can be protected with a password.

Note: It is certainly a good idea to change the permission of this file only to be readable by qmail-remote running as user qmailr.

5.10 SPF Records and Domain Authorization

Starting with release 3.2 s/qmail supports the Sender Policy Framework SPF. SPF is mainly a mechanism to attach authorization to particular MTAs; their IP address respectively. Based on Jana Saout's code, s/qmail incorporates a native SPF parser with IPv6 capabilities.

SPF is rather complex and provides mechanisms for recursive lookups as given in the SPF record. Here is the layout of qmail-smtpd's SPF implementation:

5.10.1 Checking SPF records

SPF DNS records are common these days for the 'big players' in the Internet, like Gmail and others. However, the may possess a certain level of complexity to parse including text-semantic analysis and delegation to other SPF domain providers.

In order get used to SPF, spfquery may be used to see, how the SPF information retrieval is working. In general, an email supplier (using ESMTP) publishes for this domain a specific DNS TXT record which provides authorization for (mainly) IP addresses of MTAs of the domain example.com. This domain name is taken from the 'Mail From:' SMTP envelope address (in case of bounce, the EHLO/HELO string). The idea is taken from Hadmuth Danisch's RMX proposal, which was sacked in the IETF letter ballot and replaced with the much more complex SPF model.

Within my SPF implementation the entire information retrieval path is provided as output from spfquery.

Here is a (complicated) sample for a FAIL result:

Here, the 'M' denotes the SPF mechanism, 'I' means include. All presented IP addresses are checked against the sending MTA's one. CIDR evaluation is supported.

Once SPF records are published into the DNS, one may specify, if a particular MTA

• is authorized (PASS '+'),
• should be rejected (FAIL '-'),
• is ambiguous (SOFTFAIL '~'), or
• is unknown (NEUTRAL '?')

according to the SPF policy for sending email from example.com as provided as SMTP Return-Path envelope address.

s/qmail provides a complex SPF record parser and supporting all 'mechanisms' as defined in RFC 4408.

5.10.2 SPF evaluation in qmail-smtpd

SPF records requires intensive DNS lookups and this is done at the stage 'RCPT TO:' by qmail-smtpd, thus other anti-Spam means will work before.

Advise: Use a local DNSCache to speed up the lookup and reduce the load of any potential recursive DNS Resolver.

qmail-smtpd provides three tweaks for the SPF setup:

1. The environment variable SPF is used as generic switch for the SPF evaluation. s/qmail follows Jana Saout's principals, as shown in the following table. However, no specific control file for qmail-smtpd is provided.
2. A local policy (as last resort) can be specified in spflocalrules. The former spfguess is not supported anymore.
3. More important, in case of an SPF Fail, the return code of qmail-smtpd can be customized to allow a site specific explanation. The default expression build in is:
   See http://%{d}/why.html?sender=%{s}&ip=%{i}&receiver=%{R}"

   This explanation uses the typical SPF macros, which are expanded at run-time.

SPF values to be specified for individual connections:

SPF values 1 to 3 are 'save' and can be used in a standard environment. Setting SPF="1" raises the possibility to allow a Mail Delivery Agent (MDA) to inspect the Received-SPF header for spam and fraud detection.

While SPF record evalution can be triggered by a standard qmail-smtpd environment variable set in the run script, it is advisiable to perform a stronger SPF evaluation only for 'unknown' MTAs. In order to feed downstream Spam detection systems, I recommend:

1. Within qmail-smtpd use SPF envaluation for all MTA (in the run script) defining "SPF=1" which means 'annotation' mode only.
2. Within tcpserver/sslserver's cdb include "SPF=2/SPF=3" in the last generic 'allow' statement.

Note: In case auf email authentication, no SPF evaluation is used.

5.10.3 SPF Received Header

qmail-smtpd generates a standard Received-SPF header, in case

• the provided SPF environment value is given and not null,
• the domain to lookup provides SPF records to be evaluated.

Thus, the Received-SPF header is only present in case SPF information has been looked up successfully or a particular DNS failure hase been recognized. A standard PASS situation looks like this:

The implementation is able to include all cases of SPF results ('+' pass, '-' fail, '~' softfail, '?' neutral, 'o' none, 't' temperror, 'e' permerror); however depends on a feed of SPF variables.

The (global) variable spfinfo is populated as set of concatenated individual values in the following manner:

1. identity carries the information of the retrieval source (i.e. recipient address, Helo greeting ...).
2. clientip is the IP of the sending host.
3. helo is the Helo greeting of the sender; if this is omitted, qmail-smtpd uses the received E/HELO string.
4. envelopefrom is the Return-Path from the envelope.
5. receiver is the recipient MTA.
6. problem includes a description of encountered errors.
7. mechanism is the purported evaluation method.
8. result is the result of the evaluation and is expressed in the standard tokens (i.e. '+', '-' ...).

Note 1: Except for result any of these variables may be empty/unsupplied.

Note 2: The provided information follows the guidelines in RFC 6376.

5.10.4 SPF Logging

qmail-smtpd displays the evaluated SPF information under two distinct conditions:

1. PASS: In case, the SPF information matches the received criterions, irrespectively of the SPF settings (SPF > 0) the email is labeled als SPF accepted and additional receiving information is added.
2. FAIL: In case SPF is setup to reject failed SPF evaluation, a Fail is indicated in the logs.

5.11 Sender Rewriting Scheme SRS

Starting with s/qmail 4.0, the modules srsforward and srsreverse are available taking care of sending and receiving emails with a SRS SMTP envelope addresses, though without requiring to install libsrs2.

Both modules are used within a dot-qmail file and evaluate the control file srsdomains declaring domains to be treated with SRS addresses. A virtual user 'srs' included into the control file virtualdomains may take care of bounces with SRS addresses.

SRS takes care of problems in the SPF scheme:

It should be noted, that SRS is not standarised. It is in fact a variant of VERP, comparable with BATV.

Assuming, your domain name is mydomain.org mails received from user@foo.org and is subject for srsforward, it will re-write the SMTP Return-Path address (RCPT TO:) in the following (minimal) way:

user@foo.org ==> SRS0+HHH=TT=foo.org=user@mydomain.org

SRS address ingredients:

• HHH: These three letters perform a cryptographic hash.
• TT: A timestamp, making the delivery unique and mitigates forgery of bounces.
• '+': The chosen delimiting character given in the control file srsdomains; while '=' and '-' are allowed as well. '=' is the default delimiter and this character is alos used in the rest of the local part of the SRS address.

While srsforward and srsreverse are usually called from a dedicated user's dot-qmail file, rather s/qmail allows in addition to facilitate the alias user for this task.

5.11.1 Forwarding mails with SRS

Enabling SRS in s/qmail you can setup a control file srsdomains. Here, you define some recipient domain names which eventually will forward mails via SRS, including cryptographic material to be used and additional configuration parameters. Let's assume, we are a MTA at mydomain.org and additionally serve 2ndomain.com and badadmin.org. We may setup up this srsdomains file:

This results in the following SRS settings:

• The first line defines the default: SRS forwarding is enabled for all received domains, defining 'mysecret' as base for the hash 'HHH' with delimiter "'"and providing the RCPT TO: address as 'srs.mydomain.org': SRS0-HHH=TT=foo.org=user@users.mydomain.org
• The second line defines a particular behaviour for '2ndomain.com' using three secrets, defaulting to the standard delimiter "=", and using srs.mydomain.org as RTCP TO: domain part: SRS0=HHH=TT=foo.org=user@srs.mydomain.org
• The third line shows the possibility to disable particular domains acting as SRS forwarder.

SRS forwarding is possible for recipient domains provisioned in srsdomains with a dedicated secret. If for example foo.org would *not* be present in the srsdomains file given above, the default '*' would be used and any of the given 'secrets' would be valid.

The settings are passive unlike somebody uses srsforward explicitely in a dot-qmail file. Forwarding emails for domains including SRS enhanced SMTP (RCPT TO:) address is triggered upon (local) receipt by a dot-qmail file:

Typically, this is the user's dot-qmail file. However, it could be a 'virtual user' as well, in particular within a vpopmail or vmailmgr setup; thus applicable for Qmail toasters as well. As a result, the email would be forwarded with the SRS enhanced RCPT TO: SMTP envelope address to all domains given in the .qmail file.

It should be noted that the arguments for srsforward - the domain names - can be constructed on-the-fly potentially using the environment variables provided by qmail-local and described in qmail-command.

5.11.2 Receiving bounces with SRS addresses

Having set up SRS and using the scheme, this SRS-enabled domain is responsible for potential bounces, resulting in case the recipient mailbox is not reachable. This is, because the SRS host has substituted the orignal domain-part in the SMTP RCPT TO: envelope with its own.

Quote from libsrs2 regarding SRS reverse:

To make it more explicit:

1. With SRS enabled, a bounce mail (eg. if the recipient is unvaialable) will always target the forwarding MTA, since the SMTP 'RCPT TO:' has been rewritten and includes in the domain part now the forwarding host's domain name.
2. The email needs to be received and thus a matching rcpthosts entry is required to be recognized by qmail-smtpd.
3. The SRS address needs to be 'unwrap' and the bounce forwarded to the original sender, which is only possible in case of matching 'secrets'.
4. The bounce sender in the SMTP MAIL FROM: needs to be chosen, but defaults to the NULL sender '<>'.

To provide such a service - here srsreverse - needs some care, because accepting unsolicited messages for third-party domains and forwarding those would result in an Open Relay. SRS copes with this, including a hash value and a time-stamp in the local part of the RCPT TO: address for SRS forwarded mails.

Here, we have two choices:

• We use our MTA's standard domain name for SRS forwarding and bounce handling..
• In a multi-tenant setup, we need to raise a subdomain to cope bounces received for any particular domain.

Given these circumstandes, handling of bounce mails with SRS envelope information (RCPT TO:) is simple:

srsreverse reconstructs from the SMTP envelope address of the incoming bounce mail the forseen (remote) recipient while verifying the legitimity of the SRS information; thus checking whether the bounce mail address is in accord with the information provided in srsdomains.

5.11.3 A usable setting for SRS

SRS forwarding shall be an exception. Mostly it happens, when mails need to be dispersed without a mailing listing manager like ezmlm. Here, sending domains might have a SPF record set, and thus need to get treated by SRS.

The handling of bounces is considered to be third order. You might follow these rules:

• Setting up ONE bounce policy for your MTA handling all SRS bounces: You need to setup a .qmail-default file (for the alias user) including the call of a srsreverse and handling bounces.
• More clever, you can raise a SRS subdomain (reachable via DNS MX), which needs to be configured in rcpthosts and locals e.g. as srs.mydomain.org together with a specific dot-qmail file (again for the alias user) .qmail-srs-default following the previous recipe.
• In an advanced multi-tenant environment, you can setup - aligned with your srsdomains definitions - dedicated dot-qmail files for virtual users together with entries in rcpthosts and virtualdomains.

5.11.4 Logging of SRS rewriting actions

Any delivery of srsforward and/or srsreverse will show up in the qmail-send log:

2020-02-25 14:01:34.029809500 delivery 2617: success: srsforward:_SRS0=shBI=4O=example.com=erwin@example.com/did_1+0+1/

5.12 DomainKeys Identified Mails

The task of DomainKeys Identified Mails (DKIM) is to provide autenticity and integrity for emails while adding a digital signature within the email header. This requires a cryptographic public/private key pair, a technical procedure, and a protocol which is defined in mainly RFC 6376 and RFC 8463. DKIM is only suited for SMTP and can not be used for QMTP, since this a byte and not a record-line transmission protocol.

The DKIM protocol includes three major steps:

• The canonicalization of the email, based on the CRLF line format.
• The signing procedure resulting in a DKIM header which includes the required information how the signature was generated, where to find the public key (in DNS), and the signature itself.
• The verification operation while parsing the mail given by the protocol information, generating the signature material to be compared against the signature as unfolded by the public key.

This prodecure is unfortunately quite complex, since it includes several canonicalization schemes, two different hash functions (SHA1 and SHA256), and two signature mechanisms: RSA and Ed25516.

For s/qmail I've refactored the public domain libdkim library from the ALT-N project, straightend the C++ code, removed obsolete implementation details and included Edwards ECC cryptography based on Ed25519.

The resulting module qmail-dkim is however API-compatible with libdkim given the fehQlibs are used additionally in order to provide DNS services.

In order to support DKIM signing and verification the following modules are now part of s/qmail:

1. qmail-dkim the main module for signing and verification, which can be used stand-alone.
2. qmail-dksign a stub-module called from qmail-rspawn, providing the input message at queue/dkim/X in order to sign it by qmail-dkim and storing it under queue/dkim/Y ready for qmail-remote to be send.



Figure: The interrelationship among qmail-rspawn, qmail-dksign, qmail-dkim, and qmail-remote. Arrows with open triangles show the message, the filled ones the program flow.
3. qmail-dkverify a is stub-module being responsibe for DKIM verification and called via the QMAILQUEUE="bin/qmail-dkverify" meachanism (QMAILQUEUE_EXTRA) invoked by qmail-smtpd. This will provide the message with enhanced CRs at queue/dkim/X to be verified by qmail-dkim. The CR stripped message is scheduled to qmail-queue.



Figure: The interrelationship among qmail-smptd, qmail-dkverify, qmail-dkim, and qmail-queue.

qmail-dkim supports the following signature algorithms:

1. RSA with SHA1
2. RSA with SHA256
3. RSA with SHA1 and SHA256
4. Ed25519 (with SHA256)
5. Ed25519 with RSA-SHA256

In order to operate and to provide the canonicalization, this version of s/qmail (4.2.x) raises an additional directory structure: queue/dkim/N/, where N is the argumente given in conf-split. These directories are thus staging directories for DKIM. This implies, that any DKIM processed email is read and written several times, which decreases performance. Due to the many operational steps and interdependencies (as seen in the figures above) a lot of concurrent file descripictors are used. This limit may be raised far above 1024 in order to achieve a high qmail-remote concurrency. Otherwise, the following message in qmail-sends's log may be seen:

Under Linux, you need to raise the available file descriptors. Typically the setting is done via /etc/security/limits.conf. Here, you need to include the following:

Now, you raise the FD limit to 4096 for both the users qmails and qmailr. Depending on your throughput, this number shall be even higher! In order to become effective, you need to restart qmail-send.

RSA SHA-256 and Ed25519 keys required:

1. A RSA private and public key, where the public key is presented as DER-enhanced and BASE64 encoded key in the DNS as TXT record typically given as default._domainkey.example.com where default is called the 'selector'.
2. An Ed25519 private and public key, where the public key is given as 'naked' BASE64 encoded key in the DNS with a distinct selector. Here, I have chosen the default name to be'eddy' resulting in an DNS name eddy._domainkey.example.com.

5.12.1 DKIM sign outgoing messages by qmail-dksign

qmail-dksign is a setuid module:

and is only invoked by qmail-rspawn if the control file

is present. Use the file control/dkimdomains to instruct qmail-dkim how to DKIM sign an outgoing message and provides the following customization:

Apart form the senddomain followed by a colon, all other parameters are optional. By default, a RSA signatature for SHA256 is generated.

• selector is used to prepend the artificial DKIM domain name selector._domainkey.example.com, where example.com is the sending domain for RSA signatures.
  If not explicitely given, it defaults to 'default'.
• selector2 is used for binding of the Ed25519 public key.
  If not explicitely given, it defaults to 'eddy'.
• SDID (Signing Domain Identifier) defaults usually to senddomain but may be chosen to any other FQDN. This permits to use the same FQDN in the DNS for different sending domains.
• AUID is the Agent/User Identifier and may contain additional information for some policy to be obeyed. Here, it has no specific meaning.
  In case AUID matches '~' (the 'tilde') automatically the provided 'Mail From:' address is substituded here.
• expire is the validity period of the signature in seconds and default to 604800.
• r|s|t|u specifies, how to canonicalize the message:
  • s simple/strict,
  • t relax on header, simple on body,
  • u simple on header, relax on body.
  • r is relax on header and body, the default here.
• 1|2|3|4|5 is the signature algorithm:
  1. RSA-SHA1.
  2. RSA-SHA256 (default).
  3. RSA-SHA1 + RSA-SHA256.
  4. Ed25519.
  5. Ed25519 + RSA-SHA256.
• l tells to include the length of the message in the DKIM header.

Note: selector and SDID can be chosen freely for any DKIM key but need to reflect the settings in the DNS for the domain name given of the DKIM TXT record.

5.12.2 DKIM key repository: ssl/domainkeys/fqdn

In s/qmail/ the X.509 cerificates, private keys, and other TLS materials are stored in the protected direcory /var/qmail/ssl/. This is enhanced now for the subdirectory domainkeys followed by the sending domain:

In order to work, a private domainkey file needs to exist at:

This structure roughly invertes the DNS name given for the DKIM public key:

Here, fqdn could be either the domain name or the hostname of the MTA.

• The file name <selector> needs to coincide with its setting in control/dkimdomains for the given domain.
• You can avoid the name in control/dkimdomains if the RSA <selector> defaults to 'default' or the Ed25519 <selector2> defaults to 'eddy'.
• Several different <selector>s may exisit in the domain's subdirectory; but only the one explicitely (or implicitely) given by control/dkimdomains becomes active for signing.

5.12.3 Generating DKIM keys

Domainkeys are generated by mkdkimkey; a script available in s/qmail's installation diretory ./scripts.
In order to enable it, follow these steps:

1. Within ./scripts call make. This will customise the shell script and creates mkdkimkey.
2. Copy this script to some useful location; potentially the s/qmail bin directory for easy use.

Upon calling the script without arguments, you get the usage information:

mkdkimkey will automatically generate the required keys in the target directory given by domain. Please obey the permissions of the keys. The domainkey private file is automatically raised to be readable only by qmail-dkim operating as qmailq user:

• The generated key files always carry the selector as appendix and thus the matching private and public key file can be identified unambiguously.
• Existing key files with the same selector name, are not automatically overwritten.
• In case of overwriting key files with the same selector name, the old ones are copied with extension .previous.
• The generated private key file is automatically symlinked to its selector name.
• Key generation can be done on-the-fly without side-effects.

5.12.4 Provisioning the DKIM public key in DNS

mkdkimkey will of course also generate the public key for your domain. You can always ask for a BIND compliant output to be used as DKIM TXT record for your DNS authoritive server:

It is important to understand, that only this step defines the binding between the domain name and the public key, which of course needs to be complemented by the private key.

Within the DKIM TXT record you need to specify which signature algorithm is used and you may include constraints on the hash function and on the usage. This is detailed in RFC 6376 Section 3.6. You may modify the generated DNS TXT record manually for your needs and deploy it afterwards in the DNS.

In case, you have a different DNS authoritative server (like tinydns), use their own generic format.

5.12.5 Chosing the DKIM signature procedure

qmail-dksign works multi-tenant, thus you can create individual (or none) keys per sending domain. Apart from that it allows parenting, thus a subdomain inherits the key of its parent, and also a default signing procedure. In any case: More specific settings have precedence over less specific ones.

In the file dkimdomains the following information can be given to be provisioned to qmail-dkim:

1. The sending domain before the colon (:). An asterix (*) is used to command signing an email origininating from any domain (even forwarded) with your domainkey.
2. The selector which is used to prepend the domainkey to allow key rollover. The default selector is default but can be customized. The private is always referenced as default irrespectable of your choice. Use selector as suffix for the private key.
3. The SDID (Sending Domain Information Identitifer). This allows you to use ONE domainkey to be supplied for serveral domains.
4. The AUID (Agent User Identity) used to delegate the DKIM signature to another domain.
5. The Lifetime of the signature. A receiving MTA should not accept DKIM signed message where the lifetime between sending and receiving is expired.
6. The Canonicalization of the email message (relaxed, simple, ...).
7. The Signature Algorithm to be used (1 or 2 or combined -3- for RSA or 4 for Ed25519).
8. Commands to include the Length of the signed message in the DKIM header (potentially required, if additional footers are added).

Individual domains can be excluded for signing. Here, you can indicate those with a prepending exclamation mark (!). Thus, control/dkimdomains allows you to provide a complete description of your DKIM settings per sending domains. However, there are the following drawbacks:

• You can specify to use concurrent RSA/SHA1 and RSA/SHA256 signatures to be included in the email's DKIM headers (they use the same private key).
• You always have to create a working symlink binding a domain in control/dkimdomains with the actual available DKIM private key under ssl/domainkeys/<domain>/signkey. Otherwise, qmail-rspawn will complain with the following error message:
  delivery 106: failure: Unable_to_run_qmail-remote./

5.12.6 DKIM Key-Rollover

It should be a standard procedure to generate new DKIM keys after a certain period, at least each year; depending on the signature strength.

In order to become effective, a new (public) domain key needs to be provisioned in the DNS some time before the private key is used for signing. The time span depends on the TTL of the DKIM key in DNS and should be at least a small multiple of it. Several DKIM DNS records with different selectors per domain may co-exist.

To allow a smooth transition, the old and the new public key need to be present in the DNS. A DKIM validating application, like qmail-dkverify will fetch both and try both for signature verification and succeed, if one key matches.

To support key-rollover, generate new DKIM keys. The new one shall be given a different selector comprising the DNS TXT record newselector._domainkey.example.com to be published in the DNS alongside with the old one. This old one should become retired and removed from the DNS in the next days, after the new selector was used for signing.

mkdimkkey generates new keys while appending the selector information in both the private and the public key. This prevents any ambiguity about the matching of private and public keys.

5.12.7 DKIM Key-Sharing

Another common usage allows to use the same public/private key pair for different domains. Here, you need to synchronize your local data as provisioned to qmail-dksign and the data in the DNS. The basic idea is, that all domains referring to the same public key in DNS share the same private key by a symlinking the source in ssl/domainkeys/.

• If you have raised keys for mydomain.org and would like the use the some for foreign.net set up the link:
  ssl/domainkeys/foreign.net -> ssl/domainkey/myddomain.org.
• Include an entry in control/dkimdomains:
  mydomain.org:
  foreign.net:|mydomain.org|

Thus, the DNS DKIM name - the SDID - to be looked up as provisioned in the DKIM header in the mail, points to an already existing DNS record while allowing you to save raising additional entries in the DNS and thus using the same selector, private and public key for several domains for DKIM signing and verification.

5.12.8 DKIM signature header

The information included in the DKIM header generated by qmail-dksign depends on you settings for the respective domain in control/dkimdomains. Let's give a sample using Ed25519 signatures:

The relevant pieces here are:

• d=exmple.com: The domain name for which the DNS DKIM lookup shall be raised for (SDID) enhanced with
• s=default, the selector,
• i=me@example.com the AUID (not used here),
• q=dns/txt use a DNS query to fetch the public key,
• h=Receveive:Date... the email headers to be included in the signing procedure,
• b=d7... the hash of body (here: SHA256),
• b=d7wD ... the calculated Ed25519 signature covering message headers and including the value of the body hash as well.

Note: Unlike RSA, Ed25519 does not allow to calculate the signature in a 'stream' format; rather it is done in one step only.

5.12.9 Verifying DKIM signed inbound messages by qmail-dkverify

The verification of DKIM signed email is possible upon receipt by qmail-dkverify used queue as plug-in called by qmail-smtpd while setting up: QMAILQUEUE="bin/qmail-dkverify" either in the start script or within the sslserver's cdb, which is the recommended way. This allows to fine-grain the DKIM verification and also to avoid 'false-negatives' for domains with a wrong DKIM DNS setup.

qmail-dkverify is again a setuid module

and works usually in annotation mode only. In case a a DKIM public key could be fetched from the respective DNS DKIM TXT record and the verification was successful, this this shown in the received email header only:

The 'X-Authentication-Results' header is included showing the result 'pass', the sending MTA 'piplus.example.com', and the DKIM verifying MTA: 'bigchief.heaven.com'. This additional header is based on the evaluation of the DKIM header and the DNS DKIM TXT public key for the domain (and selector) indicated in the signature header below, In case of a failure, the reason for this is explained verbose in parenthesis.

As can be seen: The DKIM signature is completely voluntary. Thus it is only provisioned if all boundary conditions are met. Therefore, it ist not useful as a trigger/filter for mail abuse. 'False-negatives' are mainly due to mis-configuration or expired/revoked keys.

However, you can reject emails with failed DKIM signature setting additionally the environment variable DKIM=+ alongside with the QMAILQUEUE="bin/qmail-dkverify" setting.

5.12.10 Addendum: DKIM Settings in DNS TXT Records

A DKIM record in the DNS is a simple TXT record, however with a defined data structure (RFC 6376):

• The data section consists of individual items.
• Each item is introduced by single character (the tag) followed by an equal sign (=): The identifier.
• Each item is terminated by a semi-colon ';' except for the last token, where this can be omitted.
• White spaces in the data section are permitted, but should be avoided to shorten the DNS information.

DKIM items: