DKIM module

This module verifies the authenticity of emails through the analysis of DKIM signatures. The presence of a valid DKIM signature indicates that the message has been trusted and signed by a recognized source. For example, if a message comes from then a valid DKIM signature means that this message was definitely signed by (unless the private key has been compromised, which is not a likely case).

Supported features

Rspamd effectively handles a variety of DKIM signatures and message canonicalization techniques. However, a common challenge in DKIM is the handling of line endings, as different mail transfer agents (MTAs) may treat them differently, resulting in invalid signatures. To mitigate this issue, Rspamd treats line endings as CR+LF, which is compatible with the majority of DKIM implementations.
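
The following added example, which is not Rspamd's code, shows why line endings matter: it implements the `simple` and `relaxed` body canonicalizations from RFC 6376 and computes the `bh=` body hash for the same constructed message with CRLF and with bare LF line endings. The function names and the sample body are assumptions made for this illustration.

```python
import base64
import hashlib
import re


def normalize_crlf(body: bytes) -> bytes:
    """Rewrite bare LF and bare CR as CRLF; existing CRLF pairs are kept."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of SP/TAB, strip trailing whitespace on
    each line, drop trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed", normalize: bool = True) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    if normalize:
        body = normalize_crlf(body)
    data = canon_relaxed(body) if canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


# Constructed sample: the same body as sent (CRLF) and as it might look
# after a hop that rewrote line endings to bare LF.
BODY_CRLF = b"Hello,\r\n\r\nThis is  a test. \r\n\r\n"
BODY_LF = BODY_CRLF.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        for normalize in (False, True):
            same = (body_hash(BODY_CRLF, canon, normalize)
                    == body_hash(BODY_LF, canon, normalize))
            print(f"{canon:7} normalize={normalize!s:5} hashes match: {same}")
```

Without normalization the two copies hash differently under both canonicalizations, so a verifier that hashes the bytes as received would report a body hash mismatch for the LF copy.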


The DKIM module has several useful configuration options:

  • symbol_allow (string): symbol to insert in case of allow (default: ‘R_DKIM_ALLOW’)
  • symbol_reject (string): symbol to insert (default: ‘R_DKIM_REJECT’)
  • symbol_tempfail (string): symbol to insert in case of temporary fail (default: ‘R_DKIM_TEMPFAIL’)
  • symbol_permfail (string): symbol to insert in case of permanent failure (default: ‘R_DKIM_PERMFAIL’)
  • symbol_na (string): symbol to insert in case of no signing (default: ‘R_DKIM_NA’)
  • whitelist (map): map of whitelisted networks
  • domains (map): map of domains to check
  • strict_multiplier (number): multiplier for strict domains
  • time_jitter (number): jitter in seconds to allow time diff while checking
  • trusted_only (boolean): check signatures only for domains in ‘domains’ map
  • dkim_cache_size (number): cache up to 1000 of the most recent DKIM records
  • dkim_cache_expire (time): default max expire for an element in this cache
  • skip_multi (boolean): skip DKIM check for messages with multiple signatures

DKIM signatures

Please use the dkim_signing module for DKIM signatures.