Skip to content

kumo.dkim.rsa_sha256_signer {PARAMS}

Create a DKIM signer that uses RSA SHA256.

-- Called once the body has been received.
-- For multi-recipient mail, this is called for each recipient.
kumo.on('smtp_server_message_received', function(msg)
  local signer = kumo.dkim.rsa_sha256_signer {
    domain = msg:from_header().domain,
    selector = 'default',
    headers = { 'From', 'To', 'Subject' },
    key = 'example-private-dkim-key.pem',
  }
  msg:dkim_sign(signer)
end)

PARAMS is a lua table that can have the following keys:

domain

Required. The domain for which the mail is being signed.

selector

Required. The selector used for signing

headers

Required. The list of headers which should be signed.

atps

Optional string. Allows setting the Authorized Third-Party signature.

atpsh

Optional string. Set the Authorized Third-Party Signature hashing algorithm.

agent_user_identifier

Optional string. Sets the Agent of User Identifier (AUID) to use for signing.

expiration

Optional number. Sets the number of seconds from now to use for the signature expiration.

body_length

Optional boolean. If true, the body length will be included in the signature.

reporting

Optional boolean. If true, the signature will be marked as requesting reports from the receiver/verifier.

header_canonicalization

Specify the canonicalization method to be used when hashing message headers. Can be one of:

  • "Relaxed" - this is the default
  • "Simple"

body_canonicalization

Specify the canonicalization method to be used when hashing message body. Can be one of:

  • "Relaxed" - this is the default
  • "Simple"

key

Required. Specify the signing key data.

The value is a KeySource.

The key data must be either RSA PEM or a PKCS8 PEM encoded.

local file_signer = kumo.dkim.rsa_sha256_signer {
  domain = msg:from_header().domain,
  selector = 'default',
  headers = { 'From', 'To', 'Subject' },
  key = '/path/to/example-private-dkim-key.pem',
}

Tip

The KeySource page explains how to read from HashiCorp Vault or from an arbitrary source of data.

ttl

Optional number. Specifies the time-to-live (TTL) in KumoMTA's DKIM signer cache. The default is 300 seconds.

Each call to this function with the same parameters is cached for up to the specified TTL in order to avoid the overhead of repeatedly load the key from disk.

Last update: 2023-09-08
Created: 2023-02-25