DKIM module

This module checks DKIM signatures for emails scanned. DKIM signatures can establish that this specific message has been signed by a trusted relay. For example, if a message comes from then a valid DKIM signature means that this message was definitely signed by (unless private key has been compromised, which is not a likewise case).

Supported features

Rspamd can deal with many types of DKIM signatures and messages canonicalisation. The major difficulty with DKIM are line endings: many MTA treat them differently which leads to broken signatures. Basically, rspamd treats all line endings as CR+LF that is compatible with the most of DKIM implementations.


DKIM module has several useful configuration options:

  • symbol_allow (string): symbol to insert in case of allow (default: ‘R_DKIM_ALLOW’)
  • symbol_reject (string): symbol to insert (default: ‘R_DKIM_REJECT’)
  • symbol_tempfail (string): symbol to insert in case of temporary fail (default: ‘R_DKIM_TEMPFAIL’)
  • symbol_permfail (string): symbol to insert in case of permanent failure (default: ‘R_DKIM_PERMFAIL’)
  • symbol_na (string): symbol to insert in case of no signing (default: ‘R_DKIM_NA’)
  • whitelist (map): map of whitelisted networks
  • domains (map): map of domains to check
  • strict_multiplier (number): multiplier for strict domains
  • time_jitter (number): jitter in seconds to allow time diff while checking
  • trusted_only (boolean): check signatures only for domains in ‘domains’ map
  • dkim_cache_size (number): cache up to 1000 of the most recent DKIM records
  • dkim_cache_expire (time): default max expire for an element in this cache
  • skip_multi (boolean): skip DKIM check for messages with multiple signatures

DKIM signatures

Please use dkim_signing module for DKIM signatures.