[GH-ISSUE #21] DomainKeys/DKIM #15

New issue

Open

opened 2026-02-26 10:35:14 +03:00 by kerem · 7 comments

kerem commented 2026-02-26 10:35:14 +03:00

Owner

Copy link

Originally created by @AlexLaroche on GitHub (Mar 12, 2014).
Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/21

Should be interessant to add a DomainKeys signer at your existing DKIM signer and use any combinaison between Dkim, DomainKeys or DKIM/DomainKeys as it's possible in the EA DomainKeys/DKIM solution from Email Architect.

Originally created by @AlexLaroche on GitHub (Mar 12, 2014). Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/21 Should be interessant to add a DomainKeys signer at your existing DKIM signer and use any combinaison between Dkim, DomainKeys or DKIM/DomainKeys as it's possible in the EA DomainKeys/DKIM solution from Email Architect.

kerem added the

enhancement

agent

labels 2026-02-26 10:35:14 +03:00

kerem commented 2026-02-26 10:35:14 +03:00

Author

Owner

Copy link

@Pro commented on GitHub (Mar 13, 2014):

I think DomainKeys isn't worth the time to implement it since DKIM is the successor of DomainKeys and accepted of much more companies.

More important would be to implement #22 and #23, but if you want to invest your time into DomainKeys feel free to add it.

<!-- gh-comment-id:37504200 --> @Pro commented on GitHub (Mar 13, 2014): I think DomainKeys isn't worth the time to implement it since DKIM is the successor of DomainKeys and accepted of much more companies. More important would be to implement #22 and #23, but if you want to invest your time into DomainKeys feel free to add it.

kerem commented 2026-02-26 10:35:14 +03:00

Author

Owner

Copy link

@AlexLaroche commented on GitHub (Mar 13, 2014):

I don't agree with you that implement DomainKeys isn't worth the time.
I already know that DKIM is the successor of DomainKeys.
Unfortunately, DomainKeys is still use in some anti-spam filter of companies depending of worldwide location of the email destinations.
For that reason, it's for me a good reason to spend time to add this feature (if you send some newsletters or don't be block by the anti-spam filter, it's useful).

What is the best ways to change the app.config file to add the implementation?
The only encryption algorithm support is RsaSha1. Two canonicalization are possible : Simple and Nofws.
The domain key aren't affect by this change, we can use the same private key and the same selector. RecipientRule and SenderRule can be easy implement too.

<!-- gh-comment-id:37564899 --> @AlexLaroche commented on GitHub (Mar 13, 2014): I don't agree with you that implement DomainKeys isn't worth the time. I already know that DKIM is the successor of DomainKeys. Unfortunately, DomainKeys is still use in some anti-spam filter of companies depending of worldwide location of the email destinations. For that reason, it's for me a good reason to spend time to add this feature (if you send some newsletters or don't be block by the anti-spam filter, it's useful). What is the best ways to change the app.config file to add the implementation? The only encryption algorithm support is RsaSha1. Two canonicalization are possible : Simple and Nofws. The domain key aren't affect by this change, we can use the same private key and the same selector. RecipientRule and SenderRule can be easy implement too. <general LogLevel="3" HeadersToSign="From; Subject; To; Date; Message-ID;" Algorithm="RsaSha1" HeaderCanonicalization="Simple" BodyCanonicalization="Simple"/>

kerem commented 2026-02-26 10:35:14 +03:00

Author

Owner

Copy link

@Pro commented on GitHub (Mar 13, 2014):

Ah, ok, didn't know that. Then it would be nice to have DomainKeys too.

Regarding the app.config, we always have to keep backwards compatibility, at least for a few months until everyone has an updated version (we can check the config version and adapt to it programatically and warn the user to update the config, see for example here: github.com/Pro/dkim-exchange@c5239cdc53/Src/Exchange.DkimSigner/DkimSigningRoutingAgentFactory.cs (L127) (line 127-133)).

I think the best and cleanest solution would be to set the properties of DKIM and DomainKey in the custom section, and allow on each domain disabling and enabling DKIM and/or DomainKey:

<domainSection>
    <Domains>
        <Domain Domain="example.com" Selector="sel2012" PrivateKeyFile="keys/example.com.private" DKIM="true" DomainKey="false" SenderRule="user@.*" RecipientRule="yahoo\.[^\.]+"/>
    </Domains>
</domainSection>
<customSection>
    <general LogLevel="3" HeadersToSign="From; Subject; To; Date; Message-ID;"/>
    <dkim Algorithm="RsaSha1" HeaderCanonicalization="Simple" BodyCanonicalization="Simple"/>
    <domainKey Algorithm="RsaSha1" HeaderCanonicalization="Simple" BodyCanonicalization="Simple"/>
</customSection>

What's your opinion on this format?

<!-- gh-comment-id:37567882 --> @Pro commented on GitHub (Mar 13, 2014): Ah, ok, didn't know that. Then it would be nice to have DomainKeys too. Regarding the app.config, we always have to keep backwards compatibility, at least for a few months until everyone has an updated version (we can check the config version and adapt to it programatically and warn the user to update the config, see for example here: https://github.com/Pro/dkim-exchange/blob/c5239cdc530fe474e919d2dde5ed7bcbce783405/Src/Exchange.DkimSigner/DkimSigningRoutingAgentFactory.cs#L127 (line 127-133)). I think the best and cleanest solution would be to set the properties of DKIM and DomainKey in the custom section, and allow on each domain disabling and enabling DKIM and/or DomainKey: ``` xml <domainSection> <Domains> <Domain Domain="example.com" Selector="sel2012" PrivateKeyFile="keys/example.com.private" DKIM="true" DomainKey="false" SenderRule="user@.*" RecipientRule="yahoo\.[^\.]+"/> </Domains> </domainSection> <customSection> <general LogLevel="3" HeadersToSign="From; Subject; To; Date; Message-ID;"/> <dkim Algorithm="RsaSha1" HeaderCanonicalization="Simple" BodyCanonicalization="Simple"/> <domainKey Algorithm="RsaSha1" HeaderCanonicalization="Simple" BodyCanonicalization="Simple"/> </customSection> ``` What's your opinion on this format?

kerem commented 2026-02-26 10:35:14 +03:00

Author

Owner

Copy link

@AlexLaroche commented on GitHub (Mar 13, 2014):

The proposed solution for the app.config is very great.
It's a great idea to activate DKIM and DomainKeys by domain.
It's also add the possibility to disable a domain configuration.

But I'm not sure that it's a great idea to put a lot constraints in the code for backwards compatibility as you proposed.

1. Many network administrators doesn't read the event log until a problem occur. They will not see the notice.
2. Any decent network administrator will read the README file before to install any new version of a software on a server.
3. The backward compatibility introduce risk of mistake or unpredictable comportment for the software by the complexity added if it's not well implement or in any subsequent updates.

Could better solution could be a validation of the configuration file (app.config) when the DKIM Signer agent is load. (Occur when the EdgeTransport service start)
When a GUI for installation and for configuration will be available, the impact will be maybe less because the upgrade could be automatic.

What's your opinion about that?

<!-- gh-comment-id:37601271 --> @AlexLaroche commented on GitHub (Mar 13, 2014): The proposed solution for the app.config is very great. It's a great idea to activate DKIM and DomainKeys by domain. It's also add the possibility to disable a domain configuration. But I'm not sure that it's a great idea to put a lot constraints in the code for backwards compatibility as you proposed. 1) Many network administrators doesn't read the event log until a problem occur. They will not see the notice. 2) Any decent network administrator will read the README file before to install any new version of a software on a server. 3) The backward compatibility introduce risk of mistake or unpredictable comportment for the software by the complexity added if it's not well implement or in any subsequent updates. Could better solution could be a validation of the configuration file (app.config) when the DKIM Signer agent is load. (Occur when the EdgeTransport service start) When a GUI for installation and for configuration will be available, the impact will be maybe less because the upgrade could be automatic. What's your opinion about that?

kerem commented 2026-02-26 10:35:15 +03:00

Author

Owner

Copy link

@Pro commented on GitHub (Mar 14, 2014):

That's also a good idea to keep the code clean and checking the config when the agent is created.
I think we can simply throw an Exception in the constructor, which is then shown in the install script and should provide additional info about the wrong config parameter.

<!-- gh-comment-id:37602189 --> @Pro commented on GitHub (Mar 14, 2014): That's also a good idea to keep the code clean and checking the config when the agent is created. I think we can simply throw an Exception in the constructor, which is then shown in the install script and should provide additional info about the wrong config parameter.

kerem commented 2026-02-26 10:35:15 +03:00

Author

Owner

Copy link

@AlexLaroche commented on GitHub (Mar 19, 2014):

Do you where we can throw a exception in this function if the configuration file isn't correct? (unsupported option is pass)

This function is call for every domain and general configuration. We can remove the backwards compatibility if we can throw here a exception.

         public static TConfig GetCustomConfig<TConfig>(string sectionName) where TConfig : ConfigurationSection
        {
            AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(ConfigResolveEventHandler);
            configurationDefiningAssembly = Assembly.LoadFrom(Assembly.GetExecutingAssembly().Location);
            var exeFileMap = new ExeConfigurationFileMap();
            exeFileMap.ExeConfigFilename = Assembly.GetExecutingAssembly().Location + ".config";
            var customConfig = ConfigurationManager.OpenMappedExeConfiguration(exeFileMap, ConfigurationUserLevel.None);
            var returnConfig = customConfig.GetSection(sectionName) as TConfig;
            AppDomain.CurrentDomain.AssemblyResolve -= ConfigResolveEventHandler;
            return returnConfig;
        }

<!-- gh-comment-id:38110855 --> @AlexLaroche commented on GitHub (Mar 19, 2014): Do you where we can throw a exception in this function if the configuration file isn't correct? (unsupported option is pass) This function is call for every domain and general configuration. We can remove the backwards compatibility if we can throw here a exception. ``` public static TConfig GetCustomConfig<TConfig>(string sectionName) where TConfig : ConfigurationSection { AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(ConfigResolveEventHandler); configurationDefiningAssembly = Assembly.LoadFrom(Assembly.GetExecutingAssembly().Location); var exeFileMap = new ExeConfigurationFileMap(); exeFileMap.ExeConfigFilename = Assembly.GetExecutingAssembly().Location + ".config"; var customConfig = ConfigurationManager.OpenMappedExeConfiguration(exeFileMap, ConfigurationUserLevel.None); var returnConfig = customConfig.GetSection(sectionName) as TConfig; AppDomain.CurrentDomain.AssemblyResolve -= ConfigResolveEventHandler; return returnConfig; } ```

kerem commented 2026-02-26 10:35:15 +03:00

Author

Owner

Copy link

@Pro commented on GitHub (Mar 19, 2014):

I think it would be best to throw the exception in the Initialize function instead of the GetCustomConfig:
github.com/Pro/dkim-exchange@5e40356f0e/Src/Exchange.DkimSigner/DkimSigningRoutingAgentFactory.cs (L74)

There are already some examples on ConfigurationErrorsException calls. Instead of the Resources.* calls it would be better to write the error message directly, i.e. throw new ConfigurationErrorsException("Domain example.com error: attribute xy is replaced by zz.") This makes the code more readable.

<!-- gh-comment-id:38111837 --> @Pro commented on GitHub (Mar 19, 2014): I think it would be best to throw the exception in the Initialize function instead of the GetCustomConfig: https://github.com/Pro/dkim-exchange/blob/5e40356f0ee97a355c0a239e3cbac69b68228b16/Src/Exchange.DkimSigner/DkimSigningRoutingAgentFactory.cs#L74 There are already some examples on `ConfigurationErrorsException` calls. Instead of the `Resources.*` calls it would be better to write the error message directly, i.e. `throw new ConfigurationErrorsException("Domain example.com error: attribute xy is replaced by zz.")` This makes the code more readable.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/nuget/Src/Configuration.DkimSigner/MimeKit-4.7.1

Ed25519-SHA256

feature/dkim-verify

coverity_scan

v3.4.1.2

v3.4.2

v3.4.1.1

v3.4.1

v3.4.0

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.2.9

v3.2.8

v3.2.7

3.2.6

v3.2.5

v3.2.4

v3.2.4-alpha

v3.2.3.1

v3.2.3

v3.2.2

v3.2.0

v3.1.0

v3.0.13

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v3.0.0-beta.2

v3.0.0-beta

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.5-beta.2

v2.1.5-beta

v2.1.4

v2.1.3

v.2.1.2

v2.1.1

v2.1.0

v2.0.3

v2.0.2

v2.0.1

v2.0.0-beta.4

v2.0.0-rc.1

v2.0.0-beta.3

v2.0.0-beta.2

v2.0.0-beta

v2.0.0-alpha.1

v2.0.0-alpha

v1.8.3

1.8.2

v1.8.1

v1.8.0

v1.7.0

v1.6.0

v1.5.2

Labels

Clear labels   

agent

  

agent

  

bug

  

bug

  

enhancement

  

gui

  

invalid

  

need-info

  

question

  

wontfix

No labels

agent

agent

bug

bug

enhancement

gui

invalid

need-info

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/dkim-exchange-Pro#15

No description provided.