Is it possible to reject an outgoing message if there is no (valid) DKIM record set for the sending domain name?
So with this, you just want to see a DNS record present for your selector? Or you want to ensure the DKIM signature validates on the signed message?
For the latter you could use dkim_verify (KumoMTA Docs).
For the former you could probably use lookup_addr (KumoMTA Docs).
Actually no, that is just A records. @free-spirited-yorksh is there a lookup DNS function for TXT records?
We don’t expose a lookup_txt to Lua at the moment.
I would suggest using the dkim_verify method for this use case though; you can call it right after you sign the message.
Yeah, that does take things one step further, ensuring the signature is valid and not just that the DNS is present.
checking at reception time means that we won’t bother queuing the message. We don’t offer a way to check this sort of thing at delivery time, as long delays outside of the normal expected delivery process make it difficult for the shaping and scheduling to work as designed.
Ideally something done intermittently or when a new signing domain is encountered.
“Long delays” here really means “conceptually long”; for an arbitrary event callback, we would have no way to predict its expected latency and manage to it.
My use case here is that I want to prevent emails being sent out without a valid DKIM DNS record.
Some more context: I’m trying to build a transactional email provider, which can be used by any customer. So I want to be sure that they’ve added the DKIM/SPF records when sending out emails from a specific domain name.
Often this would be handled in the web UI of the interface so that they can set up their DKIM, then the page validates it before they can generate messages. The MTA level check would be more of a security thing, a second line of defense in case the DKIM record changes. I’d say you do something like store known signing domains in Redis with a TTL, and when there’s no cached DKIM check you verify the signature of the next message that uses that domain, then cache it as checked for the next TTL window. That way you don’t take the performance hit of checking every message, but are able to keep an eye on messages. If the check fails, push back a permfail message. You may want to cache the failure so that you’re not checking every message of a user with a bad DKIM signature.
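The cached-check pattern described in the post above, written out as a KumoMTA Lua policy fragment. This is an added example, not code from the thread or from the KumoMTA project. It assumes the API names as I understand them from the KumoMTA docs (kumo.on, msg:sender(), msg:dkim_sign(), msg:dkim_verify(), kumo.reject, kumo.dkim.rsa_sha256_signer, kumo.redis.open and conn:query); the Redis URL, key path, selector, TTLs and the "dkim-check:" key prefix are placeholders I chose. Check every call against the current docs before relying on it.

```lua
-- Added example (not from the thread or the KumoMTA project).
-- Verify our own DKIM signature once per signing domain per TTL window,
-- cache the outcome in Redis, and permfail messages for domains whose
-- DKIM DNS record is missing or invalid. All API names below are assumed
-- from the KumoMTA docs; the URL, key path, selector and TTLs are placeholders.
local kumo = require 'kumo'

local REDIS_URL = 'redis://127.0.0.1/'   -- assumed local Redis
local PASS_TTL = 3600                     -- seconds before a passing domain is re-checked
local FAIL_TTL = 300                      -- shorter, so a repaired DNS record is noticed soon
local KEY_PREFIX = 'dkim-check:'          -- placeholder key namespace

local function cache_key(domain)
  return KEY_PREFIX .. domain
end

-- Build the signer for a customer's domain. In a real deployment the key
-- path and selector would come from the customer's configuration.
local function signer_for(domain)
  return kumo.dkim.rsa_sha256_signer {
    domain = domain,
    selector = 'default',                          -- placeholder selector
    headers = { 'From', 'To', 'Subject', 'Date' },
    key = '/opt/kumomta/keys/' .. domain .. '/default.key',  -- placeholder path
  }
end

-- True only when every DKIM signature on the message verifies against DNS.
-- A message with no signature at all is treated as a failure.
local function signature_is_valid(msg)
  local results = msg:dkim_verify()
  if #results == 0 then
    return false
  end
  for _, r in ipairs(results) do
    if r.result ~= 'pass' then
      return false
    end
  end
  return true
end

local function permfail(domain)
  -- 5.7.20: "No passing DKIM signature found" class of enhanced status code
  kumo.reject(550, '5.7.20 DKIM record for ' .. domain .. ' is missing or invalid')
end

kumo.on('smtp_server_message_received', function(msg)
  local domain = msg:sender().domain
  local conn = kumo.redis.open { node = REDIS_URL }
  local cached = conn:query('GET', cache_key(domain))

  -- Cached failure: reject without re-checking DNS on every message
  if cached == 'fail' then
    permfail(domain)
  end

  msg:dkim_sign(signer_for(domain))

  -- Cached pass: the domain was verified within the TTL window, skip the check
  if cached == 'pass' then
    return
  end

  -- No cached result: verify this message's signature and record the outcome
  if signature_is_valid(msg) then
    conn:query('SET', cache_key(domain), 'pass', 'EX', PASS_TTL)
  else
    conn:query('SET', cache_key(domain), 'fail', 'EX', FAIL_TTL)
    permfail(domain)
  end
end)
```

The check runs in the reception event, as the thread recommends, so a failing message is rejected at the SMTP boundary and never queued. The envelope sender's domain is used as the signing domain for simplicity; if customers sign on the From header domain instead, derive the key from that header. The failure TTL is deliberately shorter than the pass TTL so that a customer who fixes their DNS record is not locked out for the full window.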
Yeah, that’s probably a better idea.
I think this is a task for the web UI, for example to check all DNS records daily, and if a record is no longer present, to remove the ‘allowed domain’ from the MTA.
Yeah.
Would you save this ‘array of allowed sending domain names’ in for example a Vault?
That I’d keep in something like Redis, it’s more about a cache for which domains have validated recently.
Thanks!