Skip to content

DkimSignature

Defines a DKIM signature used to sign outgoing email messages.

This object can be configured from the WebUI under Management › Domains › DKIM Signatures

DkimSignature is a multi-variant object: each instance has an @type discriminator selecting one of the variants below, and each variant carries its own set of fields.

DKIM1 (Ed25519 SHA-256)

Type: String?

Agent or user identifier included in the DKIM signature header

Type: DkimCanonicalization · default: "relaxed/relaxed"

Canonicalization algorithm applied to the headers and body before signing

Type: Duration?

Time after which this DKIM signature expires and should no longer be considered valid

Type: String[] · default: ["From","To","Date","Subject","Message-ID"]

List of message headers to include in the DKIM signature

Type: SecretText · required

PEM-encoded private key used to sign outgoing messages

Type: Text · server-set

PEM-encoded public key used to verify signatures, derived from the private key

Type: Boolean · default: true

Whether to request failure reports when signature verification fails on the recipient side

Type: String?

Authorized third-party signature value, used when signing on behalf of another domain

Type: DkimHash?

Hashing algorithm used to verify the authorized third-party signature DNS record

Type: Id<Domain> · required

Identifier for the domain this DKIM signature is associated with

Type: Id<Tenant>? · enterprise

Identifier for the tenant this DKIM signature belongs to

Type: String · required

Selector used to locate the DKIM public key in DNS

Type: UTCDateTime · server-set

Creation date of the DKIM signature

Type: UTCDateTime?

Date when this key will transition to the next rotation stage, or null if no transition is scheduled

Type: DkimRotationStage · default: "active"

Current stage of the DKIM key in its rotation lifecycle

DKIM1 (RSA SHA-256)

Type: String?

Agent or user identifier included in the DKIM signature header

Type: DkimCanonicalization · default: "relaxed/relaxed"

Canonicalization algorithm applied to the headers and body before signing

Type: Duration?

Time after which this DKIM signature expires and should no longer be considered valid

Type: String[] · default: ["From","To","Date","Subject","Message-ID"]

List of message headers to include in the DKIM signature

Type: SecretText · required

PEM-encoded private key used to sign outgoing messages

Type: Text · server-set

PEM-encoded public key used to verify signatures, derived from the private key

Type: Boolean · default: true

Whether to request failure reports when signature verification fails on the recipient side

Type: String?

Authorized third-party signature value, used when signing on behalf of another domain

Type: DkimHash?

Hashing algorithm used to verify the authorized third-party signature DNS record

Type: Id<Domain> · required

Identifier for the domain this DKIM signature is associated with

Type: Id<Tenant>? · enterprise

Identifier for the tenant this DKIM signature belongs to

Type: String · required

Selector used to locate the DKIM public key in DNS

Type: UTCDateTime · server-set

Creation date of the DKIM signature

Type: UTCDateTime?

Date when this key will transition to the next rotation stage, or null if no transition is scheduled

Type: DkimRotationStage · default: "active"

Current stage of the DKIM key in its rotation lifecycle

DKIM2 (Ed25519 SHA-256)

Type: Dkim2Flag[]

Policy flags added to the signature, requesting downstream handlers to honor delivery constraints or provide feedback

Type: SecretText · required

PEM-encoded private key used to sign outgoing messages

Type: Text · server-set

PEM-encoded public key used to verify signatures, derived from the private key

Type: Id<Domain> · required

Identifier for the domain this DKIM signature is associated with

Type: Id<Tenant>? · enterprise

Identifier for the tenant this DKIM signature belongs to

Type: String · required

Selector used to locate the DKIM public key in DNS

Type: UTCDateTime · server-set

Creation date of the DKIM signature

Type: UTCDateTime?

Date when this key will transition to the next rotation stage, or null if no transition is scheduled

Type: DkimRotationStage · default: "active"

Current stage of the DKIM key in its rotation lifecycle

DKIM2 (RSA SHA-256)

Type: Dkim2Flag[]

Policy flags added to the signature, requesting downstream handlers to honor delivery constraints or provide feedback

Type: SecretText · required

PEM-encoded private key used to sign outgoing messages

Type: Text · server-set

PEM-encoded public key used to verify signatures, derived from the private key

Type: Id<Domain> · required

Identifier for the domain this DKIM signature is associated with

Type: Id<Tenant>? · enterprise

Identifier for the tenant this DKIM signature belongs to

Type: String · required

Selector used to locate the DKIM public key in DNS

Type: UTCDateTime · server-set

Creation date of the DKIM signature

Type: UTCDateTime?

Date when this key will transition to the next rotation stage, or null if no transition is scheduled

Type: DkimRotationStage · default: "active"

Current stage of the DKIM key in its rotation lifecycle

The DkimSignature object is available via the urn:stalwart:jmap capability.

This is a standard Foo/get method as defined in RFC 8620, Section 5.1.

This method requires the sysDkimSignatureGet permission.

Terminal window
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:DkimSignature/get",
{
"ids": [
"id1"
]
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'

This is a standard Foo/set method as defined in RFC 8620, Section 5.3.

Supports create, update, and destroy operations in a single call.

This operation requires the sysDkimSignatureCreate permission.

Terminal window
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:DkimSignature/set",
{
"create": {
"new1": {
"@type": "Dkim1Ed25519Sha256",
"domainId": "<Domain id>",
"privateKey": {
"@type": "Text",
"secret": "Example"
},
"selector": "Example"
}
}
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'

This operation requires the sysDkimSignatureUpdate permission.

Terminal window
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:DkimSignature/set",
{
"update": {
"id1": {
"auid": "updated value"
}
}
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'

This operation requires the sysDkimSignatureDestroy permission.

Terminal window
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:DkimSignature/set",
{
"destroy": [
"id1"
]
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'

This is a standard Foo/query method as defined in RFC 8620, Section 5.5.

This method requires the sysDkimSignatureQuery permission.

Terminal window
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:DkimSignature/query",
{
"filter": {
"domainId": "id1"
}
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'

The x:DkimSignature/query filter argument accepts the following conditions (combinable with AnyOf / AllOf / Not per RFC 8620):

ConditionKind
domainIdid of Domain
memberTenantIdid of Tenant

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

Terminal window
stalwart-cli get DkimSignature id1
Terminal window
stalwart-cli create DkimSignature/Dkim1Ed25519Sha256 \
--field 'privateKey={"@type":"Text","secret":"Example"}' \
--field 'domainId=<Domain id>' \
--field selector=Example
Terminal window
stalwart-cli query DkimSignature
stalwart-cli query DkimSignature --where domainId=id1
Terminal window
stalwart-cli update DkimSignature id1 --field auid='updated value'
Terminal window
stalwart-cli delete DkimSignature --ids id1

A secret text value provided directly, from an environment variable, or from a file.

A secret text value provided directly.

Type: Text · required · secret

Password or secret value

A secret value read from an environment variable.

Type: String · required

Environment variable name to read the secret from

A secret value read from a file.

Type: String · required

File path to read the secret from

ValueLabel
relaxed/relaxedRelaxed/Relaxed
simple/simpleSimple/Simple
relaxed/simpleRelaxed/Simple
simple/relaxedSimple/Relaxed
ValueLabel
sha256SHA-256
sha1SHA-1
ValueLabel
activeDKIM key is published in DNS and used for signing
pendingDKIM key is scheduled for DNS publication and not yet active
retiringDKIM key has been superseded by a new key but still published in DNS
retiredDKIM key has been removed from DNS and is pending deletion
ValueLabel
donotmodifyRequest that the message not be modified in transit
donotexplodeRequest that the message not be delivered to more than one recipient
feedbackRequest feedback about how the message is handled during delivery