DkimSignature
DkimSignature
Section titled “DkimSignature”Defines a DKIM signature used to sign outgoing email messages.
This object can be configured from the WebUI under Management › Domains › DKIM Signatures
Fields
Section titled “Fields”DkimSignature is a multi-variant object: each instance has an @type discriminator selecting one of the variants below, and each variant carries its own set of fields.
@type: "Dkim1Ed25519Sha256"
Section titled “@type: "Dkim1Ed25519Sha256"”DKIM1 - Ed25519 SHA-256
Type:
String?Agent or user identifier included in the DKIM signature header
canonicalization
Section titled “canonicalization”Type:
DkimCanonicalization· default:"relaxed/relaxed"Canonicalization algorithm applied to the headers and body before signing
expire
Section titled “expire”Type:
Duration?Time after which this DKIM signature expires and should no longer be considered valid
headers
Section titled “headers”Type:
String[]· default:["From","To","Date","Subject","Message-ID"]List of message headers to include in the DKIM signature
privateKey
Section titled “privateKey”Type:
SecretText· requiredPEM-encoded private key used to sign outgoing messages
publicKey
Section titled “publicKey”Type:
Text· server-setPEM-encoded public key used to verify signatures, derived from the private key
report
Section titled “report”Type:
Boolean· default:trueWhether to request failure reports when signature verification fails on the recipient side
thirdParty
Section titled “thirdParty”Type:
String?Authorized third-party signature value, used when signing on behalf of another domain
thirdPartyHash
Section titled “thirdPartyHash”Type:
DkimHash?Hashing algorithm used to verify the authorized third-party signature DNS record
domainId
Section titled “domainId”Type:
Id<Domain>· requiredIdentifier for the domain this DKIM signature is associated with
memberTenantId
Section titled “memberTenantId”Type:
Id<Tenant>?· enterpriseIdentifier for the tenant this DKIM signature belongs to
selector
Section titled “selector”Type:
String· requiredSelector used to locate the DKIM public key in DNS
createdAt
Section titled “createdAt”Type:
UTCDateTime· server-setCreation date of the DKIM signature
nextTransitionAt
Section titled “nextTransitionAt”Type:
UTCDateTime?Date when this key will transition to the next rotation stage, or null if no transition is scheduled
Type:
DkimRotationStage· default:"active"Current stage of the DKIM key in its rotation lifecycle
@type: "Dkim1RsaSha256"
Section titled “@type: "Dkim1RsaSha256"”DKIM1 - RSA SHA-256
Type:
String?Agent or user identifier included in the DKIM signature header
canonicalization
Section titled “canonicalization”Type:
DkimCanonicalization· default:"relaxed/relaxed"Canonicalization algorithm applied to the headers and body before signing
expire
Section titled “expire”Type:
Duration?Time after which this DKIM signature expires and should no longer be considered valid
headers
Section titled “headers”Type:
String[]· default:["From","To","Date","Subject","Message-ID"]List of message headers to include in the DKIM signature
privateKey
Section titled “privateKey”Type:
SecretText· requiredPEM-encoded private key used to sign outgoing messages
publicKey
Section titled “publicKey”Type:
Text· server-setPEM-encoded public key used to verify signatures, derived from the private key
report
Section titled “report”Type:
Boolean· default:trueWhether to request failure reports when signature verification fails on the recipient side
thirdParty
Section titled “thirdParty”Type:
String?Authorized third-party signature value, used when signing on behalf of another domain
thirdPartyHash
Section titled “thirdPartyHash”Type:
DkimHash?Hashing algorithm used to verify the authorized third-party signature DNS record
domainId
Section titled “domainId”Type:
Id<Domain>· requiredIdentifier for the domain this DKIM signature is associated with
memberTenantId
Section titled “memberTenantId”Type:
Id<Tenant>?· enterpriseIdentifier for the tenant this DKIM signature belongs to
selector
Section titled “selector”Type:
String· requiredSelector used to locate the DKIM public key in DNS
createdAt
Section titled “createdAt”Type:
UTCDateTime· server-setCreation date of the DKIM signature
nextTransitionAt
Section titled “nextTransitionAt”Type:
UTCDateTime?Date when this key will transition to the next rotation stage, or null if no transition is scheduled
Type:
DkimRotationStage· default:"active"Current stage of the DKIM key in its rotation lifecycle
JMAP API
Section titled “JMAP API”The DkimSignature object is available via the urn:stalwart:jmap capability.
x:DkimSignature/get
Section titled “x:DkimSignature/get”This is a standard Foo/get method as defined in RFC 8620, Section 5.1.
This method requires the sysDkimSignatureGet permission.
curl -X POST https://mail.example.com/api \ -H 'Authorization: Bearer $TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "methodCalls": [ [ "x:DkimSignature/get", { "ids": [ "id1" ] }, "c1" ] ], "using": [ "urn:ietf:params:jmap:core", "urn:stalwart:jmap" ] }'x:DkimSignature/set
Section titled “x:DkimSignature/set”This is a standard Foo/set method as defined in RFC 8620, Section 5.3.
Supports create, update, and destroy operations in a single call.
Create
Section titled “Create”This operation requires the sysDkimSignatureCreate permission.
curl -X POST https://mail.example.com/api \ -H 'Authorization: Bearer $TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "methodCalls": [ [ "x:DkimSignature/set", { "create": { "new1": { "@type": "Dkim1Ed25519Sha256", "domainId": "<Domain id>", "privateKey": { "@type": "Text", "secret": "Example" }, "selector": "Example" } } }, "c1" ] ], "using": [ "urn:ietf:params:jmap:core", "urn:stalwart:jmap" ] }'Update
Section titled “Update”This operation requires the sysDkimSignatureUpdate permission.
curl -X POST https://mail.example.com/api \ -H 'Authorization: Bearer $TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "methodCalls": [ [ "x:DkimSignature/set", { "update": { "id1": { "auid": "updated value" } } }, "c1" ] ], "using": [ "urn:ietf:params:jmap:core", "urn:stalwart:jmap" ] }'Destroy
Section titled “Destroy”This operation requires the sysDkimSignatureDestroy permission.
curl -X POST https://mail.example.com/api \ -H 'Authorization: Bearer $TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "methodCalls": [ [ "x:DkimSignature/set", { "destroy": [ "id1" ] }, "c1" ] ], "using": [ "urn:ietf:params:jmap:core", "urn:stalwart:jmap" ] }'x:DkimSignature/query
Section titled “x:DkimSignature/query”This is a standard Foo/query method as defined in RFC 8620, Section 5.5.
This method requires the sysDkimSignatureQuery permission.
curl -X POST https://mail.example.com/api \ -H 'Authorization: Bearer $TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "methodCalls": [ [ "x:DkimSignature/query", { "filter": { "domainId": "id1" } }, "c1" ] ], "using": [ "urn:ietf:params:jmap:core", "urn:stalwart:jmap" ] }'The x:DkimSignature/query filter argument accepts the following conditions (combinable with AnyOf / AllOf / Not per RFC 8620):
| Condition | Kind |
|---|---|
domainId | id of Domain |
memberTenantId | id of Tenant |
stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.
stalwart-cli get DkimSignature id1Create
Section titled “Create”stalwart-cli create DkimSignature/Dkim1Ed25519Sha256 \ --field 'privateKey={"@type":"Text","secret":"Example"}' \ --field 'domainId=<Domain id>' \ --field selector=Examplestalwart-cli query DkimSignaturestalwart-cli query DkimSignature --where domainId=id1Update
Section titled “Update”stalwart-cli update DkimSignature id1 --field auid='updated value'Delete
Section titled “Delete”stalwart-cli delete DkimSignature --ids id1Nested types
Section titled “Nested types”SecretText
Section titled “SecretText”A secret text value provided directly, from an environment variable, or from a file.
Text: Secret value. Carries the fields ofSecretTextValue.EnvironmentVariable: Secret read from environment variable. Carries the fields ofSecretKeyEnvironmentVariable.File: Secret read from file. Carries the fields ofSecretKeyFile.
SecretTextValue
Section titled “SecretTextValue”A secret text value provided directly.
secret
Section titled “secret”Type:
Text· required · secretPassword or secret value
SecretKeyEnvironmentVariable
Section titled “SecretKeyEnvironmentVariable”A secret value read from an environment variable.
variableName
Section titled “variableName”Type:
String· requiredEnvironment variable name to read the secret from
SecretKeyFile
Section titled “SecretKeyFile”A secret value read from a file.
filePath
Section titled “filePath”Type:
String· requiredFile path to read the secret from
DkimCanonicalization
Section titled “DkimCanonicalization”| Value | Label |
|---|---|
relaxed/relaxed | Relaxed/Relaxed |
simple/simple | Simple/Simple |
relaxed/simple | Relaxed/Simple |
simple/relaxed | Simple/Relaxed |
DkimHash
Section titled “DkimHash”| Value | Label |
|---|---|
sha256 | SHA-256 |
sha1 | SHA-1 |
DkimRotationStage
Section titled “DkimRotationStage”| Value | Label |
|---|---|
active | DKIM key is published in DNS and used for signing |
pending | DKIM key is scheduled for DNS publication and not yet active |
retiring | DKIM key has been superseded by a new key but still published in DNS |
retired | DKIM key has been removed from DNS and is pending deletion |