search

jhermsmeier / node-dkim

DomainKeys Identified Mail
MIT License
10 stars 11 forks source link

can you document `verify` method further? #6

Open niftylettuce opened 5 years ago

niftylettuce commented 5 years ago

The source code is quite confusing https://github.com/jhermsmeier/node-dkim/blob/2866c2f6521f20455c94b40d514ef015c8e8770d/lib/verify-signature.js#L76. So if one record fails verification, do all? What does the object look like? Is there a way to just get a true/false on an email if it passes DKIM? Do we have to do it like the test where you iterate over every result and ensure result.verified is true? Is result always an object?

Thanks again!!!

jhermsmeier commented 5 years ago

So if one record fails verification, do all? What does the object look like? Is result always an object?

No, DKIM.verifySignature() only verifies one signature at a time. You'll want to use DKIM.verify( message, callback ) (unless you want to verify a specific signature), which verifies all DKIM signatures found in the message, and returns an array of results. The result array of DKIM.verify() contains verification results of the shape

{
  verified: Boolean,
  status: DKIM.NONE | DKIM.OK | DKIM.TEMPFAIL | DKIM.PERMFAIL,
  error: Error?,
  signature: DKIM.Signature?,
  key: DKIM.Key?
}

which should allow you to select / filter / etc. for the signatures you're interested in.

For DKIM.verifySignature() it's a bit different – it only verifies one specific signature (which requirers all other DKIM headers to be filtered), and takes the arguments

( body: Buffer, headers: Array<String>, callback: Function )

and it's result is of the same shape as above. This method is mainly for internal use.

Is there a way to just get a true/false on an email if it passes DKIM? Do we have to do it like the test where you iterate over every result and ensure result.verified is true?

Short answers: Nope-ish, yes.

There currently is no method to get a simple true / false for DKIM signatures of a message, as a message can have multiple signatures, and each of them can fail in various ways (general error, NONE, TEMPFAIL, PERMFAIL).

This library merely aims to facilitate parsing & checking of DKIM keys & signatures etc., but the decision of which signatures and verification states to honour, rely and act upon is up the consumer. If you're just interested in a simple boolean, the following would be the simplest it can offer at this time:

DKIM.verify( message, ( error, results ) => {

  if( error ) {
    // This should only happen should something go fundamentally wrong,
    // for example because of the lack of an internet connection, lack of key / signature,
    // or Key / Signature syntax errors
  }

  // Whether all signatures check out
  var verified = results.every(( result ) => {
    return result.verified
  })

})

All of these things you touched on do need some improvement, and I'll probably work on dkim in the coming days / weeks to make it easier to work with and improve the documentation.