simple-login / app

The SimpleLogin back-end and web app
https://simplelogin.io
GNU Affero General Public License v3.0

dkim customizations (bug: migration invalidates dkim signatures on previous emails) #2057

Open locknut opened 8 months ago

locknut commented 8 months ago

I'm migrating email for an existing domain to simplelogin.io. This domain has existed for 10+ years and has already had DKIM set up with the selector "dkim".

Prerequisites

Bug report

Describe the bug

To migrate to simplelogin, I'm obliged to replace the contents of that specific existing DKIM DNS record with simplelogin.io's supplied DKIM DNS record value for the same selector ("dkim") that's been in use for 10+ years. This is fine for all future emails, but unfortunately many email clients actively re-validate DKIM signatures every time an email is opened, and will present a rather scary warning to the user if DKIM validation suddenly starts failing for old messages - even if the message headers clearly indicate that DKIM passed at time of receipt.

That's a problem I'd really rather avoid.

Expected behavior

Options:

  1. The ability to import custom public/private keys for DKIM (while continuing to use the existing DKIM selector names - dkim, dkim02, dkim03), on a per domain basis.

  2. The ability to modify the DKIM selector values (while still using simplelogin.io's signing keys & DNS records), on a per domain basis. So instead of this:

dkim._domainkey.mycustomdomain.com.    IN   CNAME     dkim._domainkey.simplelogin.co.
dkim02._domainkey.mycustomdomain.com.    IN   CNAME     dkim02._domainkey.simplelogin.co.
dkim03._domainkey.mycustomdomain.com.    IN   CNAME     dkim03._domainkey.simplelogin.co.

I could do this:

dkimsl._domainkey.mycustomdomain.com.    IN   CNAME     dkim._domainkey.simplelogin.co.
dkimsl02._domainkey.mycustomdomain.com.    IN   CNAME     dkim02._domainkey.simplelogin.co.
dkimsl03._domainkey.mycustomdomain.com.    IN   CNAME     dkim03._domainkey.simplelogin.co.

  3. The ability to disable specific DKIM selectors from being used, while keeping others enabled, on a per domain basis. If I could just disable "dkim" while keeping "dkim02" and "dkim03" enabled, then that would solve my problem.

Screenshots

N/A

Environment (If applicable):

N/A

Additional context

N/A
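
A pre-migration check for the problem this issue describes, added here as an illustration and not part of the original report or of the SimpleLogin code base: it counts archived messages whose DKIM-Signature was made by the domain under a selector that the CNAME records above would repoint to a different key. The sample messages and the `legacy2015` selector are constructed, and `parse_dkim_tags`, `selectors_at_risk` and `_msg` are hypothetical helper names.

```python
from collections import Counter
from email import message_from_string, policy

# Selectors named in the CNAME records quoted in the issue.
PROVIDER_SELECTORS = frozenset({"dkim", "dkim02", "dkim03"})


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for part in " ".join(str(value).split()).split(";"):
        name, sep, val = part.partition("=")  # split once: b= may end in '=' padding
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def selectors_at_risk(raw_messages, domain, selectors=PROVIDER_SELECTORS):
    """Count stored signatures made by `domain` under a selector whose DNS
    record the migration would point at a different public key."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        for sig in msg.get_all("DKIM-Signature", []):
            tags = parse_dkim_tags(sig)
            signer = tags.get("d", "").lower().rstrip(".")
            selector = tags.get("s", "").lower()
            if signer == domain.lower() and selector in selectors:
                hits[selector] += 1
    return hits


# Constructed sample headers, not real mail; bh=/b= values are placeholders.
def _msg(d, s, fold="\n\t"):
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s={s};{fold}"
            "h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "From: someone@mycustomdomain.com\nSubject: archived\n\nbody\n")

SAMPLE_ARCHIVE = [
    _msg("mycustomdomain.com", "dkim"),            # old key, selector reused
    _msg("MyCustomDomain.com", "dkim", fold=" "),  # same signer, different case
    _msg("mycustomdomain.com", "legacy2015"),      # constructed selector, untouched
    _msg("example.net", "dkim"),                   # other signer, unaffected
]

if __name__ == "__main__":
    for selector, count in selectors_at_risk(SAMPLE_ARCHIVE, "mycustomdomain.com").items():
        print(f"{count} archived signature(s) use selector {selector!r}")
```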