13 May 2026
beta5 is a substantive release. beta6 through beta10 are a sequence of CI fixes — each one fired to see whether the GitHub Actions workflow would correctly build and publish packages. It did, eventually.
CVE-2020-12272: missing character-set validation on the d= tag value in the DKIM Signature header.
CVE-2020-35766: the test harness used a hardcoded /tmp/testkeys path, making key material predictable and potentially writable by other local users.
CVE-2022-48521: a crafted email with a malformed DKIM signature could trigger abnormal termination of the daemon. Never fixed in the upstream OpenDKIM project.
The issues below are bug reports and feature requests filed against the original OpenDKIM project that were never addressed upstream. As part of this fork, we went through the full backlog and fixed all applicable issues.
Issue #222: the Minimum configuration option accepts a percentage value (e.g. 100%) to require that at least that fraction of the message body is covered by a DKIM signature. A message with an empty body caused a division by zero.
Issue #229: use refile: in t-sign-rs-tables-bad to properly exercise the sign-table validation walk.
Issue #233: report dkim=policy for signatures carrying DKIM_SIGFLAG_IGNORE.
Issue #244: fix an always-false NULL check on the mctx_domain array.
Issue #262: correct DKIM_STAT_KEYFAIL handling in mlfi_eoh and mlfi_eom.
Fix use-after-free in mlfi_close; remove dead QUERY_CACHE blocks from the same function.
Insert added headers before all existing headers rather than appending them.
Guard NULL %s arguments in miltertest snprintf calls.
Correct swapped state assertions in miltertest's DATA handler.
Replace assert() with a logged guard in dkimf_config_free().
Removed the opendbx backend. opendbx was an abstraction layer that had provided access to MySQL, PostgreSQL, SQLite, MSSQL, and other databases, but has been abandoned upstream and is no longer maintainable. Also removed: the BerkeleyDB, Erlang, and several other backends that are no longer in a position to be actively maintained.
Added a Redis/Valkey backend via hiredis.
Fixed bugs in the LMDB and datasplit backends.
Systemd: do not create a PID file; do not fork. Let systemd manage the process lifecycle. Added a generic service file in contrib/systemd/.
Patched Lua interface for Lua 5.5+ API changes.
Moved the sample configuration file to /usr/share/doc/opendkim-ng/; the /etc/opendkim.conf conffile entry is dropped — administrators provide their own.
Matrix build for Debian bookworm and trixie.
Post-release dispatch to the apt repository.
Various workflow and artifact-naming fixes accumulated while getting all of the above to fire correctly.