2 June 2026
This is the first release under the PhoenixDKIM 1.0.0 line. It completes the rename to PhoenixDKIM, resets the version to 1.0.0, and introduces dynamic key backends with zero-downtime key rotation.
PhoenixDKIM is a standalone DKIM signing and verification milter — not a drop-in replacement for OpenDKIM. If you are coming from OpenDKIM or from Rspamd's DKIM signing, the new Coming From guide walks through a side-by-side trial: in most cases you keep your existing keys and DNS records and only change the milter.
The version line restarts at 1.0.0. The earlier 3.0.0-beta series carried over the numbering of the orphaned upstream beta this project forked from (and the interim opendkim-ng name); it is unrelated to this 1.0.0 line. A package manager may note the apparent version decrease — that is expected.
Binary phoenixdkim; tools phoenixdkim-genkey, -testkey, -genzone, -testmsg.
Configuration at /etc/phoenixdkim/phoenixdkim.conf — PhoenixDKIM never reads /etc/opendkim, so it coexists with an OpenDKIM install.
Library libphoenixdkim (SONAME libphoenixdkim.so.0); Lua policy API pdkim.* (odkim.* kept as a deprecated alias).
Configuration keywords and the KeyTable / SigningTable formats are unchanged, so configurations port across with minimal edits.
Built with libcurl (-DWITH_CURL=ON):
http: / https: and HashiCorp Vault (vault:) data-set backends, plus Redis — for keys that live outside flat files. Point the HTTP backend at a small bridge to reach SQL or LDAP.
Zero-downtime key rotation: a Vault secret can list several currently-valid selectors, and PhoenixDKIM signs with all of them at once — old and new, RSA and Ed25519 — across the overlap, so a key roll needs no flag day. The secret layout matches Rspamd's, so the same store signs in both.
RSA-SHA1 signing removed; an RSA-SHA1 signature is never treated as valid on verification (reported dkim=neutral, never dkim=pass, per RFC 8301).
2048-bit minimum RSA signing key; unmaintained subsystems (LDAP, SQL, BerkeleyDB, VBR, ATPS, RBL, reputation, statistics, ADSP, GnuTLS) removed — see Removed Features.
Full notes: 1.0.0-beta1 release notes; source and signatures on the Download page.