3 June 2026
Beta2 is a security and feature update.
An out-of-bounds write in dkim_getsighdr_d() during the tag-scan phase of header serialisation has been fixed. All users of beta1 should upgrade.
StdoutLog / -O flag — redirect all log output to stdout for container deployments; no syslog required.
StrictSignAlgorithm — fail closed when the algorithm in a KeyTable entry does not match the key type; prevents accidentally signing with a weaker algorithm than intended.
DNSSEC validation probe — PhoenixDKIM tests at startup whether the configured resolver performs DNSSEC validation, so unprotected key lookups are flagged in Authentication-Results.
phoenixdkim-testkey now summarises the whole-KeyTable batch result in its exit status, suitable for health checks.
phoenixdkim-genkey prints the SHA-256 public key fingerprint so operators can confirm DNS publication.
Lua policy module enabled by default (WITH_LUA=ON).
Reproducible-build support; initial RPM spec for Fedora / RHEL COPR.
New warnings for RSA keys shorter than 2048 bits and for l= body-length signing; parse-time permerror signatures are annotated with a reason.
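The two conditions behind the new warnings above (an l= tag in a DKIM-Signature and an RSA key under 2048 bits) can also be checked independently of the filter. The following is an added example, not PhoenixDKIM code, and it does not reproduce the project's warning text; the function names, the sample header and the sample key are constructed for illustration, and the p= value is assumed to hold a DER SubjectPublicKeyInfo.

```python
import base64, re

def parse_tags(value):
    """Parse an RFC 6376 tag=value list; whitespace inside values is folding."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def _tlv(buf, pos):                         # one DER element -> (start, end) of content
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the RSA key in a p= tag (assumed SPKI DER)."""
    der = base64.b64decode(p_b64)
    spki, _ = _tlv(der, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, spki)            # skip AlgorithmIdentifier
    bitstr, _ = _tlv(der, alg_end)          # BIT STRING holding RSAPublicKey
    key, _ = _tlv(der, bitstr + 1)          # +1 skips the unused-bits octet
    start, end = _tlv(der, key)             # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(sig_header, key_record):          # findings for l= signing and short RSA keys
    sig, key, out = parse_tags(sig_header), parse_tags(key_record), []
    if "l" in sig:
        out.append(f"l={sig['l']}: body bytes past this count are unsigned")
    if key.get("k", "rsa") == "rsa" and key.get("p"):
        n = rsa_bits(key["p"])
        if n < 2048:
            out.append(f"RSA key is {n} bits (< 2048)")
    return out

def _der(tag, body):                        # minimal DER encoder, used only for sample data
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_key(bits):
    """Constructed, non-functional SPKI whose modulus has the given size."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()

# Constructed DKIM-Signature value with a folded line and an l= tag.
SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1; l=120;\r\n\th=from:to:subject; bh=AAAA; b=BBBB"
if __name__ == "__main__": print(audit(SIG, "v=DKIM1; k=rsa; p=" + constructed_key(1024)))
```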
Full notes: 1.0.0-beta2 release notes; source and signatures on the Download page.