PhoenixDKIM is a DKIM signing and verifying milter built around modern cryptography, safe defaults, and verifiable builds. The highlights below are the features that matter most when you run it.
Cryptography | Key management | Safe defaults | Observability | Extensible | Reproducible builds
Key sources include an http:/https: service and HashiCorp Vault (vault:), and all sources are interchangeable.

Weak algorithms and keys are handled per RFC 8301: a signature that fails those checks verifies as dkim=neutral, never dkim=pass, and On-WeakAlgorithm chooses only the message disposition, not the recorded result.

Builds are hardened with the standard toolchain mitigations (_FORTIFY_SOURCE, stack-protector and stack-clash protection, a non-executable stack, and Intel CET where the hardware supports it).

A signature whose key record is not DNSSEC-protected can be penalised (UnprotectedKey), a control most DKIM implementations don't expose. It works with the stock validating resolver via the reply's AD bit, so libunbound is not required. A missing AD bit is treated as ambiguous rather than "insecure": before penalising a signature, PhoenixDKIM runs a DNSSECProbe (modelled on Postfix's dnssec_probe) to confirm the resolver actually validates, logs the disposition it applies, and suppresses the penalty when validation can't be confirmed, so a non-validating resolver never silently fails every message.

Metrics are exported through a node_exporter text file, a /metrics HTTP endpoint, and a StatsD UDP pusher, all dependency-free and off until you configure them. Scrape the milter directly, hand the file to the node_exporter text-file collector, or push over UDP, whichever suits your stack. The counters cover messages, signatures (by result and algorithm), verifications (by RFC 8601 result), and DNS queries, plus a DNS-latency histogram. An OpenTelemetry Collector can ingest any of them, so the numbers reach Grafana, Datadog, and the rest without a native exporter in the daemon.

Each message also produces one key=value log entry (action, result, domain, algorithm), the human-readable companion to the counters and a natural feed for log-based tooling.

The /metrics endpoint is strictly opt-in, has no authentication or TLS of its own, and is meant to be bound to loopback or a trusted management address (put a reverse proxy in front if you need auth or TLS).
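The RFC 8301 rule described above (a weak algorithm or key yields dkim=neutral, never dkim=pass, while On-WeakAlgorithm only selects the disposition) is illustrated by the following added example. It is not PhoenixDKIM's code: the function names, the policy knob on_weak_algorithm and its assumed values "accept", "quarantine" and "reject" are this example's own, and the key records are constructed in-line with a synthetic modulus so the example runs offline without real key material. No signature is cryptographically verified here; the example only shows the gate that runs before verification.

```python
"""RFC 8301 gate: weak DKIM algorithms/keys verify as dkim=neutral, never pass.
Added example, not PhoenixDKIM's code. Names and policy values are assumptions;
the key record is constructed with a synthetic modulus (not a real key)."""
import base64

RSA_MIN_BITS = 1024             # RFC 8301: verifiers MUST NOT accept RSA keys below 1024 bits
DEPRECATED_ALGS = {"rsa-sha1"}  # RFC 8301: rsa-sha1 must no longer be used for verification


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature value or key record);
    whitespace inside values (folded base64) is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def rsa_modulus_bits(p_b64: str) -> int:
    """Modulus size inside a base64 SubjectPublicKeyInfo (the p= tag), read with a
    minimal DER walk: SPKI -> BIT STRING -> RSAPublicKey -> INTEGER n."""
    def read(buf, pos):
        tag, ln = buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        return tag, buf[pos:pos + ln], pos + ln

    spki = base64.b64decode(p_b64)
    _, body, _ = read(spki, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _alg, pos = read(body, 0)            # AlgorithmIdentifier (skipped)
    tag, bits, _ = read(body, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("p= is not an RSA SubjectPublicKeyInfo")
    _, rsa, _ = read(bits[1:], 0)           # drop the unused-bits octet
    tag, n, _ = read(rsa, 0)                # modulus INTEGER (may carry a leading 0x00)
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big").bit_length()


def constructed_key_record(modulus_bits: int) -> str:
    """Constructed test data: a DKIM key record whose p= is a well-formed RSA SPKI
    carrying a synthetic modulus of the requested size (not a real key)."""
    def der(tag, content):
        n = len(content)
        if n < 0x80:
            length = bytes([n])
        else:
            nb = (n.bit_length() + 7) // 8
            length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
        return bytes([tag]) + length + content

    def der_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return der(0x02, b"\x00" + b if b[0] & 0x80 else b)

    n = (1 << (modulus_bits - 1)) | 1       # top bit set and odd: right size, not a real key
    rsa_pub = der(0x30, der_int(n) + der_int(65537))
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    alg_id = der(0x30, rsa_oid + der(0x05, b""))
    spki = der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def rfc8301_gate(sig_header: str, key_record: str):
    """Return (result, reason): ("neutral", why) for a weak signature or key, or
    (None, why) when the signature may go on to cryptographic verification."""
    alg = parse_tags(sig_header).get("a", "").lower()
    if alg in DEPRECATED_ALGS:
        return "neutral", f"{alg} is deprecated by RFC 8301"
    if alg.startswith("rsa-"):
        bits = rsa_modulus_bits(parse_tags(key_record)["p"])
        if bits < RSA_MIN_BITS:
            return "neutral", f"{bits}-bit RSA key is below the RFC 8301 minimum of {RSA_MIN_BITS}"
    return None, "algorithm and key size acceptable"


def disposition(result, on_weak_algorithm: str) -> str:
    """Pick what happens to the message. Only the disposition depends on the policy;
    a weak signature's recorded result stays "neutral" whatever the policy says."""
    if on_weak_algorithm not in ("accept", "quarantine", "reject"):
        raise ValueError(f"unknown on_weak_algorithm value {on_weak_algorithm!r}")
    if result is None:
        return "verify"     # not weak: run the real verification and decide on its outcome
    return on_weak_algorithm


# Constructed sample signatures (bh=/b= are placeholders; nothing is verified here).
SIG_SHA1 = "v=1; a=rsa-sha1; d=example.com; s=sel; h=from:to:subject; bh=Cg==; b=Cg=="
SIG_SHA256 = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; bh=Cg==; b=Cg=="
SIG_ED25519 = "v=1; a=ed25519-sha256; d=example.com; s=ed; h=from:to:subject; bh=Cg==; b=Cg=="

if __name__ == "__main__":
    for sig, key in [(SIG_SHA1, constructed_key_record(2048)), (SIG_SHA256, constructed_key_record(512)),
                     (SIG_SHA256, constructed_key_record(2048)), (SIG_ED25519, "v=DKIM1; k=ed25519; p=Cg==")]:
        result, why = rfc8301_gate(sig, key)
        print(f"result={result or 'pending'} disposition={disposition(result, 'reject')} ({why})")
```

The point to notice is that rfc8301_gate never returns "pass" and disposition never changes the result: setting the policy to "accept" delivers the message, but it still carries dkim=neutral, which is what downstream DMARC evaluation will see.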
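The AD-bit and DNSSECProbe logic described above is shown in the following added example, which is not PhoenixDKIM's code. It reads the AD bit from a raw DNS reply header, confirms that the resolver validates by querying an RRset known to be signed (the root NS set) in the spirit of Postfix's dnssec_probe, and penalises an unprotected key only when that confirmation succeeds; a missing AD bit from an unconfirmed resolver is "ambiguous" and the penalty is suppressed. DNS replies are constructed in-line (headers only) so it runs offline; DnssecProbe, key_protection, evaluate and the penalise_unprotected flag are this example's own names.

```python
"""DNSSEC-aware handling of a DKIM key lookup: AD bit plus a resolver probe.
Added example, not PhoenixDKIM's code. Replies are constructed in-line; the
class and function names are this example's own."""
import struct

AD_FLAG = 0x0020  # Authenticated Data bit in the DNS header flags word (RFC 4035)


def ad_bit_set(reply: bytes) -> bool:
    """Return True when the 12-byte DNS header of a raw reply carries the AD bit."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", reply[:4])
    return bool(flags & AD_FLAG)


def make_reply(*, ad: bool) -> bytes:
    """Constructed test data: a minimal DNS response header with QR/RD/RA set,
    one question, no records, and the AD bit as requested."""
    flags = 0x8180 | (AD_FLAG if ad else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


class DnssecProbe:
    """Confirm that the configured resolver validates: ask for an RRset known to be
    signed (here the root NS set) and check the reply for AD. The answer is cached;
    any failure (timeout, SERVFAIL, malformed reply) counts as 'cannot confirm'."""

    def __init__(self, query, name=".", rtype="NS"):
        self._query = query      # callable(name, rtype) -> raw reply bytes
        self._name, self._rtype = name, rtype
        self._validates = None

    def resolver_validates(self) -> bool:
        if self._validates is None:
            try:
                self._validates = ad_bit_set(self._query(self._name, self._rtype))
            except (OSError, ValueError):
                self._validates = False
        return self._validates


def key_protection(key_reply: bytes, probe: DnssecProbe) -> str:
    """Classify the DNSSEC status of a DKIM key-record reply."""
    if ad_bit_set(key_reply):
        return "secure"      # resolver validated the key record
    if probe.resolver_validates():
        return "insecure"    # validating resolver, no AD: the record is not DNSSEC-protected
    return "ambiguous"       # non-validating (or unconfirmed) resolver: AD tells us nothing


def evaluate(key_reply: bytes, probe_reply, penalise_unprotected: bool = True) -> dict:
    """Decide whether the unprotected-key penalty applies and what to log.
    probe_reply=None simulates a probe query that times out."""
    def query(_name, _rtype):
        if probe_reply is None:
            raise TimeoutError("probe query timed out")
        return probe_reply

    protection = key_protection(key_reply, DnssecProbe(query))
    penalised = penalise_unprotected and protection == "insecure"
    if protection == "ambiguous":
        note = "no AD bit and resolver validation unconfirmed; penalty suppressed"
    elif penalised:
        note = "key record not DNSSEC-protected; penalty applied"
    else:
        note = "no penalty"
    return {"protection": protection, "penalised": penalised, "note": note}


if __name__ == "__main__":
    for label, key, probe in [
        ("validating resolver, signed zone", make_reply(ad=True), make_reply(ad=True)),
        ("validating resolver, unsigned zone", make_reply(ad=False), make_reply(ad=True)),
        ("non-validating resolver", make_reply(ad=False), make_reply(ad=False)),
        ("probe timed out", make_reply(ad=False), None),
    ]:
        print(f"{label}: {evaluate(key, probe)}")
```

Only the second scenario is penalised: in the last two the resolver either does not validate or cannot be shown to, so applying the penalty there would fail every signature regardless of the signing domain's DNSSEC status. A real probe would send the query over the configured resolver and cache the answer for its lifetime rather than re-probing per message.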