{"id":19794572,"url":"https://github.com/realityripple/personaldkim","last_synced_at":"2026-05-09T20:47:44.048Z","repository":{"id":115016833,"uuid":"149854735","full_name":"RealityRipple/PersonalDKIM","owner":"RealityRipple","description":"🖊️ Add a DKIM header to your outgoing messages.","archived":false,"fork":false,"pushed_at":"2024-01-26T00:30:14.000Z","size":28,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-02-28T16:05:27.092Z","etag":null,"topics":["certificate","dkim","dkim-header","dns-record","openssl","pkcs","rsa-key","thunderbird"],"latest_commit_sha":null,"homepage":"https://realityripple.com/Software/Mozilla-Extensions/PersonalDKIM/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RealityRipple.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"custom":"https://realityripple.com/donate.php?itm=PersonalDKIM","patreon":"realityripple","ko_fi":"realityripple"}},"created_at":"2018-09-22T07:18:10.000Z","updated_at":"2024-04-10T11:12:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"2b3b9181-c480-4e81-a869-dbd41c17f02f","html_url":"https://github.com/RealityRipple/PersonalDKIM","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/RealityRipple/PersonalDKIM","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RealityRipple%2FPersonalDKIM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RealityRipple%2FPersonalDKIM/tags","release
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RealityRipple%2FPersonalDKIM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RealityRipple%2FPersonalDKIM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RealityRipple","download_url":"https://codeload.github.com/RealityRipple/PersonalDKIM/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RealityRipple%2FPersonalDKIM/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285852003,"owners_count":27242460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-22T02:00:05.934Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","dkim","dkim-header","dns-record","openssl","pkcs","rsa-key","thunderbird"],"created_at":"2024-11-12T07:13:37.120Z","updated_at":"2025-11-22T20:04:03.713Z","avatar_url":"https://github.com/RealityRipple.png","language":"JavaScript","funding_links":["https://realityripple.com/donate.php?itm=PersonalDKIM","https://patreon.com/realityripple","https://ko-fi.com/realityripple"],"categories":[],"sub_categories":[],"readme":"# PersonalDKIM\nAdd a DKIM header to your outgoing messages.\n\n#### Supports\n * Thunderbird [38.0.1 - 60.*]\n\n## Building\nSimply download the contents of the repository and pack the contents (sans git 
data) into a .zip file. Then, rename the file to .xpi and drag into the browser.\n\n## Download\nYou can grab the latest release from the [Official Web Site](//realityripple.com/Software/Mozilla-Extensions/PersonalDKIM/).\n\n## Caveats\nUnfortunately, there are currently multiple issues with PersonalDKIM's implementation.\n\u003e First off, the message body is not hashed in the case of HTML or mixed content messages (including plain-text with attachments). Additionally, the message type can not be determined in versions of Thunderbird below 52. For these messages, the body length to be hashed is set to \"0\". Thunderbird does not provide a fully formatted mail body during the send process.\n\n\u003e Secondly, many headers are not set in time for the signing process. Particularly the Date, Message-ID, and MIME headers. This means that the signed header list is limited to the To, From, and Subject entries in most cases.\n\n\u003e Third, replay attacks may be possible in situations where the body is not hashed, because the Date and Message-ID headers have not been set. The use of SPF is **highly** recommended to help combat this vulnerability.\n\n\u003e Fourth, Thunderbird does not like appending headers over a certain size, which means that 2048-bit and larger keys will not work as expected. The resulting signature is simply too long when large keys are used.\n\n\u003e Finally, at present, your Private Key is stored plainly in the Thunderbird config, not as a certificate. As far as I know, the certificates used for DKIM can not be imported into the Certificate Management system. Passwords are stored via Thunderbird's Password Manager, so if you're worried about security, please use a PKCS#5 or PKCS#8 encrypted key. You may also wish to use the `master password` feature.\n\nThe main thing I want to get across is that this extension is **not** secure. 
Do not use this extension for anything that requires cryptographic robustness, and do not reuse the Private Key for _anything_ else.\n\n## Generating Keys\nThe optimal key format is a 1024-bit SHA-2 RSA key in PKCS#1 or PKCS#8. The reason is that RSA is the only standard mentioned in the DKIM specification, so it has the widest chance of being recognized by DKIM verification tools around the world. The reason for the bit-size, as is mentioned in the fourth caveat above, is simply that Thunderbird doesn't like long header data. Anything less than 1024 bits is not considered secure, and 2048 is too much, and who knows what might happen if you try to make a 1536-bit key?\n\nThe best method for generating keys is probably OpenSSL, as always. You can use PuTTYgen, but you'll have to convert the Public Key for the DNS record and export the Private Key as an OpenSSH key (PKCS rather than PuTTY's own PPK format).\n\nThe final output should always be in PEM format, not DER.\n\n```SH\nopenssl genrsa -out priv.pem 1024\nopenssl rsa -in priv.pem -pubout -out pub.pem\n```\n\nThe contents of `pub.pem` will be used in your DNS record:\n\n```DNS\nselector._domainkey.host.tld 3600 IN TXT\n  \"v=DKIM1; k=rsa; p=[base64 contents of pub.pem]\"\n```\n\nThe `selector` value will be a kind of ID to mean that this key is being used, so make sure it's something unique. You'll use this value in the PersonalDKIM options.\n\nThe `host.tld` value is your domain name, of course. It should be the same domain name as your E-Mail address uses, but there are cases when it doesn't have to be.\n\nIf you're not using an RSA key, set the `k` value to the algorithm you used for key generation.\n\nThe `p` value will be the contents of your `pub.pem` file, or at least the contents that are Base64-encoded and surrounded by the dashed PEM header and footer. Make sure no lingering new lines are retained when making your DNS record.\n\nThe contents of `priv.pem` should not be modified. 
This file is the one you'll select as your Private Key in the PersonalDKIM options. If you want to protect the key, convert it to a PKCS#5 or encrypted PKCS#8 key.\n\n#### PKCS#5:\n```SH\nopenssl rsa -des3 -in priv.pem -out spriv5.pem\n```\n\n#### PKCS#8:\n```SH\nopenssl pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA1 -in priv.pem -out spriv8.pem\n```\n\nAt present, hmacWithSHA256 is not supported.\n\nYou can generate EC or DSA keys with OpenSSL in the same manner and convert them the same way.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frealityripple%2Fpersonaldkim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frealityripple%2Fpersonaldkim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frealityripple%2Fpersonaldkim/lists"}