sk_dkim : Deterministic DKIM Key Generation
Table of Contents
Introduction
sk_dkim is a Rust library designed to generate DomainKeys Identified Mail (DKIM) keys and DNS TXT records deterministically. Instead of managing and storing private key files for every domain, you can derive the necessary Ed25519 keys on-the-fly using a single secret seed (Secret Key) combined with the domain name and selector.
This approach simplifies key management, especially for services managing DKIM for multiple domains, as it eliminates the need for stateful storage of private keys.
Usage
Add sk_dkim to your Cargo.toml:
[]
= { = "0.1.1", = ["pk"] }
Note: The
pkfeature is required to generate the formatted TXT record string.
Example
use Sk;
Design
The core philosophy of sk_dkim is determinism.
- Initialization: The
Skstruct is initialized with a base secret seed. This seed initializes aBLAKE3hasher. - Derivation: When
dkim(selector, domain)is called, the hasher is cloned and updated with theselectoranddomain. - Key Generation: The final hash digest is used as the seed to generate an Ed25519 signing key.
- Output: The public part of the key is encoded in Base64 and formatted into a standard DKIM TXT record.
This process ensures that as long as the secret seed remains constant, the generated DKIM keys for any given domain will always be the same.
API Reference
struct Sk
The main entry point for key generation.
-
Sk::new(sk: impl AsRef<[u8]>) -> SelfCreates a newSkinstance using the provided secret seed. -
Sk::dkim(&self, prefix: impl AsRef<str>, host: impl AsRef<str>) -> DkimDerives aDkiminstance for the specified selector (prefix) and domain (host).
struct Dkim
Represents the generated DKIM key pair.
-
pub sk: ed25519_dalek::SigningKeyThe underlying Ed25519 signing key. -
Dkim::txt(&self) -> String(Requirespkfeature) Returns the formatted DKIM DNS TXT record string (e.g.,v=DKIM1;k=ed25519;p=...).
Tech Stack
- Rust: Core language.
- ed25519-dalek: Fast and secure Ed25519 key generation and signing.
- blake3: Cryptographic hashing for deterministic key derivation.
- base64: Encoding the public key for DNS records.
Directory Structure
.
├── Cargo.toml # Project configuration and dependencies
├── readme/ # Documentation
│ ├── en.md # English README
│ └── zh.md # Chinese README
├── src/ # Source code
│ └── lib.rs # Library entry point and implementation
├── tests/ # Integration tests
│ └── main.rs # Usage demonstration and testing
└── test.sh # Test execution script
History & Trivia
DKIM (DomainKeys Identified Mail) was formed in 2007 through the merger of two separate email authentication protocols: DomainKeys by Yahoo! and Identified Internet Mail (IIM) by Cisco. It became an IETF standard in 2011 (RFC 6376).
Ed25519, the algorithm used by this library, is a high-performance public-key signature system introduced in 2011 by Daniel J. Bernstein and his team. It is based on Curve25519 and offers significant security and performance advantages over older algorithms like RSA.
The intersection of these two technologies occurred with RFC 8463 in 2018, which officially added support for Ed25519 in DKIM signatures. This was a significant step forward, as Ed25519 keys are much shorter than RSA keys of equivalent strength, making them far easier to fit into DNS TXT records without hitting size limits.
About
This project is an open-source component of js0.site ⋅ Refactoring the Internet Plan.
We are redefining the development paradigm of the Internet in a componentized way. Welcome to follow us:
sk_dkim : 基于密钥的确定性 DKIM 密钥生成
目录
简介
sk_dkim 是一个 Rust 库,用于确定性地生成 DomainKeys Identified Mail (DKIM) 密钥和 DNS TXT 记录。无需为每个域名单独管理和存储私钥文件,只需使用一个主密钥种子 (Secret Key),结合域名和选择器 (Selector),即可实时派生出所需的 Ed25519 密钥。
这种方法极大地简化了密钥管理,特别是对于需要为大量域名提供 DKIM 签名的服务,彻底消除了对私钥状态存储的需求。
使用方法
在 Cargo.toml 中添加 sk_dkim:
[]
= { = "0.1.1", = ["pk"] }
注意:生成格式化的 TXT 记录字符串需要开启
pk特性。
演示代码
use Sk;
设计思路
sk_dkim 的核心理念是确定性。
- 初始化:
Sk结构体使用基础的主密钥种子进行初始化。该种子用于初始化一个BLAKE3哈希器。 - 派生:调用
dkim(selector, domain)时,克隆哈希器并利用selector和domain更新哈希状态。 - 密钥生成:最终的哈希摘要作为种子,用于生成 Ed25519 签名密钥。
- 输出:公钥部分经过 Base64 编码,并格式化为标准的 DKIM TXT 记录。
此流程确保只要主密钥种子保持不变,对于给定的域名,生成的 DKIM 密钥将始终一致。
API 参考
struct Sk
密钥生成的主要入口点。
-
Sk::new(sk: impl AsRef<[u8]>) -> Self使用提供的主密钥种子创建一个新的Sk实例。 -
Sk::dkim(&self, prefix: impl AsRef<str>, host: impl AsRef<str>) -> Dkim为指定的选择器 (prefix) 和域名 (host) 派生一个Dkim实例。
struct Dkim
表示生成的 DKIM 密钥对。
-
pub sk: ed25519_dalek::SigningKey底层的 Ed25519 签名密钥。 -
Dkim::txt(&self) -> String(需要pk特性) 返回格式化的 DKIM DNS TXT 记录字符串 (例如v=DKIM1;k=ed25519;p=...)。
技术栈
- Rust: 核心开发语言。
- ed25519-dalek: 高效且安全的 Ed25519 密钥生成与签名。
- blake3: 用于确定性密钥派生的加密哈希算法。
- base64: 用于 DNS 记录的公钥编码。
目录结构
.
├── Cargo.toml # 项目配置与依赖
├── readme/ # 文档目录
│ ├── en.md # 英文说明文档
│ └── zh.md # 中文说明文档
├── src/ # 源代码
│ └── lib.rs # 库入口与实现
├── tests/ # 集成测试
│ └── main.rs # 使用演示与测试
└── test.sh # 测试执行脚本
历史与趣闻
DKIM (DomainKeys Identified Mail) 诞生于 2007 年,由 Yahoo! 的 DomainKeys 和 Cisco 的 Identified Internet Mail (IIM) 两个独立的邮件认证协议合并而来。它于 2011 年正式成为 IETF 标准 (RFC 6376)。
本项目使用的 Ed25519 算法,是由 Daniel J. Bernstein 团队在 2011 年推出的高性能公钥签名系统。它基于 Curve25519,相比 RSA 等老旧算法,在安全性和性能上都有显著优势。
这两项技术的交汇点发生在 2018 年发布的 RFC 8463,该标准正式将 Ed25519 引入 DKIM 签名。这是一个重要的里程碑,因为 Ed25519 密钥比同等强度的 RSA 密钥短得多,这使得它们更容易放入 DNS TXT 记录中,而不会触及长度限制。
关于
本项目为 js0.site ⋅ 重构互联网计划 的开源组件。
我们正在以组件化的方式重新定义互联网的开发范式,欢迎关注: