# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details


# To configure this module, please also check the following document:
# https://rspamd.com/doc/tutorials/scanning_outbound.html and
# https://rspamd.com/doc/modules/dkim_signing.html

# To enable this module define the following attributes:
# path = "/var/lib/rspamd/dkim/$domain.$selector.key";
# OR
# domain { ... }, if you use per-domain conf
# OR
# set `use_redis=true;` and define redis servers

dkim_signing {
  # If false, messages with empty envelope from are not signed
  allow_envfrom_empty = true;
  # If true, envelope/header domain mismatch is ignored
  allow_hdrfrom_mismatch = false;
  # If true, multiple from headers are allowed (but only first is used)
  allow_hdrfrom_multiple = false;
  # If true, username does not need to contain matching domain
  allow_username_mismatch = false;
  # If false, messages from authenticated users are not selected for signing
  auth_only = true;
  # Default path to key, can include '$domain' and '$selector' variables
  #path = "/var/lib/rspamd/dkim/$domain.$selector.key";
  # Default selector to use
  selector = "dkim";
  # If false, messages from local networks are not selected for signing
  sign_local = true;
  # Symbol to add when message is signed
  symbol = "DKIM_SIGNED";
  # Whether to fallback to global config
  try_fallback = true;
  # Domain to use for DKIM signing: can be "header" or "envelope"
  use_domain = "header";
  # Whether to normalise domains to eSLD
  use_esld = true;
  # Whether to get keys from Redis
  use_redis = false;
  # Hash for DKIM keys in Redis
  key_prefix = "DKIM_KEYS";

  # Domain specific settings
  #domain {
  #  example.com {
  #    selectors [
  #      { # Private key path
  #        path = "/var/lib/rspamd/dkim/example.key";
  #        # Selector
  #        selector = "ds";
  #      },
  #      { # multiple dkim signature
  #        path = "/var/lib/rspamd/dkim/eddsa.key";
  #        selector = "eddsa";
  #      }
  #    ]
  #  }
  #}



  .include(try=true,priority=5) "${DBDIR}/dynamic/dkim_signing.conf"
  .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/dkim_signing.conf"
  .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/dkim_signing.conf"
}