PhoenixDKIM was born from OpenDKIM in early 2026, when no work was yet done on their develop branch (they have since picked up the ball after 8 years - go check it out).
I wanted to keep using OpenDKIM, a standalone DKIM milter, but didn't feel comfortable with it being unmaintained in an age of AI, where everyone can go dig up bugs and vulnerabilities for free on any open-source project.
For that reason I decided to fork OpenDKIM, cut away anything that seemed no longer useful, bring the project up to date, and bring in new features (or replace old features).
As a result, PhoenixDKIM:
- can sign and verify Ed25519, as well as RSA
- has been rewritten to use OpenSSL 3 (and it also works with OpenSSL 4)
- as well as LibreSSL
- uses LMDB as a backend instead of DBD
- can use Redis
- can use an HTTP/HTTPS backend, e.g. for HashiCorp Vault, but also to connect to your SQL database
- is DNSSEC aware and will report several DNSSEC statuses
- provides metrics for Prometheus and StatsD
- produces reproducible builds
- PhoenixDKIM has kept the OpenDKIM keytable and signingtable layout.
- PhoenixDKIM has gained the Rspamd vault layout.
- PhoenixDKIM installs its own binaries and has its own directories - it can live happily beside an OpenDKIM configuration and won't mess it up!
and much more
As a result, if you come from either one, PhoenixDKIM shouldn't be too hard to configure for testing.
Of course, first have a look at the [Removed Features](https://www.phoenixdkim.org/removed-features.html) page, to see what's missing from OpenDKIM.
And then have a look at the [Coming From..](https://www.phoenixdkim.org/coming-from.html) page, which covers some ground in case you come from OpenDKIM or Rspamd.
If you're starting from scratch, check out the [Quick Start](https://www.phoenixdkim.org/quickstart.html) page.
PhoenixDKIM has been tested with many hardening flags, strict-C flags, and sanitizers (ASAN, UBSAN, LSAN), and I have run the whole code base through AI myself to look for issues.
Though still in beta, because I would prefer more testing before releasing a proper release version, PhoenixDKIM is already running in the wild on a small scale.
Feedback is welcome via GitHub (edmundlod/PhoenixDKIM) or email if you prefer.
Thanks a ton!