✨(dkim) add an optional DKIM verification just before sending emails (#434)

sylvinus · web-flow · commit 85a858532329 · 2025-11-23T17:09:46.000+01:00
This will catch the case where people try to send email before having
correctly configured their DNS, and would also avoid unwanted sends
of messages not supposed to go out.
diff --git a/src/backend/core/mda/outbound.py b/src/backend/core/mda/outbound.py
@@ -21,7 +21,7 @@
     create_reply_message,
     parse_email_message,
 )
-from core.mda.signing import sign_message_dkim
+from core.mda.signing import sign_message_dkim, verify_message_dkim
 from core.mda.smtp import send_smtp_mail
 
 logger = logging.getLogger(__name__)
@@ -424,6 +424,28 @@ def _mark_delivered(
                 external_recipients.add(recipient_email)
 
         if external_recipients:
+            # Verify DKIM signature if enabled (only for external recipients)
+            if settings.MESSAGES_DKIM_VERIFY_OUTGOING:
+                sender_domain = message.sender.mailbox.domain
+
+                if not verify_message_dkim(blob_content):
+                    error_msg = (
+                        f"DKIM verification failed for domain {sender_domain.name}"
+                    )
+                    logger.warning(
+                        "DKIM verification failed for message %s (domain: %s), marking recipients for retry",
+                        message.id,
+                        sender_domain.name,
+                    )
+                    for recipient_email in external_recipients:
+                        _mark_delivered(recipient_email, False, False, error_msg, True)
+                    return
+                logger.info(
+                    "DKIM verification successful for message %s (domain: %s)",
+                    message.id,
+                    sender_domain.name,
+                )
+
             try:
                 statuses = send_outbound_message(
                     external_recipients, message, blob_content
diff --git a/src/backend/core/mda/signing.py b/src/backend/core/mda/signing.py
@@ -1,12 +1,14 @@
-"""Handles DKIM signing of email messages."""
+"""Handles DKIM signing and verification of email messages."""
 
 import base64
 import logging
 from typing import Optional
 
+import dns.resolver
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from dkim import sign as dkim_sign
+from dkim import verify as dkim_verify
 
 from core.enums import DKIMAlgorithmChoices
 
@@ -113,3 +115,60 @@ def sign_message_dkim(raw_mime_message: bytes, maildomain) -> Optional[bytes]:
     except Exception as e:  # pylint: disable=broad-exception-caught
         logger.error("Error during DKIM signing for domain %s: %s", domain, e)
         return None
+
+
+def verify_message_dkim(raw_mime_message: bytes) -> bool:
+    """Verify a DKIM signature on a raw MIME message using public DNS.
+
+    This verifies that the DKIM signature will pass validation when the receiving
+    server checks it via DNS, ensuring the signature is valid and the DNS records
+    are correctly configured.
+
+    Args:
+        raw_mime_message: The raw bytes of the MIME message with DKIM signature.
+
+    Returns:
+        True if the DKIM signature is valid, False otherwise.
+    """
+    try:
+        # Create a DNS function that performs actual DNS lookups
+        def get_dns_txt(fqdn, **kwargs):
+            # Convert FQDN to string if it's bytes
+            fqdn_str = fqdn.decode("ascii") if isinstance(fqdn, bytes) else fqdn
+            # Remove trailing dot if present
+            if fqdn_str.endswith("."):
+                fqdn_str = fqdn_str[:-1]
+
+            try:
+                # Query DNS for TXT records
+                answers = dns.resolver.resolve(fqdn_str, "TXT", lifetime=10)
+                # Combine all TXT record strings (TXT records can be split across multiple strings)
+                txt_values = []
+                for answer in answers:
+                    # answer.strings is a list of bytes, join them
+                    txt_value = b"".join(answer.strings)
+                    txt_values.append(txt_value)
+
+                # Return the first TXT record value (DKIM should only have one)
+                if txt_values:
+                    return txt_values[0]
+            except (
+                dns.resolver.NXDOMAIN,
+                dns.resolver.NoAnswer,
+                dns.resolver.NoNameservers,
+            ):
+                # Domain or record doesn't exist
+                logger.warning("DNS lookup error for %s", fqdn_str)
+                return None
+            except dns.resolver.Timeout:
+                logger.warning("DNS timeout while looking up DKIM record: %s", fqdn_str)
+                return None
+
+            return None
+
+        # Verify the DKIM signature using public DNS
+        return dkim_verify(raw_mime_message, dnsfunc=get_dns_txt)
+
+    except Exception as e:  # pylint: disable=broad-exception-caught
+        logger.error("Error during DKIM verification: %s", e, exc_info=True)
+        return False
diff --git a/src/backend/core/tests/mda/test_outbound.py b/src/backend/core/tests/mda/test_outbound.py
@@ -1,5 +1,5 @@
 """Tests for the core.mda.outbound module."""
-# pylint: disable=unused-argument
+# pylint: disable=unused-argument,too-many-lines
 
 import threading
 import time
@@ -13,6 +13,7 @@
 
 from core import enums, factories, models
 from core.mda import outbound
+from core.mda.signing import generate_dkim_key, sign_message_dkim
 
 SCHEMA_CUSTOM_ATTRIBUTES = {
     "$schema": "https://json-schema.org/draft/2020-12/schema",
@@ -827,3 +828,224 @@ def test_prepare_outbound_message_with_only_signature(
             "Best regards,<br>John Doe<br>Software Engineer<br>Engineering</p>"
             in content
         )
+
+
+@pytest.mark.django_db
+class TestSendMessageDKIMVerification:
+    """Test DKIM verification in send_message."""
+
+    @override_settings(MESSAGES_DKIM_VERIFY_OUTGOING=True)
+    @patch("core.mda.signing.dns.resolver.resolve")
+    @patch("core.mda.outbound.send_outbound_message")
+    def test_dkim_verification_success(
+        self, mock_send_outbound, mock_dns_resolve, mailbox_sender
+    ):
+        """Test that DKIM verification succeeds and message is sent."""
+        # Create a message with external recipient
+        thread = factories.ThreadFactory()
+        factories.ThreadAccessFactory(
+            mailbox=mailbox_sender,
+            thread=thread,
+            role=enums.ThreadAccessRoleChoices.EDITOR,
+        )
+        sender_contact = factories.ContactFactory(mailbox=mailbox_sender)
+        message = factories.MessageFactory(
+            thread=thread,
+            sender=sender_contact,
+            is_draft=False,
+            is_sender=True,
+            subject="Test DKIM",
+        )
+
+        private_key, public_key = generate_dkim_key(key_size=1024)
+        dkim_key = models.DKIMKey.objects.create(
+            selector="testselector",
+            private_key=private_key,
+            public_key=public_key,
+            key_size=1024,
+            is_active=True,
+            domain=mailbox_sender.domain,
+        )
+
+        # Prepare and sign the message
+        domain_name = mailbox_sender.domain.name
+        raw_mime = f"From: test@{domain_name}\r\nTo: external@other.com\r\nSubject: Test\r\n\r\nBody\r\n".encode()
+        signature_header = sign_message_dkim(raw_mime, mailbox_sender.domain)
+        signed_mime = signature_header + b"\r\n" + raw_mime
+
+        # Create blob with signed message
+        blob = mailbox_sender.create_blob(
+            content=signed_mime, content_type="message/rfc822"
+        )
+        message.blob = blob
+        message.save()
+
+        # Add external recipient
+        external_contact = factories.ContactFactory(
+            mailbox=mailbox_sender, email="external@other.com"
+        )
+        factories.MessageRecipientFactory(
+            message=message,
+            contact=external_contact,
+            type=models.MessageRecipientTypeChoices.TO,
+        )
+
+        # Mock DNS to return the DKIM public key
+        def mock_dns_resolve_func(query_name, record_type, **kwargs):
+            expected_fqdn = f"testselector._domainkey.{domain_name}"
+            if record_type == "TXT" and query_name == expected_fqdn:
+                mock_answer = MagicMock()
+                mock_answer.strings = [
+                    f"v=DKIM1; k=rsa; p={dkim_key.public_key}".encode()
+                ]
+                return [mock_answer]
+            raise dns.resolver.NoAnswer()
+
+        mock_dns_resolve.side_effect = mock_dns_resolve_func
+
+        # Mock successful send
+        mock_send_outbound.return_value = {"external@other.com": {"delivered": True}}
+
+        # Send the message
+        outbound.send_message(message)
+
+        # Verify DNS was queried for DKIM record
+        assert mock_dns_resolve.called
+
+        # Verify message was sent (not marked for retry)
+        message.refresh_from_db()
+        recipient = message.recipients.first()
+        assert recipient.delivery_status == enums.MessageDeliveryStatusChoices.SENT
+        assert mock_send_outbound.called
+
+    @override_settings(MESSAGES_DKIM_VERIFY_OUTGOING=True)
+    @patch("core.mda.signing.dns.resolver.resolve")
+    @patch("core.mda.outbound.send_outbound_message")
+    def test_dkim_verification_failure_marks_for_retry(
+        self, mock_send_outbound, mock_dns_resolve, mailbox_sender
+    ):
+        """Test that DKIM verification failure marks recipients for retry."""
+        # Create a message with external recipient
+        thread = factories.ThreadFactory()
+        factories.ThreadAccessFactory(
+            mailbox=mailbox_sender,
+            thread=thread,
+            role=enums.ThreadAccessRoleChoices.EDITOR,
+        )
+        sender_contact = factories.ContactFactory(mailbox=mailbox_sender)
+        message = factories.MessageFactory(
+            thread=thread,
+            sender=sender_contact,
+            is_draft=False,
+            is_sender=True,
+            subject="Test DKIM",
+        )
+
+        private_key, public_key = generate_dkim_key(key_size=1024)
+        _dkim_key = models.DKIMKey.objects.create(
+            selector="testselector",
+            private_key=private_key,
+            public_key=public_key,
+            key_size=1024,
+            is_active=True,
+            domain=mailbox_sender.domain,
+        )
+
+        # Prepare and sign the message
+        domain_name = mailbox_sender.domain.name
+        raw_mime = f"From: test@{domain_name}\r\nTo: external@other.com\r\nSubject: Test\r\n\r\nBody\r\n".encode()
+        signature_header = sign_message_dkim(raw_mime, mailbox_sender.domain)
+        signed_mime = signature_header + b"\r\n" + raw_mime
+
+        # Create blob with signed message
+        blob = mailbox_sender.create_blob(
+            content=signed_mime, content_type="message/rfc822"
+        )
+        message.blob = blob
+        message.save()
+
+        # Add external recipient
+        external_contact = factories.ContactFactory(
+            mailbox=mailbox_sender, email="external@other.com"
+        )
+        recipient = factories.MessageRecipientFactory(
+            message=message,
+            contact=external_contact,
+            type=models.MessageRecipientTypeChoices.TO,
+        )
+
+        # Mock DNS to fail (no DKIM record found)
+        mock_dns_resolve.side_effect = dns.resolver.NoAnswer()
+
+        # Send the message
+        outbound.send_message(message)
+
+        # Verify DNS was queried
+        assert mock_dns_resolve.called
+
+        # Verify message was NOT sent
+        assert not mock_send_outbound.called
+
+        # Verify recipient was marked for retry
+        recipient.refresh_from_db()
+        assert recipient.delivery_status == enums.MessageDeliveryStatusChoices.RETRY
+        assert recipient.retry_at is not None
+        assert "DKIM verification failed" in recipient.delivery_message
+
+    @override_settings(MESSAGES_DKIM_VERIFY_OUTGOING=True)
+    @patch("core.mda.signing.dns.resolver.resolve")
+    @patch("core.mda.outbound.deliver_inbound_message")
+    def test_dkim_verification_skipped_for_internal_recipients(
+        self, mock_deliver_inbound, mock_dns_resolve, mailbox_sender
+    ):
+        """Test that DKIM verification is skipped for internal recipients."""
+        # Create a message with internal recipient
+        thread = factories.ThreadFactory()
+        factories.ThreadAccessFactory(
+            mailbox=mailbox_sender,
+            thread=thread,
+            role=enums.ThreadAccessRoleChoices.EDITOR,
+        )
+        sender_contact = factories.ContactFactory(mailbox=mailbox_sender)
+        message = factories.MessageFactory(
+            thread=thread,
+            sender=sender_contact,
+            is_draft=False,
+            is_sender=True,
+            subject="Test DKIM",
+        )
+
+        # Create blob with message
+        domain_name = mailbox_sender.domain.name
+        raw_mime = f"From: test@{domain_name}\r\nTo: internal@{domain_name}\r\nSubject: Test\r\n\r\nBody\r\n".encode()
+        blob = mailbox_sender.create_blob(
+            content=raw_mime, content_type="message/rfc822"
+        )
+        message.blob = blob
+        message.save()
+
+        # Add internal recipient (same domain)
+        # Create mailbox with matching local_part
+        internal_mailbox = factories.MailboxFactory(
+            domain=mailbox_sender.domain, local_part="internal"
+        )
+        internal_contact = factories.ContactFactory(
+            mailbox=internal_mailbox, email=f"internal@{domain_name}"
+        )
+        factories.MessageRecipientFactory(
+            message=message,
+            contact=internal_contact,
+            type=models.MessageRecipientTypeChoices.TO,
+        )
+
+        # Mock internal delivery
+        mock_deliver_inbound.return_value = True
+
+        # Send the message
+        outbound.send_message(message)
+
+        # Verify DNS was NOT queried (DKIM verification skipped for internal)
+        assert not mock_dns_resolve.called
+
+        # Verify internal delivery was attempted
+        assert mock_deliver_inbound.called
diff --git a/src/backend/messages/settings.py b/src/backend/messages/settings.py
@@ -331,6 +331,13 @@ class Base(Configuration):
         "stmessages", environ_name="MESSAGES_DKIM_DEFAULT_SELECTOR", environ_prefix=None
     )
 
+    # DKIM verification settings
+    MESSAGES_DKIM_VERIFY_OUTGOING = values.BooleanValue(
+        default=False,
+        environ_name="MESSAGES_DKIM_VERIFY_OUTGOING",
+        environ_prefix=None,
+    )
+
     # Technical domain for DNS records (MX, SPF, DKIM hosting)
     MESSAGES_TECHNICAL_DOMAIN = values.Value(
         "localhost", environ_name="MESSAGES_TECHNICAL_DOMAIN", environ_prefix=None
