Security

We do all we can to keep PhoenixDKIM secure. As an Internet-facing daemon that processes mail directly from external networks, security is a primary concern for this project. Even so, it is possible that you may spot a weakness we have missed. If you do, please let us know so we can address it quickly.

Reporting security problems is known as vulnerability disclosure (also known as coordinated vulnerability disclosure and responsible disclosure).

This is not an invitation to scan and test our infrastructure for weaknesses — we are doing that ourselves. We are interested specifically in weaknesses in the PhoenixDKIM source code and the libraries it depends on.

How to report a problem

Other important points

What you do not need to report

Known issues

Some issues are already known to us and are being worked on, or have been assessed and accepted as risks. Duplicate reports of these will not result in any action. Our security contact is aware of them.

What we will do

security.txt

RFC 9116 defines a straightforward mechanism for organisations to publish their vulnerability disclosure policy and contact details in a machine-readable format. We follow this internet standard. Our security.txt file is available at https://www.phoenixdkim.org/.well-known/security.txt.