DKIM Verifier is a security-critical email authentication extension. We take security vulnerabilities extremely seriously and follow responsible disclosure practices.
- Defense in Depth: Multi-layered security across authentication, analysis, and sanitization
- Privacy First: All analysis performed locally by default; no telemetry
- Fail Secure: Errors default to secure states (e.g., treat invalid signatures as failures)
- Least Privilege: Minimal permissions requested from Thunderbird
- Input Validation: All external inputs (email headers, DNS responses) rigorously validated
- Sandboxing: Dangerous content processed in isolated contexts
| Version | Supported | Thunderbird Versions |
|---|---|---|
| 7.x | Yes (Current) | 128.0 - 145.* |
| 6.x | Yes (Security fixes) | 115.0 - 145.* |
| < 6.0 | No | EOL |
Recommendation: Always use the latest version for best security.
DO NOT open public GitHub issues for security vulnerabilities.
- Preferred: Email to security contact (see `.well-known/security.txt`)
- Alternative: Private vulnerability report via GitHub Security Advisories
- Description: Clear explanation of the vulnerability
- Impact: What can an attacker do? Who is affected?
- Reproduction: Step-by-step instructions to reproduce
- Proof of Concept: Code/config demonstrating the issue (if available)
- Suggested Fix: Optional, but appreciated
- Disclosure Timeline: Your expectations for fixing and disclosure
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Development: Depends on severity (see below)
- Public Disclosure: After patch released + 7-14 days
| Severity | Examples | Response Time |
|---|---|---|
| Critical | Remote code execution, email content exfiltration | 24-48 hours |
| High | Authentication bypass, signature forgery | 7 days |
| Medium | Information disclosure, DoS | 30 days |
| Low | UI confusion, non-security bugs | 90 days |
We currently do not offer a bug bounty program. However:
- Security researchers will be credited in release notes (with permission)
- Acknowledgments in SECURITY.md hall of fame
- Our eternal gratitude
- DKIM Verification: RFC 6376 compliant, cryptographic signature validation
- SPF Verification: RFC 7208 compliant, sender authorization
- DMARC: Policy enforcement (existing module, enhanced in v7.0)
- BIMI: Brand indicator verification (planned v7.0)
- Phishing Detection: 25+ heuristics, brand impersonation detection
- Header Analysis: TLS downgrade detection, privacy leak identification
- DNSBL: 15+ spam/malware blacklist providers
- VirusTotal: URL/domain reputation checking (optional)
- Bayesian Filter: Adaptive spam classification
- Script Removal: Blocks JavaScript, VBScript, event handlers
- Form Neutralization: Prevents phishing credential harvesting
- Link Analysis: Detects homograph attacks, suspicious URLs
- Sandboxed Processing: Isolated email parsing and analysis
- DKIM Signing: Uses `tweetnacl-es6` (Ed25519/RSA)
- Key Storage: Secure DKIM key caching (optional)
- DNS Security: DNSSEC support via libunbound (optional)
- No Weak Crypto: No MD5, SHA-1, RC4, or export-grade ciphers
- Network Dependency: Email inherently requires network; cannot be truly offline
- Extension Permissions: Requires `messagesRead`, `storage`, `accountsRead` from Thunderbird
- DNS Trust: SPF/DKIM rely on DNS; DNSSEC recommended but optional
- Third-Party APIs: VirusTotal integration (optional) sends URLs to third party
- Rate Limiting: DNS lookups limited per RFC (max 10 for SPF)
- Timeout Protection: Analysis capped at 30 seconds
- Resource Limits: Prevents DoS via malicious email headers
- User Control: Optional features can be disabled in preferences
In Scope:
- Malicious email content (scripts, phishing, malware links)
- Forged email signatures (DKIM/SPF/DMARC bypass)
- Privacy leaks (IP exposure, tracking)
- Authentication bypass
- Extension privilege escalation
Out of Scope:
- Thunderbird core vulnerabilities (report to Mozilla)
- Physical access attacks
- Social engineering (outside email content)
- Zero-day exploits in dependencies (reported upstream)
- Enable DNSSEC: Use libunbound resolver for DNS validation
- Enable All Checks: SPF, DKIM, DMARC, phishing detection, Bayesian filter
- Auto-Update: Keep extension updated for latest security fixes
- Review Rules: Audit custom security rules periodically
- Train Bayesian: Improve spam detection by training on real emails
- Disable VirusTotal if you don't want URLs sent externally
- Disable Favicons to prevent external image loads
- Review Telemetry: Extension includes zero telemetry by default
- Use libunbound with DNSSEC for authenticated DNS
- Enable strict DMARC policy enforcement
- Set quarantine mode for suspicious emails
- Regularly review security logs (if enabled)
We gratefully acknowledge security researchers who have responsibly disclosed vulnerabilities:
No entries yet - be the first!
- Last Audit: 2025-11-22 (v7.0 pre-release)
- Scope: Full codebase review, dependency analysis, threat modeling
- Findings: 0 critical, 0 high, 2 medium (addressed in v7.0)
- No formal external audits conducted yet
- Seeking: Security firms interested in pro-bono extension audits
- Static Analysis: ESLint with security rules
- Type Safety: TypeScript checking via JSDoc
- Dependency Scanning: Manual review (no automated tools for WebExtensions yet)
- Code Review: All changes reviewed by maintainer
- RFC 6376 (DKIM): Full compliance
- RFC 7208 (SPF): Full compliance (v7.0)
- RFC 7489 (DMARC): Partial (enhanced in v7.0)
- RFC 9116 (security.txt): Implemented (v7.0)
- GDPR: No personal data collection
- Zero Telemetry: No analytics or tracking
- Local Processing: All analysis on-device
- Type Safety: JSDoc + TypeScript checking
- Memory Safety: JavaScript (GC managed)
- Documentation: Complete (v7.0)
- TPCF: Tri-Perimeter Contribution Framework (v7.0)
See .well-known/security.txt for current contact information (RFC 9116 compliant).
PGP Key: To be added
Last Updated: 2025-11-22
Version: 7.0.0
Maintained By: See MAINTAINERS.md