[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Dismas Axel (Thomas) dismasc at protonmail.com
Tue Apr 9 07:35:12 UTC 2019

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, April 9, 2019 1:47 PM, Carsten Rosenberg <cr at ncxs.de> wrote:

> Hi D.A.T,
> Could you please detail a bit, what you want to achieve? Please bring
> examples and debug logs.
> Signing a mail for brand1.com using brand1.com also as signing domain is
> not verifiable without a DNS entry. Also impossible in OpenDKIM ;)
> What is possible and what you maybe have done before is to sign
> brand1.com using maincorp.com as signing domain.
> But you don't have asked about that. Maybe the feature is already
> implemented.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Carsten

Hi Carsten and Vsevolod,

Thank you for your replies. Yes, please if you have time, please help.

Please allow me to summarize:

The situation:

Let's say I have 3 domains:
maincorp.com, brand1.com, brand2.com

I generated a DKIM Key for maincorp.com:

Added the generated key to the OpenDKIM KeyTable:

mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private

Added TXT Record for mail_.domainkey.maincorp.com for maincorp.com:

mail._domainkey.maincorp.com       IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiWKBgQKQlg6RRngSt6ctCrdSzWJekQttma0dpIuBY3O0wI1einS/NNp4uPJznkiLvJoqAT8LoSJzEM8EtzSGK5dowL9gEGkTM/SowRHRN97cdfxuWeq2Pjn+MMAjxrdaXoZuGWq5n2zFNcJv6tVOVnH6SbOSXu4BWr3Op1iexw2Ps8Ll7QIDAQAB" )  ; ----- DKIM key mail for maincorp.com

Then, on my SigningTable in /etc/opendkim, I added:

OpenDKIM SigningTable:

*@maincorp.com mail._domainkey.maincorp.com
*@brand1.com mail._domainkey.maincorp.com
*@brand2.com mail._domainkey.maincorp.com

Final Result:

All emails from @brand1.com and @brand2.com would also be signed with mail._domainkey.maincorp.com. When you check with gmail it will tell me that @brand1.com signed-by mailcorp.com and not brand1.com.

To achieve this, I gained flexibility to the facts that:

1) I did not need to generate DKIM Keys for brand1.com and brand2.com.
2) I did not need to add a CNAME Record, e.g:
mail._domainkey.brand1.com 	IN 	CNAME	mail._domainkey.maincorp.com

It just simply works!

Now, my question is how to achieve this in RSPAMD DKIM Signing Module?

I tried using map, but the brand1.com I sent was not signed by mailcorp.com! No errors was produced, it is more a DKIM temperror.

Thank you,

More information about the Users mailing list