[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Vsevolod Stakhov vsevolod at rspamd.com
Tue Apr 9 08:11:23 UTC 2019


Dismas,

On 09/04/2019 08:35, Dismas Axel (Thomas) via Users wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, April 9, 2019 1:47 PM, Carsten Rosenberg <cr at ncxs.de> wrote:
> 
>> Hi D.A.T,
>>
>> Could you please detail a bit, what you want to achieve? Please bring
>> examples and debug logs.
>>
>> Signing a mail for brand1.com using brand1.com also as signing domain is
>> not verifiable without a DNS entry. Also impossible in OpenDKIM ;)
>>
>> What is possible and what you maybe have done before is to sign
>> brand1.com using maincorp.com as signing domain.
>>
>> But you don't have asked about that. Maybe the feature is already
>> implemented.
>>
>> --
>>
>> Carsten
>>
> 
> 
> Hi Carsten and Vsevolod,
> 
> Thank you for your replies. Yes, please if you have time, please help.
> 
> Please allow me to summarize:
> 
> 
> The situation:
> 
> Let's say I have 3 domains:
> maincorp.com, brand1.com, brand2.com
> 
> I generated a DKIM Key for maincorp.com:
> 
> Added the generated key to the OpenDKIM KeyTable:
> 
> mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private
> 
> Added a TXT record for mail._domainkey.maincorp.com for maincorp.com:
> 
> mail._domainkey.maincorp.com       IN      TXT     ( "v=DKIM1; k=rsa; "
>           "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiWKBgQKQlg6RRngSt6ctCrdSzWJekQttma0dpIuBY3O0wI1einS/NNp4uPJznkiLvJoqAT8LoSJzEM8EtzSGK5dowL9gEGkTM/SowRHRN97cdfxuWeq2Pjn+MMAjxrdaXoZuGWq5n2zFNcJv6tVOVnH6SbOSXu4BWr3Op1iexw2Ps8Ll7QIDAQAB" )  ; ----- DKIM key mail for maincorp.com
> 
> Then, on my SigningTable in /etc/opendkim, I added:
> 
> OpenDKIM SigningTable:
> 
> *@maincorp.com mail._domainkey.maincorp.com
> *@brand1.com mail._domainkey.maincorp.com
> *@brand2.com mail._domainkey.maincorp.com
> 
> Final Result:
> 
> All emails from @brand1.com and @brand2.com would also be signed with mail._domainkey.maincorp.com. When you check with Gmail, it tells you that @brand1.com is signed-by maincorp.com and not brand1.com.
> 
> By doing this, I gained flexibility in that:
> 
> 1) I did not need to generate DKIM Keys for brand1.com and brand2.com.
> 2) I did not need to add a CNAME record, e.g.:
> 
> mail._domainkey.brand1.com 	IN 	CNAME	mail._domainkey.maincorp.com
> 

Again: DKIM signing has *nothing* to do with DNS itself, but I see your point.

You can use a static signing domain for all signatures, but it will be tricky.

First, you need to set something like

use_domain_sign_local = "maincorp.com"; (or use_domain_sign_auth)

Then you need to ensure that the symbol is enabled only for the domains
you'd like to sign (e.g. via user settings) and disabled for
everything else.

Probably, OpenDKIM style maps are better indeed. I will investigate
OpenDKIM configuration style and will probably add something similar to
simplify transition to Rspamd.
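Added example to illustrate the point of the thread (it is not code from Rspamd, OpenDKIM, or anyone in the discussion): the d= and s= tags of a DKIM-Signature decide both which DNS name a verifier queries and which domain a receiver such as Gmail reports as "signed-by". DNS is replaced by a constructed in-memory table with a placeholder key, and the CNAME-following is general rather than limited to the single hop shown above.

```python
import re

# Constructed stand-in for DNS (placeholder key text, not a real key): name -> record.
DNS_TXT = {"mail._domainkey.maincorp.com": "v=DKIM1; k=rsa; p=MIGfMA0...IDAQAB"}
DNS_CNAME = {"mail._domainkey.brand1.com": "mail._domainkey.maincorp.com"}


def parse_tags(header: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376), dropping folding whitespace."""
    tags = {}
    for part in header.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def resolve_txt(name: str, max_hops: int = 5):
    """Follow CNAMEs the way a resolver does, then return the TXT record or None."""
    for _ in range(max_hops):
        if name in DNS_TXT:
            return DNS_TXT[name]
        if name not in DNS_CNAME:
            return None
        name = DNS_CNAME[name]
    return None  # CNAME chain too long


def check_signature(from_addr: str, dkim_header: str) -> dict:
    """Report the DNS query, whether a key is published there, and whether d= equals the From: domain."""
    tags = parse_tags(dkim_header)
    d, s = tags["d"].lower(), tags["s"]
    query = f"{s}._domainkey.{d}"
    record = resolve_txt(query)
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return {
        "dns_query": query,
        "key_published": record is not None and "p=" in record,
        "signed_by": d,
        "from_domain_matches": d == from_domain,
    }


if __name__ == "__main__":
    # The three situations discussed in the thread, as constructed headers:
    cases = [
        ("user@brand1.com", "v=1; a=rsa-sha256; d=maincorp.com; s=mail; bh=...; b=..."),
        ("user@brand1.com", "v=1; a=rsa-sha256; d=brand1.com; s=mail; bh=...; b=..."),
        ("user@brand2.com", "v=1; a=rsa-sha256; d=brand2.com; s=mail; bh=...; b=..."),
    ]
    for from_addr, hdr in cases:
        print(from_addr, check_signature(from_addr, hdr))
```

The first case verifies but reports maincorp.com as the signer, the second verifies and matches brand1.com only because of the CNAME, and the third cannot be verified at all because nothing is published under brand2.com.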


