[Rspamd-Users] Questions to DKIM signing

P.V.Anthony anthony at mindmedia.com.sg
Mon Jun 3 15:36:05 UTC 2019

On 3/6/19 10:12 PM, Markus Neubauer via Users wrote:

> Is there a short path to follow to set up dkim signing for the other
> domains, where the From: gives the dependent domain.

If you got the dkim working for your domain, that method should work for
the rest, correct?

Anyway here is what I did. Please check with the rest in the group first 
as I am not an expert. Really please check with the rest in the group.


1. Create the keys.
rspamadm dkim_keygen -s 'default' -d domain.com

2. Put the key in a file

3. Update the domain dns with the public key

4. The config in /etc/rspamd/local.d/dkim_signing.conf

# If false, messages with empty envelope from are not signed
allow_envfrom_empty = false;

# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;

# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;

# If true, username does not need to contain matching domain
allow_username_mismatch = false;

# If false, messages from authenticated users are not selected for signing
auth_only = true;

# Default path to key, can include '$domain' and '$selector' variables
path = "/var/lib/rspamd/dkim/$domain.$selector.key";

# Default selector to use
selector = "default";

# If false, messages from local networks are not selected for signing
sign_local = true;

# Map file of IP addresses/subnets to consider for signing
# sign_networks = "/some/file"; # or url

# Symbol to add when message is signed
symbol = "DKIM_SIGNED";

# Whether to fallback to global config
try_fallback = true;

# Domain to use for DKIM signing: can be "header" (MIME From),
# "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "auth";

# Domain to use for DKIM signing when sender is in sign_networks 
#use_domain_sign_networks = "auth";

# Domain to use for DKIM signing when sender is a local IP 
#use_domain_sign_local = "header";

# Whether to normalise domains to eSLD
use_esld = false;

# Whether to get keys from Redis
use_redis = false;

# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";

# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/dkim_selectors.map";

# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/dkim_paths.map";

# If `true` get pubkey from DNS record and check if it matches private key
check_pubkey = true;
# Set to `false` if you want to skip signing if public and private keys
allow_pubkey_mismatch = false;
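
Added example (not part of the original post, and not rspamd's own tooling): a pre-flight check that expands the `path` template from the config above for each additional domain and reports keys that are missing, empty, contain a DNS record instead of only the private key, or are accessible to other users. The function names and status labels are hypothetical; `KEY_DIR` and `SELECTOR` are assumed to mirror the `path` and `selector` settings.

```shell
#!/bin/sh
# Added example: check that every domain to be signed has a usable key file.
# KEY_DIR and SELECTOR mirror "path" and "selector" in dkim_signing.conf;
# override them in the environment if your layout differs.
KEY_DIR="${KEY_DIR:-/var/lib/rspamd/dkim}"
SELECTOR="${SELECTOR:-default}"

# Expand the "$domain.$selector.key" template for one domain.
dkim_key_path() {
    printf '%s/%s.%s.key\n' "$KEY_DIR" "$1" "$SELECTOR"
}

# Print one status line per domain; return non-zero if any domain is not ready.
check_dkim_keys() {
    rc=0
    for domain in "$@"; do
        key=$(dkim_key_path "$domain")
        if [ ! -f "$key" ]; then
            # No key at the templated path: the domain cannot be signed.
            echo "MISSING  $domain  $key"; rc=1
        elif [ ! -s "$key" ]; then
            echo "EMPTY    $domain  $key"; rc=1
        elif grep -q 'v=DKIM1' "$key"; then
            # The DNS TXT record was saved into the private key file.
            echo "HAS_DNS  $domain  $key"; rc=1
        elif [ -n "$(find "$key" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
            # Any permission bit for "other" exposes the signing key.
            echo "EXPOSED  $domain  $key"; rc=1
        else
            echo "OK       $domain  $key"
        fi
    done
    return "$rc"
}

# Run against the domains given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_dkim_keys "$@"
fi
```

Run it with the domains to be signed as arguments, for example `sh check_dkim_keys.sh domain.com other-domain.example` (placeholder names); a non-zero exit status means at least one domain is not ready.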
