[Rspamd-Users] Also a DKIM signing Question

Gerald Galster list+rspamd at gcore.biz
Fri Feb 9 17:29:25 UTC 2024


> My question:
> I have a main domain that runs Postfix and Rspamd and is registered as an MX server in DNS. 100 domains send their emails via this domain.

I'm not sure if I understood correctly, let's try this example:

Your domain is provider.com and all emails are received by mx1.provider.com.

In DNS speech: provider.com  IN MX 100 mx1.provider.com.

Then you have a few customers that use your mx1.provider.com for sending and receiving emails.

customer1.com IN MX 100 mx1.provider.com.
customer2.com IN MX 100 mx1.provider.com.
..

To enforce DMARC you would have to allow mx1.provider.com to send mails for customer1.com and customer2.com:

customer1.com IN TXT "v=spf1 mx ~all"
customer2.com IN TXT "v=spf1 mx ~all"

and/or DKIM sign mails for every customer domain:

selector._domainkey.customer1.com IN TXT "v=DKIM1..."
selector._domainkey.customer2.com IN TXT "v=DKIM1..."

Or to put it another way:
- with SPF you allow certain IPs to send mails for certain domains
- with DKIM you permit correctly signed mails (IPs do not matter)

Technically it would be possible to use the same DKIM-key for all customer*.com domains but that's not recommended.
It could be an enormous job to create an individual DKIM-key per domain, but if you're operating at scale it's time to automate.

Best regards,
Gerald
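
The per-domain SPF/DKIM layout described in the reply above can be checked automatically. The following is an added example, not part of the original post or of Rspamd: it audits TXT records for hosted domains and flags domains without SPF, without a DKIM key, or sharing one DKIM public key. The function names, the sample zone and the dummy `p=` values are constructed for illustration, and single-string TXT records are assumed.

```python
import re
from collections import defaultdict

# Constructed sample zone (not from the post); p= values are dummy strings.
ZONE = '''\
customer1.com IN TXT "v=spf1 mx ~all"
selector._domainkey.customer1.com IN TXT "v=DKIM1; k=rsa; p=DUMMYKEY1"
customer2.com IN TXT "v=spf1 mx ~all"
selector._domainkey.customer2.com IN TXT "v=DKIM1; k=rsa; p=DUMMYKEY1"
customer3.com. IN TXT "v=spf1 mx ~all"
'''

# owner name (optional trailing dot), then IN TXT "<text>"
RECORD = re.compile(r'^(\S+?)\.?\s+IN\s+TXT\s+"(.*)"\s*$')

def parse_txt(zone_text):
    """Yield (owner, text) for every single-string TXT line."""
    for line in zone_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)

def dkim_tags(text):
    """Split a DKIM record into its tag=value pairs."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def audit(zone_text, domains):
    """Report hosted domains lacking SPF or DKIM, and DKIM keys used twice."""
    spf, keys = set(), defaultdict(set)
    for owner, text in parse_txt(zone_text):
        if text.lower().startswith("v=spf1"):
            spf.add(owner)
        elif "._domainkey." in owner and text.startswith("v=DKIM1"):
            p = dkim_tags(text).get("p")
            if p:  # an empty p= tag marks a revoked key, so skip it
                keys[p].add(owner.split("._domainkey.", 1)[1])
    signed = set().union(*keys.values())
    return {
        "no_spf": sorted(d for d in domains if d not in spf),
        "no_dkim": sorted(d for d in domains if d not in signed),
        "shared_keys": sorted(sorted(ds) for ds in keys.values() if len(ds) > 1),
    }

if __name__ == "__main__":
    print(audit(ZONE, ["customer1.com", "customer2.com", "customer3.com"]))
```
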

