[Rspamd-Users] Also a DKIM signing Question

G.W. Haywood rspamd at jubileegroup.co.uk
Fri Feb 9 18:01:56 UTC 2024


Hi there,

I've made some assumptions below, please forgive me if they're wrong.
Please also forgive me my opinions. :)

On Fri, 9 Feb 2024, christian via Users wrote:

> do you know the following service:
> https://www.learndmarc.com/
> ...

I find I get more from reading something like

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

and maybe then something like

https://datatracker.ietf.org/doc/html/rfc6376

> I have a maindomain that runs Postfix and RspamD and is registered as an MX 
> server in DNS. 100 domains send their emails via this domain.

The precise meaning of "send their emails via this domain" isn't clear
to me.  Can you elaborate?  Please use the real names, not substitutes.

> user1 at domainA.com sends via maindomain.com
> user2 at domainB.com sends via maindomain.com
> user3 at domainC.com sends via maindomain.com
> etc.
>
> That works, but I can't get a working Dkim signature for the emails from user 
> 3 at domainC.com, i.e. all non-masterdomain email addresses.

You can only sign with a DKIM "Signing Domain Identifier" (SDID) which
you control, because you need to be able to put things like the public
keys in the DNS spaces of those domains.  That's kinda the whole point.

If domain[ABC].com are your customers' domains, presumably you don't
own or control them and you can't claim to have signed things for them.

They really ought to be able to sign mail for themselves, and then, if
you relay their mail for them, you'd just be relaying their signatures
along with any other headers in their mail.

> Do I have to enter a DNS entry and a server certificate for each domain ...

If you want to sign their mail on behalf of their domains then that is
as you point out going to involve you in some work, and responsibility.
For example you're going to have to be the custodian of their private
keys, and they're presumably going to look to you for the safe storage
and use of said private keys.  There's no way on Earth I'd trust *any*
third party with my private keys, it would be just asking for trouble.
They can't all use the *same* keys, because if they did they'd each be
able to sign mail on behalf of all the others and that could get ugly.

If I understand what you mean by 'the server certificate' then that
has nothing to do with DKIM.  The server's certificate is used when it
connects to some other server in order to verify that it is what it
claims to be (using mechanisms involving a trusted third party, which
are completely different from those used in DKIM).  All the receiving
server knows from the sending server's certificate is that it is what
it says it is - it gives no information about any mail messages (nor
anything else) which might subsequently pass between them.

But yes, each domain will normally need DNS entries for DKIM and yes,
it could be a bit of work.  If you are in fact going to perform this
function for a hundred domains then you'll probably want to have some
tooling to make it manageable.  At a guess you'd charge for it too.

You can sign messages using maindomain.com as the signing 'd=' domain
and, although this gives a recipient no information about whether or
not the server sending mail from user[123]@domain[ABC] is *entitled*
to send such mail, it does give some information about maindomain.com,
and the maindomain.com administrators can be held to account in case
there's some issue.  They can't deny they signed it - only they could,
unless they gave away their private keys (in itself a serious issue).

Being able to hold people to account is what started all this, so you
get a long way towards the objective with just that.  All that really
matters is that the signature is created by the entity which claims to
have created it and that it can be verified.

Within limits, signing things also means that if they were changed
after signing then the fact that they were changed can be detected by
a recipient by reading the signature, fetching from the DNS those
records which are needed to verify it, and doing the calculations.
That's a bonus, but although I have seen stories about it I have to
admit I've never personally seen it used for real.  When a signature
has failed verification it's always been either because something like
a mailing list screwed things up, or the signing was done wrongly in
the first place, or else nobody cared and everyone just ignored it.
The limits that I mentioned mean that it's not always quite as simple
as it might first appear anyway.  Most of the time the real reason for
signing is just to get the mail delivered - and that isn't necessarily
what it's all about. :(

>...
> Is RspamD's dkim_signing designed for this?
> ...

I'm sorry, I don't use rspamd for signing mail and I'm not familiar
with the design criteria, but I'd expect it to be able to handle it.
Others here may be able to help you with that better than I can.

-- 

73,
Ged.
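The post's point that a relay signing with d=maindomain.com says nothing about whether user1@domainA.com is entitled to send, and that each customer domain would otherwise need its own DNS record, can be checked mechanically. The following is an added example (not code from the post or from rspamd): it parses a DKIM-Signature tag list per RFC 6376, derives the DNS name a verifier would query for the public key, and reports whether the d= domain aligns with the From: domain. The sample headers and the two-label organizational-domain rule are constructed simplifications (real DMARC uses the Public Suffix List).

```python
import re
from email.utils import parseaddr

# Constructed sample headers, as a relay signing with its own domain might
# emit them for a customer's message. Not real keys, selectors or hosts.
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=maindomain.com; "
               "s=mail2024; h=from:to:subject:date; bh=abc=; b=def=")
SAMPLE_FROM = "User One <user1@domainA.com>"


def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list into a dict; folding whitespace is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, val = item.split("=", 1)          # b=...= contains '=' padding
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_record_name(tags):
    """DNS TXT name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, not PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dkim_alignment(tags, from_header):
    """Return 'strict', 'relaxed' or None depending on how d= relates to From:."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    signing_domain = tags.get("d", "").lower()
    if not from_domain or not signing_domain:
        return None
    if from_domain == signing_domain:
        return "strict"
    if org_domain(from_domain) == org_domain(signing_domain):
        return "relaxed"
    return None


if __name__ == "__main__":
    tags = parse_tag_list(SAMPLE_DKIM)
    print("key record:", dkim_record_name(tags))
    print("alignment with From:", dkim_alignment(tags, SAMPLE_FROM))
```

A result of None is exactly the situation in the thread: the signature is verifiable and holds maindomain.com accountable, but it does not align with domainA.com, so that customer's DMARC policy gains nothing from it.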
