Thread: DKIM only on the host, not individual domains.

  1. #1
    Join Date
    Jul 2006
    Location
    Utrecht / Netherlands
    Posts
    124

    Question DKIM only on the host, not individual domains.

    Hi all,

    Does anyone know if it could make sense to only install DKIM on the hostname of the outgoing mailserver?
    Since my mail is sent using:

    Return-path: <user@vps1.myhostname.com>
    Received: from user by vps1.myhostname.com with local (Exim 4.84)
    (envelope-from <user @vps1.myhostname.com>)
    id 1YekF9-0007kz-KO; Sun, 05 Apr 2015 15:05:39 +0200

    ( note the "user" and "myhostname.com" are spoofed for example purposes. )

    The reason I ask is that I do not wish to copy/paste over 300 keys from DirectAdmin to my external nameservers.
    But I wish all the domains hosted by my server to pass DKIM as much as possible.

    If signing the outgoing vps1.myhostname.com (which is used for all e-mail domains in the From header) is enough, that would be greatly preferable.

    Thanks for any of your insights.

    Regards!
    Armand

  2. #2
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    If all outgoing emails have myhostname.com as the "from" domain, yes; if you host multiple domains, every domain needs its own DKIM.

    You may need to ask your external nameserver manager how you can implement your DirectAdmin server with them; maybe they have some APIs you can work with to create a script that automates the DNS-send process.

    Regards
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  3. #3
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,563
    Hello,

    Do not create DKIM keys for other domains, just create it for your hostname. That should work, as there is a check:

    Code:
    [root@server etc]# cat /etc/exim.dkim.conf
    #1.0
      dkim_domain = $sender_address_domain
      dkim_selector = x
      dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
      dkim_canon = relaxed
      dkim_strict = 0


    from exim documentation:

    dkim_private_key

    MANDATORY: This sets the private key to use. You can use the $dkim_domain and $dkim_selector expansion variables to determine the private key to use. The result can either

    • be a valid RSA private key in ASCII armor, including line breaks.
    • start with a slash, in which case it is treated as a file that contains the private key.
    • be "0", "false" or the empty string, in which case the message will not be signed. This case will not result in an error, even if dkim_strict is set.
    http://www.exim.org/exim-html-curren...fied_mail.html



    So if a DKIM key does not exist, an outgoing email won't be signed.

    Note to keep dkim=0 in directadmin.conf
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook
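
The key lookup in the exim.dkim.conf quoted in post #3, as an added example that is not part of the original posts and is not DirectAdmin or Exim code: it reports which envelope sender domains would be signed and which `x._domainkey` TXT names would have to be published in DNS. The function names, the sample domains and the treatment of every subdirectory of the virtual root as one mail domain are assumptions of this example.

```shell
#!/bin/sh
# Added example. Mirrors the quoted config: dkim_domain = $sender_address_domain,
# selector x, key at <root>/<domain>/dkim.private.key, unsigned ("0") if absent.
SELECTOR="x"

# Print the domain part of an envelope sender address.
sender_domain() {
    printf '%s\n' "${1##*@}"
}

# dkim_decision ROOT SENDER
# Prints "sign d=<domain> s=x key=<path>" or "unsigned d=<domain>".
dkim_decision() {
    dom=$(sender_domain "$2")
    key="$1/$dom/dkim.private.key"
    if [ -e "$key" ]; then
        printf 'sign d=%s s=%s key=%s\n' "$dom" "$SELECTOR" "$key"
    else
        printf 'unsigned d=%s\n' "$dom"
    fi
}

# dkim_audit ROOT
# One line per domain directory: the TXT record name to publish when a key
# exists, or a note that mail with that envelope domain leaves unsigned.
dkim_audit() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        dom=$(basename "$dir")
        if [ -e "$dir/dkim.private.key" ]; then
            printf '%s signed publish=%s._domainkey.%s\n' "$dom" "$SELECTOR" "$dom"
        else
            printf '%s unsigned\n' "$dom"
        fi
    done
}

# Constructed sample tree (hypothetical domains) so the example runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/vps1.myhostname.com" "$root/customer-a.example" "$root/customer-b.example"
    : > "$root/vps1.myhostname.com/dkim.private.key"
    : > "$root/customer-a.example/dkim.private.key"
    printf '%s\n' "$root"
}

SAMPLE=$(make_sample_tree)
dkim_decision "$SAMPLE" "user@vps1.myhostname.com"
dkim_decision "$SAMPLE" "info@customer-b.example"
dkim_audit "$SAMPLE"
rm -rf "$SAMPLE"
```

On a server, pass `/etc/virtual` as ROOT instead of the sample tree.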

  4. #4
    Join Date
    Jul 2006
    Location
    Utrecht / Netherlands
    Posts
    124
    Hi Alex,

    Thanks for your input.
    Would you say the effect of DKIM on the hostname is enough for a larger amount of checks if the key does not exist in the actual "from" domain name?
    Since if I analyse the FROM, there is always a server hostname I manage in it, plus the domain name of the customer.

    SeLLeRoNe also made me think about some way of exporting DA DKIM keys into my external DNS.

    Regards,
    Armand

  5. #5
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,563
    Armand,

    No, I would not say that. DKIM should be enabled for every domain in whose name you send emails if you want to have all the benefits of it.
    Regards, Alex G.

  6. #6
    Join Date
    Jul 2006
    Location
    Utrecht / Netherlands
    Posts
    124
    Thanks!
    I'll investigate.

    Regards,
    Armand

  7. #7
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,563
    Check and inspect the email headers. It might be that an email is sent from the server hostname due to address rewriting or anything of the kind.
    Regards, Alex G.