Changing DKIM key

ericovk

Hi,

Is it possible to change the DKIM key record? So that it becomes something different than x._domainkey?
I changed the key manually in the DNS records (of both external DNS settings and in the DA account), but that doesn't seem to work.

I'd like to change it because my customer thinks the DKIM key could be abused. Is that true anyway?
 
Hello Eric,

The x in x._domainkey is called the DKIM selector. And yes, it can be changed in /etc/exim.dkim.conf to something other than x._domainkey => anything._domainkey. On a Directadmin server it will affect all the domains, so you will need to update DNS for all domains. Are you sure you want it?

If you want to issue new private and public keys for one domain without changing the selector, do the following:

Code:
rm -f /etc/virtual/domain.com/dkim.*.key
cd /usr/local/directadmin/scripts
./dkim_create.sh domain.com && /usr/local/directadmin/dataskq d800 && /usr/local/directadmin/dataskq d800

Replace domain.com with a real domain name.

If you use remote nameservers, you will need to copy the public DKIM key to them.
 
Thanks Alex!
It seems like the DKIM key has a public and private key. Is it therefore more secure if I change the subdomain of the DKIM key, or doesn't this really matter for security reasons?
 
The DKIM selector is a public part, and it cannot influence the security.
 
My /etc/exim.dkim.conf looks like this:
Code:
#1.0
  dkim_domain = $sender_address_domain
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0

I changed "x" in:
Code:
dkim_selector = x

Restarted exim, but no result. When running DA script to renew DKIM key, the selector remains x._domainkey?
 
Eric,

Why should it change? As already mentioned you will need to update DNS for all domains. And it should be done manually domain by domain or with a script. Directadmin does not change existing DNS zones whatever you will set DKIM selector to. Existing domains should be updated separately.

I did not find any setting in Directadmin (either in da configs or in da templates) where you can change DKIM selector to a custom value, so you will need to use API or post scripts in order to automate it and update DNS records for new domains.

I don't have a need for such a script, so you will need to write a script yourself or hire somebody for it (I'm available for this kind of job).
 
Hi Alex,
One of my customers has set this as a requirement. I have restarted EXIM, removed the existing x._domainkey DKIM key and ran the script (as you wrote earlier) for this domain. But it is still generating the x._domainkey instead of mycustom._domainkey.
 
Eric,

The exim.dkim.conf config is only for exim. Directadmin does not care what you have in exim.dkim.conf. Directadmin uses its own settings, and the DKIM selector, as it seems, is hardcoded in Directadmin. So that's why I wrote that you need a custom script to update a DNS zone.

Or file a feature request to Directadmin staff.
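
An added example (not part of any post in this thread, and not DirectAdmin's own code): a shell check that reads the selector exim signs with from exim.dkim.conf text and confirms that the key published at that selector's DNS name matches the domain's public key. The function names are hypothetical, and the key material and TXT answers are constructed.

```sh
#!/bin/sh
# Added example: all key material and DNS answers below are constructed.

# Print the dkim_selector value from exim.dkim.conf text on stdin.
exim_selector() {
  sed -n 's/^[[:space:]]*dkim_selector[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Print the p= value of a DKIM TXT answer on stdin. dig prints long records
# as several quoted chunks, so quotes and whitespace are removed first.
txt_pubkey() {
  tr -d '" \t\r\n' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1
}

# Print the base64 body of a PEM public key on stdin as one line.
pem_body() {
  grep -v '^-----' | tr -d ' \t\r\n'
}

# dkim_check SELECTOR DOMAIN TXT_ANSWER PUBLIC_PEM
# Returns 0 when the key published at SELECTOR._domainkey.DOMAIN matches.
dkim_check() {
  name="$1._domainkey.$2"
  published=$(printf '%s' "$3" | txt_pubkey)
  expected=$(printf '%s\n' "$4" | pem_body)
  if [ -z "$published" ]; then echo "$name: no DKIM key published"; return 1; fi
  if [ "$published" != "$expected" ]; then echo "$name: key MISMATCH"; return 1; fi
  echo "$name: OK"
}

# Constructed inputs. On a live server they would come from:
#   exim_selector < /etc/exim.dkim.conf
#   dig +short TXT "$SEL._domainkey.domain.com"
#   openssl rsa -in /etc/virtual/domain.com/dkim.private.key -pubout
CONF='  dkim_domain = $sender_address_domain
  dkim_selector = mycustom'
PEM='-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNU
RURLRVkx
-----END PUBLIC KEY-----'
TXT_NEW='"v=DKIM1; k=rsa; p=Q09OU1RSVUNU" "RURLRVkx"'

SEL=$(printf '%s\n' "$CONF" | exim_selector)
dkim_check "$SEL" domain.com "$TXT_NEW" "$PEM"   # record published for mycustom
dkim_check "$SEL" domain.com "" "$PEM" || true   # DNS still only has x._domainkey
```

The second call models the situation in this thread: exim signs with the new selector while DNS only carries the record under x._domainkey, so the lookup for the new name comes back empty.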
 
I've just found out:

Will be available with a new release of DA: https://www.directadmin.com/features.php?id=2085

Already in custombuild and pre-release version:

Code:
# /usr/local/directadmin/directadmin c | grep dkim
dkim=1
dkim_selector=x

# /usr/local/directadmin/directadmin o
Compiled on 'CentOS 6.0 64-Bit'
Compile time: Jan 30 2018 at 23:06:28
Compiled with IPv6
 
Can the selector be changed per domain?

Say I want to send mails from the same domain with different providers all using directadmin. I believe for each provider I'll need a separate DKIM key. But I cannot publish them over DNS if they all have the same selector.
 
Can the selector be changed per domain?
Not from within the GUI as far as I know.

But maybe this can bring some light.
 