Configure DKIM for host.domain.com email addresses

CanadaGuy (Verified User, joined Nov 14, 2019)
The default DNS zone host.domain.com that is added on install doesn't have the options out of the box to enable DKIM. Is there a right way to setup DKIM for it, or would it need to be deleted, and re-added as a host.domain.com domain so it can be configured?
 
Oh ok, I thought something was wrong. You got it working. (y)
 
I was wondering the same thing @CanadaGuy. Having followed the DKIM install guide (New Method), and navigated to User Level > E-Mail Accounts (in order to enable DKIM), I got the error:
No Domains
There is no default domain; you should start with creating one first


I'm not sure what 'default domain' means in the context of administering host.domain.com. I'm also not sure why you say it's 'not a domain, just a DNS zone'. (It's both according to my understanding of DNS.)

But I suppose the only question I really need ask is, did you have success running ./dkim_create.sh host.domain.com? :)
 
I'm not sure what 'default domain' means in the context of administering host.domain.com. I'm also not sure why you say it's 'not a domain, just a DNS zone'. (It's both according to my understanding of DNS.)
Not quite. There is a difference between just a DNS record (a file in /var/named) and a default domain, which is a domain that has a DNS record but also exists in Directadmin.

But I suppose the only question I really need ask is, did you have success running ./dkim_create.sh host.domain.com?
Why would you want to create a DKIM record for your hostname?
If you read the help sections correctly, even the old method, you see it's all about domain.com and not host.domain.com.

Just remove the host.domain.com DNS entry, you don't need it. It's only made so DA can work on installation.

As for your issue: do you have a domain as admin in user level? If not, create one; that will be your default domain.
 
Not quite. There is a difference between just a DNS record (a file in /var/named) or a default domain, which is a domain which has a DNS record but also exists in Directadmin.

I just meant that it's both a domain and a zone as far as DNS is concerned. As for DirectAdmin terminology, I'll have to take your word for it—I'm new to DA and have much to learn.

Why would you want to create a DKIM record for your hostname?

I wasn't sure if I should. Then I found this thread and saw that someone else was trying to do the same thing.

Just remove the host.domain.com DNS entry, you don't need it. It's only made so DA can work on installation.

Delete the whole zone file for host.domain.com? And just give host an A record under domain.com? What's the benefit of doing it this way? I'm coming from a semi-managed VPS with cPanel/WHM, where the hostname always had its own zone file.

(Either way, I can't change it at the moment, because the main domain is still hosted on the old server. I just delegated the new hostname to the new server so I could install TLS certificates and access DirectAdmin securely.)
 
DKIM record for a hostname as well as a separate DNS zone for a hostname might be required. Directadmin will add a public DKIM key for a hostname only into /var/named/hostname.db file, i.e. DNS zone created for the hostname.

DirectAdmin still sends emails from root@hostname, admin@hostname, etc. So a DKIM record for the hostname is a good option to get a higher trust level when sending emails.

And as of now a DKIM for the hostname can be created only using the old way, see step #4:

Code:
cd /usr/local/directadmin/scripts
./dkim_create.sh $(hostname -f)

Run the two commands without modifications, as they are shown. There is nothing to replace.
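The post above says the public key lands in the hostname's zone file under /var/named. The following is an added example, not code from the thread or from DirectAdmin, that checks such a record the way a DKIM verifier would read it: it joins the quoted strings of a multi-line TXT record, parses the tag=value list, and confirms the p= value is base64 that decodes to a DER RSA public key. The zone lines, the selector name "x", the IP address and the placeholder key are all constructed for the demo; replace the sample lines with the contents of your own /var/named/<hostname>.db to audit a real zone.

```python
import base64
import re

# Quoted strings in a zone file TXT record are concatenated by resolvers;
# DKIM tag=value pairs are separated by ';' (RFC 6376 section 3.2).
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _placeholder_spki():
    """Tiny DER SubjectPublicKeyInfo with the rsaEncryption OID and a 1-byte
    modulus. Constructed so the demo has a syntactically valid key; it cannot
    sign or verify anything."""
    alg_id = bytes.fromhex("300d06092a864886f70d0101010500")  # SEQUENCE { OID, NULL }
    rsa_pub = bytes.fromhex("3006020103020103")               # SEQUENCE { n=3, e=3 }
    bit_str = b"\x03" + bytes([len(rsa_pub) + 1]) + b"\x00" + rsa_pub
    body = alg_id + bit_str
    return b"\x30" + bytes([len(body)]) + body


def build_sample_zone(hostname="host.domain.com", selector="x"):
    """Constructed lines in the shape of a hostname zone file after a DKIM key
    has been added. The selector name is an assumption for the demo."""
    key_b64 = base64.b64encode(_placeholder_spki()).decode()
    cut = len(key_b64) // 2  # mimic the 255-char string splitting zone files use
    return [
        "$TTL 14400",
        f"@ IN SOA ns1.{hostname}. hostmaster.{hostname}. ( 2019111401 3600 900 1209600 14400 )",
        f"{hostname}. IN A 192.0.2.10",
        '@ IN TXT "v=spf1 a mx -all"',
        f'{selector}._domainkey 14400 IN TXT ( "v=DKIM1; k=rsa; "',
        f'    "p={key_b64[:cut]}"',
        f'    "{key_b64[cut:]}" )',
    ]


def _unquoted(text):
    return QUOTED.sub("", text)


def parse_zone_txt(lines):
    """Return {owner: joined TXT data} for every TXT record, handling
    parenthesised multi-line records and multiple quoted strings."""
    records, pending, depth = {}, "", 0
    for raw in lines:
        pending = f"{pending} {raw}" if pending else raw
        bare = _unquoted(raw)
        depth += bare.count("(") - bare.count(")")
        if depth > 0:
            continue                      # record continues on the next line
        rec, pending = pending, ""
        tokens = _unquoted(rec).replace("(", " ").replace(")", " ").split()
        if "TXT" in tokens:
            records[tokens[0]] = "".join(QUOTED.findall(rec))
    return records


def parse_dkim_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into an ordered dict; whitespace inside
    values (folded keys) is removed as RFC 6376 allows."""
    tags = {}
    for field in txt.split(";"):
        if field.strip():
            name, _, value = field.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def check_dkim_record(owner, txt):
    """Return (selector, tags, problems); an empty problems list means a
    well-formed RSA key record that verifiers can use."""
    problems = []
    selector, marker, _ = owner.partition("._domainkey")
    if not marker:
        problems.append(f"owner {owner!r} is not under _domainkey; verifiers never query it")
    tags = parse_dkim_tags(txt)
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if "v" in tags and next(iter(tags)) != "v":
        problems.append("v= must be the first tag when present")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked; signatures will fail")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            der = b""
            problems.append("p= is not valid base64 (often a copy/paste or line-folding error)")
        if der and der[:1] != b"\x30":
            problems.append("p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)")
        if der and tags.get("k", "rsa") == "rsa" and RSA_ENCRYPTION_OID not in der:
            problems.append("k=rsa but the key does not carry the rsaEncryption OID")
    return selector, tags, problems


def audit_zone(lines):
    """Check every _domainkey TXT record in the zone: {owner: (tags, problems)}."""
    return {owner: check_dkim_record(owner, txt)[1:]
            for owner, txt in parse_zone_txt(lines).items() if "_domainkey" in owner}


if __name__ == "__main__":
    for owner, (tags, problems) in audit_zone(build_sample_zone()).items():
        print(owner, "OK" if not problems else problems, f"p-length={len(tags.get('p', ''))}")
```

The parser only recognises the record as published in the zone file; it does not prove the zone is served. Once the record audits clean, query the selector with dig (`dig TXT x._domainkey.host.domain.com`, with the selector name adjusted to your own) from outside the server to confirm the authoritative nameservers actually answer for it.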
 
Directadmin will add a public DKIM key for a hostname only into /var/named/hostname.db file, i.e. DNS zone created for the hostname.
I always remove that record after creating the main domain for the server and create an A record for the hostname in that domain like:
server A 14400 domain.com (so the same as a www or ftp record is present).

When the hostname record is created, in the DNS overview it always says "no" under "local mail", so this made me think you can't do anything with this record for local mail. Hence I always deleted it.
Next to that, normally only root or da mails are sent by hostname, correct?
So this confuses me a bit now. It's only good for security of mails sent from root and maybe postmaster or something like that?
 
Users emails can also be sent from user@hostname: system emails, emails from cron, emails from PHP scripts, etc.

I'm not sure what security of mails you mean. And what risks can occur when system emails are sent from root@, postmaster@ or admin@?
 
I'm not sure what security of mails you mean.
I referred to the higher trust level.
Indeed I didn't think of cron and php scripts. On our server all scripts send from @domain.com and not from hostname, but they can send from hostname indeed.

But I still wonder why mail is set to no in the DNS overview of the hostname record.

And what risks can occur when system emails are sent from root@, postmaster@ or admin@ ?
I wouldn't know, that's why I always remove that default DNS hostname record made by DA at installation time.
So if I needed this I have to remove the hostname A record (server) and create a hostname record again? Wouldn't that create a local mail "yes" in the DNS overview? And if yes, why isn't that done on setup?
 
Yes EXACTLY.
Hostname is present in /etc/virtual/domains file, should be in there indeed.

Ooooh... wait... it says local data NO on setup... not local mail NO. Pffff... 😏
 
The "local data NO" means a domain does not belong to any user, and it is expected since a hostname should not be owned by anybody on a server; technically it is missing in /etc/virtual/domainowners.

Another case: it can be seen for domains whose DNS zones are copied over via the Multiserver feature of DirectAdmin from another server, or for DNS zones created without adding them to any user account.
 
@zEitEr, sorry to drag up this old thread again… I set this up as you suggested, but I'm getting the occasional DMARC report from Google that passes SPF but fails DKIM domain alignment, and they're all emails from the hostname. (I'm not even sure why mail from the hostname is going out to a gmail account in the first place, but that's another question.)

Any ideas how I can troubleshoot this? Any emails the server sends to me from [email protected] don't have DKIM signature headers (my mail is hosted on the same server) so I can't even check that the DKIM-specified domain is correct. And I'm not sure how to manually send out mail from the hostname to an external email account. (I tried using the mail command in the shell, but that doesn't add a DKIM signature header either.)
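The symptom described above (SPF passes, DKIM fails alignment, all from the hostname) is exactly what a DMARC aggregate report records per sending source. The script below is an added example, not from the thread or from DirectAdmin, that reads such a report and separates "no signature at all" (the MTA is not signing for that From domain, which is the case the hostname-without-DKIM thread discusses) from "signed by an unaligned domain" and "aligned signature that failed verification". The report XML, IP addresses, counts and domain names are constructed; real reports arrive as .xml, .xml.gz or .zip attachments, which load_report handles. org_domain is a deliberate simplification of relaxed alignment (last two labels) and does not consult the Public Suffix List.

```python
import gzip
import xml.etree.ElementTree as ET
import zipfile

# Constructed DMARC aggregate report in the RFC 7489 appendix C schema.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>domain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.com</domain><selector>x</selector><result>pass</result></dkim>
      <spf><domain>domain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>host.domain.com</header_from></identifiers>
    <auth_results><spf><domain>host.domain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>newsletter.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>domain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Relaxed-alignment approximation: the last two labels. Real verifiers
    use the Public Suffix List, so two-level TLDs (co.uk) need that list."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def load_report(path):
    """Aggregate reports arrive as .xml, .xml.gz or .zip attachments."""
    if path.endswith(".gz"):
        with gzip.open(path, "rb") as fh:
            return fh.read().decode()
    if path.endswith(".zip"):
        with zipfile.ZipFile(path) as zf:
            return zf.read(zf.namelist()[0]).decode()
    with open(path, "rb") as fh:
        return fh.read().decode()


def find_dkim_misalignment(xml_text):
    """Return one finding per record that passed SPF but not DKIM, with a
    diagnosis derived from the auth_results the receiver reported."""
    findings = []
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("spf") != "pass" or evaluated.findtext("dkim") == "pass":
            continue
        header_from = rec.findtext("identifiers/header_from")
        signing = [(d.findtext("domain"), d.findtext("result"))
                   for d in rec.findall("auth_results/dkim")]
        aligned = [d for d, _ in signing if org_domain(d) == org_domain(header_from)]
        if not signing:
            diagnosis = "no DKIM signature seen: the MTA is not signing mail for this From domain"
        elif not aligned:
            diagnosis = "signed, but by a domain that does not align with the From domain"
        else:
            diagnosis = "aligned signature present but verification failed: key mismatch or message altered in transit"
        findings.append({
            "header_from": header_from,
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim_signing_domains": [d for d, _ in signing],
            "diagnosis": diagnosis,
        })
    return findings


if __name__ == "__main__":
    for f in find_dkim_misalignment(SAMPLE_REPORT):
        print(f"{f['count']:>4} msgs  From={f['header_from']:<20} ip={f['source_ip']:<15} {f['diagnosis']}")
```

Run it against the real report with `find_dkim_misalignment(load_report("report.xml.gz"))`. When the hostname shows up with an empty signing-domain list, the fix is on the sending side (publish a key for the hostname and make the MTA sign for it, as discussed earlier in the thread), not in DNS alignment settings.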
 
What do you have for your root aliases?

Code:
cat /etc/aliases

Look for root:
like
# You should also set up an alias for messages to root, because it is not
# usually a good idea to deliver mail as root.

root: [email protected]

Some people have a forward

Code:
cd /root
ls -al
see either
.email.txt
or
.forward

What is in either if you find them?
 