DKIM only on the host, not individual domains.

Manie

Verified User
Joined
Jul 18, 2006
Messages
124
Location
Utrecht / Netherlands
Hi all,

Does anyone know if it could make sense to only install DKIM on the hostname of the outgoing mailserver?
Since my mail is sent using:

Return-path: <user@vps1.myhostname.com>
Received: from user by vps1.myhostname.com with local (Exim 4.84)
(envelope-from <user @vps1.myhostname.com>)
id 1YekF9-0007kz-KO; Sun, 05 Apr 2015 15:05:39 +0200

( note the "user" and "myhostname.com" are spoofed for example purposes. )

The reason I ask is that I do not wish to copy/paste over 300 keys from DirectAdmin to my external nameservers.
But I wish all the domains hosted by my server to pass DKIM as much as possible.

If signing the outgoing vps1.myhostname.com (which is used for all e-mail domains in the From header) is enough.
That would be greatly preferable :)

Thanks for any of your insights.

Regards!
Armand
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
If all outgoing email have as "from" domain myhostname.com yes, if you host multiple domains, every domain need its own DKIM.

You may need to ask to your external nameserver manager how can you implement your directadmin server with them, maybe they got some API's you may work with and create a script to automatize the DNS-send process

Regards
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Hello,

Do not create DKIM keys for other domains, just create it for your hostname. That should work, as there is a check:

Code:
[root@server etc]# cat /etc/exim.dkim.conf#1.0
  dkim_domain = $sender_address_domain
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0


from exim documentation:

dkim_private_key

MANDATORY: This sets the private key to use. You can use the $dkim_domain and $dkim_selector expansion variables to determine the private key to use. The result can either

  • be a valid RSA private key in ASCII armor, including line breaks.
  • start with a slash, in which case it is treated as a file that contains the private key.
  • be "0", "false" or the empty string, in which case the message will not be signed. This case will not result in an error, even if dkim_strict is set.
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html



So if DKIM key does not exist, an outgoing email won't be singed.

Note to keep dkim=0 in directadmin.conf
 

Manie

Verified User
Joined
Jul 18, 2006
Messages
124
Location
Utrecht / Netherlands
Hi Alex,

Thanks for your input.
Would you say the effect of DKIM the hostname is enough for larger amount of checks if the key does not exists in the actual "from" domainname?
Since if I analyse the FROM there is always a server hostname I manage in. + The domainname of the customer.

SeLLeRoNe also made me think about some way of exporting DA DKIM key's into my external DNS.

Regards,
Armand
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Armand,

No, I would not say that. DKIM should be enabled for every domain from name of which you send emails if you want to have all benefits of it.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Check and inspect the emails headers. It might be an email is sent from the server hostname due to address rewriting or anything of the kind.
 
Top