On 26/03/2019 19:42, John Luk wrote:

dkim_key('domain1.com', "dkim", "/var/lib/dkim/domain1.com.pem");
dkim_key('domain2.com', "dkim", "/var/lib/dkim/domain2.com.pem");
dkim_key('others.com', "dkim", "/var/lib/dkim/others.com.pem");
@dkim_signature_options_bysender_maps = ( {
"." => { d => "others.com", a => 'rsa-sha256', ttl => 10*24*3600 },
});

In my understanding the above would:

* sign domain1.com using that domain1.com key
* sign domain2.com using that domain2.com key

* sign domainX.com using that others.com key
* sign domainY.com using that others.com key

Is that true?

I don't think it is. The dkim_key entries only set up which keys are available, and then @dkim_signature_options_bysender_maps is what defines which signing domain to use depending on the sender address. Double-check the docs:

https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign (point 7).

In your case, you only have a catchall entry specifying that everything should be signed under the others.com domain (and you only have one key for that domain, so everything will be signed under d=others.com with the /var/lib/dkim/others.com.pem key).

The correct setup would be:

dkim_key('domain1.com', "dkim", "/var/lib/dkim/domain1.com.pem");
dkim_key('domain2.com', "dkim", "/var/lib/dkim/domain2.com.pem");
dkim_key('others.com', "dkim", "/var/lib/dkim/others.com.pem");
@dkim_signature_options_bysender_maps = ( {
    ".domain1.com" => { d => "domain1.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ".domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "."  => { d => "others.com", a => 'rsa-sha256', ttl => 10*24*3600 },
});

Comments:

- Notice that the signing domain doesn't need to be the same as the sender domain. For instance, gmail will sign all its outgoing mails under the gmail.com domain, even gmail for businesses with their own domain. In this example all emails except those of domain1.com and domain2.com would be signed under the others.com domain (not under their own).

- Like in other maps, ".domain1.com" (with the initial dot) matches both domain1.com domain and any of its subdomains, whereas "domain1.com" doesn't match subdomains.

- Of course you can adapt the extra parameters (a, ttl, whatever) to your liking.
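As an added illustration (not part of this thread and not amavisd's own code), here is a small Python model of how the bysender map above selects the signing domain and key. The lookup order (full address, bare domain, ".domain" and each parent ".suffix", then the "." catch-all) is an assumed approximation of amavisd's map lookup; the sender addresses are constructed samples.

```python
# Added example, not from the thread: models the bysender-map lookup
# discussed above. Lookup order is an assumed approximation of amavisd's
# hash-map lookup: exact address, bare domain, ".domain", parent ".suffix"
# entries, and finally the "." catch-all.
from typing import Dict, Optional, Tuple

# Keys registered via dkim_key(domain, selector, path) in the reply.
DKIM_KEYS: Dict[str, Tuple[str, str]] = {
    "domain1.com": ("dkim", "/var/lib/dkim/domain1.com.pem"),
    "domain2.com": ("dkim", "/var/lib/dkim/domain2.com.pem"),
    "others.com": ("dkim", "/var/lib/dkim/others.com.pem"),
}

OPTS = {"a": "rsa-sha256", "ttl": 10 * 24 * 3600}

# The original poster's map: only a catch-all, so everything -> others.com.
ORIGINAL_MAP = {".": dict(d="others.com", **OPTS)}

# The corrected map from the reply.
CORRECTED_MAP = {
    ".domain1.com": dict(d="domain1.com", **OPTS),
    ".domain2.com": dict(d="domain2.com", **OPTS),
    ".": dict(d="others.com", **OPTS),
}


def lookup_candidates(sender: str) -> list:
    """Keys tried, most specific first. '.x.y' matches x.y and subdomains;
    a bare 'x.y' key only matches the exact domain."""
    sender = sender.lower()
    _, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    cands = [sender, domain]
    cands += ["." + ".".join(labels[i:]) for i in range(len(labels))]
    return cands + ["."]


def signing_options(sender: str, bysender_map: dict) -> Optional[dict]:
    """First matching map entry decides d=, a=, ttl; None means unsigned."""
    for key in lookup_candidates(sender):
        if key in bysender_map:
            return bysender_map[key]
    return None


def signing_key(sender: str, bysender_map: dict) -> Optional[Tuple[str, str, str]]:
    """(d, selector, key path) used to sign, or None if no usable dkim_key."""
    opts = signing_options(sender, bysender_map)
    if opts is None or opts["d"] not in DKIM_KEYS:
        return None  # selected d= has no dkim_key: amavisd cannot sign
    return (opts["d"],) + DKIM_KEYS[opts["d"]]
```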
