Thank you so much Marc! for the clear explanations. You are right. Now everything makes sense.
And to answer my initial question about how to check to make sure domain1 is not signed by the new key, we can first create a amavis-test.conf, then use the following commands to check whether signing is correct with this conf: amavisd -c amavis_test.conf showkeys amavisd -c amavis_test.conf showkeys .org domain1 amavisd -c amavis_test.conf testkeys amavisd -c amavis_test.conf testkeys .org domain1
