Yes, and it is also recommended to set up a different selector for each server and a different key per server.
You can test the DKIM signature using this website: http://dkimvalidator.com/

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Maarten
Sent: Wednesday, 13 December 2017 08:14
To: Postfix users; owner-postfix-us...@postfix.org
Subject: Re: DKIM signing for wildcard sub domains

Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters

On 2017-12-13 03:10, Kent wrote:
> Hi All,
>
> I'm trying to get DKIM signing working on our postfix mail server.
>
> We have a wildcard domain *.school.kiwi. We are providing a mail
> service for our clients - who each have their own sub-domain e.g.
> abc.school.kiwi or cde.school.kiwi
>
> I have two servers, both are identical setups running CentOS and
> Postfix 2. One is named mx01.school.kiwi and the other is named
> mx02.school.kiwi
> Note: When I created the 'default.private' - I did so on mx01 and
> copied it to mx02 so they are the same. I assume this is the correct
> approach?
>
> I've followed the instructions per this page:
> https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>> opendkim: OpenDKIM Filter v2.11.0
>
> I've set up my KeyTable:
>> default._dkim.school.kiwi
>> school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private
>
> And my SigningTable:
>> *school.kiwi default._dkim.school.kiwi
>> .school.kiwi default._dkim.school.kiwi
>
> This is the current setup. I've tried different variations including
> *@school.kiwi, *@*school.kiwi, *@.school.kiwi and *@*.school.kiwi
>
> My TrustedHosts:
>> 127.0.0.1
>> ::1
>> school.kiwi
>> .school.kiwi
>
> And finally opendkim.conf itself with:
>> # KeyFile /etc/opendkim/keys/default.private
>> KeyTable /etc/opendkim/KeyTable
>> SigningTable refile:/etc/opendkim/SigningTable
>> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
>> InternalHosts refile:/etc/opendkim/TrustedHosts
>
> This is what I see in the /var/log/maillog when I send an e-mail to
> my gmail account.
>
>> Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0
>> from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426:
>> message-id=<fndqjlkx4fdbrd6gt1eku...@school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426:
>> from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, size=4645, nrcpt=1
>> (queue active)
>> Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection
>> established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2
>> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>> Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426:
>> to=<abcdefghi...@gmail.com>,
>> relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4,
>> delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK
>> 1513130134 33si417943ply.308 - gsmtp)
>> Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427:
>> message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
>> Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender
>> delivery status notification: 8A3D22084427
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>,
>> size=2632, nrcpt=1 (queue active)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
>> Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427:
>> to=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, relay=schoolkiwi,
>> delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via
>> schoolkiwi service)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed
>
> When I view a received e-mail, I can see the following line in the
> message headers.
>
>> DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426
>
> But not the DKIM signature itself. I've obviously something, but not
> sure what to look at next.
>
> Any assistance appreciated to get this working with emails from
> n...@anysubdomain.school.kiwi
>
> thanks
>
> Kent.
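
A way to automate the header check described in the thread (DKIM-Filter present, DKIM-Signature absent), given here as an added example that is not part of the original messages. It also reports each signature's selector, so with one selector per server you can tell which host signed and which DNS TXT record must hold the key. The selector `mx02`, the addresses and both sample messages are constructed for illustration.

```python
from email import message_from_string

def dkim_report(raw_message):
    """Return (filter_seen, signatures) for a raw RFC 5322 message.

    filter_seen: True if the OpenDKIM milter stamped a DKIM-Filter header,
    i.e. the message passed through the filter (signed or not).
    signatures: one dict per DKIM-Signature header with its domain (d=),
    selector (s=) and the DNS TXT name that must publish the public key.
    """
    msg = message_from_string(raw_message)
    signatures = []
    for value in msg.get_all("DKIM-Signature", []):
        # The value is a ';'-separated tag=value list that may be folded
        # across lines, so drop all whitespace before splitting it.
        tags = {}
        for part in "".join(value.split()).split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name] = val
        domain, selector = tags.get("d"), tags.get("s")
        if domain and selector:
            signatures.append({
                "domain": domain,
                "selector": selector,
                "dns_name": f"{selector}._domainkey.{domain}",
            })
    return msg.get("DKIM-Filter") is not None, signatures

# Constructed sample: the symptom from the thread (filter ran, nothing signed).
UNSIGNED = (
    "DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426\n"
    "From: noreply@hooks.school.kiwi\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: signed with a per-server selector (assumed name: mx02).
SIGNED = (
    "DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=school.kiwi;\n"
    "\ts=mx02; h=From:Subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: noreply@hooks.school.kiwi\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, dkim_report(raw))
```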