Just a quick fix, I wrote wrong instructions: s=* means for all services. You have to edit /etc/opendkim.conf:

    Subdomains Yes

And /etc/opendkim/SigningTable:

    example.com default._domainkey.example.com
    .example.com default._domainkey.example.com

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Anvar Kuchkartaev
Sent: Wednesday, 13 December 2017 09:02
To: Kent; Postfix users
Subject: Re: DKIM signing for wildcard sub domains

In your case you are using a selector with the name default. If you use opendkim-genkey -s mx0 then it will generate a key for the mx0 selector (you must update DNS records accordingly: instead of default._domainkey.school.kiwi, mx0._domainkey.school.kiwi; and for mx1 generate with selector mx1 and DNS record mx1._domainkey.school.kiwi).

If you want to create one key which will be copied across servers and applied for subdomains, use the --subdomains option to generate a key for subdomains, and in the DNS record also use s=*.

DNS record in my case:

    Question section:
    ----------------------------
    mx1._domainkey.aegisnet.eu TXT

    Answer section:
    ----------------------------
    mx1._domainkey.aegisnet.eu. 21599 IN TXT "v=DKIM1; k=rsa; s=*; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspG5C7Cb9NipLjFCOdlPWqMybUqqAqnbbts4txUgFJ6XyyDQ58FKNKQmgKP7+/UHaYdPEEyrVJ34SUhg5gx+UWljm/ERROmPA7yDjzX2XZQDhaX1Rl+yZpLc9t1VrAhNHvvmdwiD0KZ3pJXVDYrYZp5NerINpq460Ra4GxUcmIeun" "Vy2eAlfVk2LA7keNlf4UU+Sw3z66A0Yr+JgAf3/YRTDgPFM5vHYL3IHmiz9+ZH+GnGG+xTjm24k0SOr1mqtjkwORNtYg1aub5JmTtc7GaqH6w6cyBVmUylFx3TWL8MlqlxBKkrlQnPG/O7Z1kgUzoS8zx447p0/N1JyyS24rwIDAQAB"

    Authority section:
    ----------------------------

    Additional section:
    ----------------------------

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Kent
Sent: Wednesday, 13 December 2017 08:40
To: Postfix users
Cc: Anvar Kuchkartaev
Subject: Re: DKIM signing for wildcard sub domains

Hi Anvar,

> Yes and also it is recommended to setup different selector for each server
> and different key per server.

I'm not sure I fully understand what you are saying. So I should have created a separate 'default.private' for each server?

How would this work on my DNS server - would they have to have unique identifiers so that the TXT record on the mail server could be added for both servers as well?

I don't want to create a separate DKIM for each sub domain - there are potentially 100's for all our clients. I want a DKIM for the top level 'school.kiwi' domain which is then used for each of the sub domains. Is this possible?

Kent.

> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:
>
> Yes and also it is recommended to setup different selector for each server
> and different key per server.
>
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
>
> Anvar Kuchkartaev
> an...@anvartay.com
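
The following is an added example, not part of the thread or of OpenDKIM: a small parser for a DKIM key record of the kind shown above, reading the tags as RFC 6376 section 3.6.1 defines them, to show that s= lists service types while t=s is the only key-record tag that concerns subdomains. The sample record and its p= value are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample: a key record split into two TXT character-strings, as DNS
# requires for values over 255 bytes. The p= value is a placeholder, not a real key.
SAMPLE_TXT = '"v=DKIM1; k=rsa; s=*; h=sha256; p=QUJD" "REVG"'

def join_txt(rdata):
    """Concatenate the quoted character-strings of a TXT record with no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def parse_key_record(rdata):
    """Split a DKIM key record into a tag -> value dict."""
    tags = {}
    for part in join_txt(rdata).split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        # Folding whitespace inside a value (base64 included) is not significant
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def describe(rdata):
    """Report what the record's tags mean to a verifier."""
    tags = parse_key_record(rdata)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    services = tags.get("s", "*").split(":")  # s= lists service types, default "*"
    flags = tags["t"].split(":") if tags.get("t") else []
    key = base64.b64decode(tags.get("p", ""), validate=True)
    return {
        "key_type": tags.get("k", "rsa"),
        "hashes": tags["h"].split(":") if tags.get("h") else ["any"],
        "usable_for_email": "*" in services or "email" in services,
        # t=s forbids the i= identity from being a subdomain of d=;
        # s=* carries no meaning for subdomains.
        "subdomain_identities_allowed": "s" not in flags,
        "revoked": len(key) == 0,  # an empty p= marks a revoked key
        "key_bytes": len(key),
    }

if __name__ == "__main__":
    print(describe(SAMPLE_TXT))
```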