Re: DKIM signing for wildcard sub domains
Kent wrote on 2017-12-13 08:40:

> Is this possible ?

no

http://www.opendkim.org/opendkim-atpszone.8.html

unless it's atps signed

imho your server hostname must be dkim signed then you can reuse keys to subdomain signing

it's complex setup, so join opendkim maillist asking specific to this
Re: DKIM signing for wildcard sub domains
Just quick fix I wrote wrong instructions s=* means for all services.

You have to edit /etc/opendkim.conf

Subdomains Yes

And /etc/opendkim/SigningTable

example.com default._domainkey.example.com
.example.com default._domainkey.example.com

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Anvar Kuchkartaev
Sent: Wednesday, 13 December 2017 09:02
To: Kent; Postfix users
Subject: Re: DKIM signing for wildcard sub domains

In your case you are using selector with the name default. If you use opendkim-genkey -s mx0 then it will generate key for mx0 selector (you must update dns records accordingly instead of default._domainkey.school.kiwi mx0._domainkey.school.kiwi and for mx1 generate with selector mx1 and dns record mx1._domainkey.school.kiwi)

If you want to create one key which will be copied across servers and applied for subdomains use --subdomains option to generate key for subdomains and in dns record use also s=*

Dns record in my case:

Question section:
mx1._domainkey.aegisnet.eu TXT

Answer section:
mx1._domainkey.aegisnet.eu. 21599 IN TXT "v=DKIM1; k=rsa; s=*; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspG5C7Cb9NipLjFCOdlPWqMybUqqAqnbbts4txUgFJ6XyyDQ58FKNKQmgKP7+/UHaYdPEEyrVJ34SUhg5gx+UWljm/ERROmPA7yDjzX2XZQDhaX1Rl+yZpLc9t1VrAhNHvvmdwiD0KZ3pJXVDYrYZp5NerINpq460Ra4GxUcmIeun" "Vy2eAlfVk2LA7keNlf4UU+Sw3z66A0Yr+JgAf3/YRTDgPFM5vHYL3IHmiz9+ZH+GnGG+xTjm24k0SOr1mqtjkwORNtYg1aub5JmTtc7GaqH6w6cyBVmUylFx3TWL8MlqlxBKkrlQnPG/O7Z1kgUzoS8zx447p0/N1JyyS24rwIDAQAB"

Authority section:

Additional section:

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Kent
Sent: Wednesday, 13 December 2017 08:40
To: Postfix users
Cc: Anvar Kuchkartaev
Subject: Re: DKIM signing for wildcard sub domains

Hi Anvar,

> Yes and also it is recommended to setup different selector for each server
> and different key per server.

I'm not sure I fully understand what you are saying. So I should have created a separate 'default.private' for each server ? How would this work on my DNS server - would they have to have unique identifiers so that the TXT record on the mail server could be added for both servers as well ?

I don't want to create a separate DKIM for each sub domain - there are potentially 100's for all our clients. I want a DKIM for the top level 'school.kiwi' domain which is then used for each of the sub domains.

Is this possible ?

Kent.

> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:
>
> Yes and also it is recommended to setup different selector for each server
> and different key per server.
>
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
>
> Anvar Kuchkartaev
> an...@anvartay.com
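An added example, not part of the thread and not OpenDKIM code: a simplified Python model of how a SigningTable entry is selected, following the lookup rules in opendkim.conf(5), for both a `refile:` table and a plain file table. It is run against the SigningTable Kent posted, the `*@...` variants he mentions, and the layout suggested above with example.com replaced by school.kiwi; the function and constant names are made up for illustration.

```python
import re

def parse_table(text):
    """Return [(key, key_name)] from SigningTable text; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            rows.append((fields[0].lower(), fields[1]))
    return rows

def lookup_refile(rows, address):
    """refile: each key is a pattern ('*' = any run of characters) tested
    against the whole From: address, in file order; the first match wins."""
    for pattern, key_name in rows:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, address.lower()):
            return pattern, key_name
    return None

def flat_candidates(address):
    """Keys tried, in order, for a table that is not a refile."""
    user, host = address.lower().rsplit("@", 1)
    labels = host.split(".")
    parents = ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return ([f"{user}@{host}", host]
            + [f"{user}@{p}" for p in parents]
            + parents
            + [f"{user}@*", "*"])

def lookup_flat(rows, address):
    """Plain file: exact-key lookups only, no wildcard expansion."""
    table = dict(rows)
    for key in flat_candidates(address):
        if key in table:
            return key, table[key]
    return None

# Constructed inputs. POSTED is the SigningTable from the original post,
# EXPLICIT uses two of the variants Kent says he tried, SUGGESTED is the
# layout from the reply above with example.com replaced by school.kiwi.
POSTED = parse_table("""
*school.kiwi     default._dkim.school.kiwi
.school.kiwi     default._dkim.school.kiwi
""")
EXPLICIT = parse_table("""
*@school.kiwi    default._dkim.school.kiwi
*@*.school.kiwi  default._dkim.school.kiwi
""")
SUGGESTED = parse_table("""
school.kiwi      default._domainkey.school.kiwi
.school.kiwi     default._domainkey.school.kiwi
""")

if __name__ == "__main__":
    for sender in ("noreply@school.kiwi", "noreply@abc.school.kiwi",
                   "noreply@notschool.kiwi"):
        print(sender)
        print("  posted, refile   :", lookup_refile(POSTED, sender))
        print("  explicit, refile :", lookup_refile(EXPLICIT, sender))
        print("  suggested, file  :", lookup_flat(SUGGESTED, sender))
```

Under `refile:` the posted `*school.kiwi` pattern also matches `noreply@notschool.kiwi`, and the `.school.kiwi` line is only ever used by the plain-file lookup.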
Re: DKIM signing for wildcard sub domains
In your case you are using selector with the name default. If you use opendkim-genkey -s mx0 then it will generate key for mx0 selector (you must update dns records accordingly instead of default._domainkey.school.kiwi mx0._domainkey.school.kiwi and for mx1 generate with selector mx1 and dns record mx1._domainkey.school.kiwi)

If you want to create one key which will be copied across servers and applied for subdomains use --subdomains option to generate key for subdomains and in dns record use also s=*

Dns record in my case:

Question section:
mx1._domainkey.aegisnet.eu TXT

Answer section:
mx1._domainkey.aegisnet.eu. 21599 IN TXT "v=DKIM1; k=rsa; s=*; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspG5C7Cb9NipLjFCOdlPWqMybUqqAqnbbts4txUgFJ6XyyDQ58FKNKQmgKP7+/UHaYdPEEyrVJ34SUhg5gx+UWljm/ERROmPA7yDjzX2XZQDhaX1Rl+yZpLc9t1VrAhNHvvmdwiD0KZ3pJXVDYrYZp5NerINpq460Ra4GxUcmIeun" "Vy2eAlfVk2LA7keNlf4UU+Sw3z66A0Yr+JgAf3/YRTDgPFM5vHYL3IHmiz9+ZH+GnGG+xTjm24k0SOr1mqtjkwORNtYg1aub5JmTtc7GaqH6w6cyBVmUylFx3TWL8MlqlxBKkrlQnPG/O7Z1kgUzoS8zx447p0/N1JyyS24rwIDAQAB"

Authority section:

Additional section:

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Kent
Sent: Wednesday, 13 December 2017 08:40
To: Postfix users
Cc: Anvar Kuchkartaev
Subject: Re: DKIM signing for wildcard sub domains

Hi Anvar,

> Yes and also it is recommended to setup different selector for each server
> and different key per server.

I'm not sure I fully understand what you are saying. So I should have created a separate 'default.private' for each server ? How would this work on my DNS server - would they have to have unique identifiers so that the TXT record on the mail server could be added for both servers as well ?

I don't want to create a separate DKIM for each sub domain - there are potentially 100's for all our clients. I want a DKIM for the top level 'school.kiwi' domain which is then used for each of the sub domains.

Is this possible ?

Kent.

> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:
>
> Yes and also it is recommended to setup different selector for each server
> and different key per server.
>
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
>
> Anvar Kuchkartaev
> an...@anvartay.com
Re: DKIM signing for wildcard sub domains
Hi Anvar,

> Yes and also it is recommended to setup different selector for each server
> and different key per server.

I'm not sure I fully understand what you are saying. So I should have created a separate 'default.private' for each server ? How would this work on my DNS server - would they have to have unique identifiers so that the TXT record on the mail server could be added for both servers as well ?

I don't want to create a separate DKIM for each sub domain - there are potentially 100's for all our clients. I want a DKIM for the top level 'school.kiwi' domain which is then used for each of the sub domains.

Is this possible ?

Kent.

> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev wrote:
>
> Yes and also it is recommended to setup different selector for each server
> and different key per server.
>
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
>
> Anvar Kuchkartaev
> an...@anvartay.com
Re: DKIM signing for wildcard sub domains
So right now since it's set to only verify incoming mail signatures you are seeing the line "DKIM verification successful"

You should see the signing happening in the logs:

Dec 13 08:36:32 localhost opendkim[969]: ED6EDFB7: DKIM-Signature field added (s=default, d=feedmebits.nl)

On 2017-12-13 08:36, Maarten wrote:

> Check /etc/opendkim.conf. And the line that says Mode. You probably have it set like this:
>
> Mode v
>
> Change it to:
>
> Mode sv
>
> sign verify
>
> On 2017-12-13 08:32, Kent wrote:
>
>> Hi Maarten,
>>
>> Apologies - I missed this when I was copying my setup. I already have these lines in my /etc/postfix.main.cf file.
>>
>> When an e-mail comes in, I'm seeing these lines in the maillog:
>>
>> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: mail-lf0-f51.google.com [209.85.215.51] not internal
>> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
>> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification successful
>>
>> So I believe postfix is passing both incoming and outgoing mail via opendkim. It's just my setup isn't adding the 'DKIM' into the outgoing mail.
>>
>> Kent.
>>
>> On 13/12/2017, at 8:14 PM, Maarten wrote:
>>
>>> Think you are missing something like this in main.cf
>>>
>>> milter_protocol = 2
>>> smtpd_milters = inet:localhost:8891
>>> non_smtpd_milters = $smtpd_milters
>>> milter_default_action = accept
>>>
>>> http://www.postfix.org/postconf.5.html#smtpd_milters
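An added example, not part of the thread: a Python check over maillog text that classifies each queued message by whether opendkim logged `DKIM-Signature field added` for its queue ID, the line the message above says to look for. The sample log is constructed in the format of the lines quoted in this thread; its host name, queue IDs and addresses are placeholders.

```python
import re

# One syslog line: timestamp, host, program[pid], queue ID, message text.
LOG_LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s\S+\s(?P<prog>[\w/.-]+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]{6,}):\s(?P<msg>.*)$"
)

def dkim_status(log_text):
    """Return {queue_id: status} for every message the queue manager accepted."""
    events = {}
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        flags = events.setdefault(m["qid"], set())
        prog, msg = m["prog"], m["msg"]
        if prog == "postfix/qmgr" and msg.startswith("from="):
            flags.add("queued")
        elif prog == "opendkim" and msg.startswith("DKIM-Signature field added"):
            flags.add("signed")
        elif prog == "opendkim" and msg.startswith("DKIM verification"):
            flags.add("verified")
        elif prog == "opendkim":
            flags.add("seen")          # e.g. "not internal", "not authenticated"
    status = {}
    for qid, flags in events.items():
        if "queued" not in flags:
            continue
        if "signed" in flags:
            status[qid] = "signed"
        elif "verified" in flags:
            status[qid] = "verified-only"       # inbound mail, or Mode without 's'
        elif "seen" in flags:
            status[qid] = "filtered-unsigned"   # milter ran, no SigningTable match
        else:
            status[qid] = "no-opendkim-lines"   # milter never logged this message
    return status

def unsigned(log_text):
    """Queue IDs that went through the queue without a signature being added."""
    return sorted(q for q, s in dkim_status(log_text).items() if s != "signed")

# Constructed sample log (placeholder host, IDs and addresses).
SAMPLE = """\
Dec 13 08:14:43 mx01 postfix/qmgr[100]: AAAA0001: from=<a@abc.example.test>, size=100, nrcpt=1 (queue active)
Dec 13 08:14:43 mx01 opendkim[200]: AAAA0001: DKIM-Signature field added (s=default, d=example.test)
Dec 13 08:15:00 mx01 postfix/qmgr[100]: BBBB0002: from=<b@abc.example.test>, size=100, nrcpt=1 (queue active)
Dec 13 08:16:00 mx01 opendkim[200]: CCCC0003: not authenticated
Dec 13 08:16:00 mx01 opendkim[200]: CCCC0003: DKIM verification successful
Dec 13 08:16:01 mx01 postfix/qmgr[100]: CCCC0003: from=<c@remote.example.org>, size=100, nrcpt=1 (queue active)
Dec 13 08:16:02 mx01 postfix/qmgr[100]: CCCC0003: removed
"""

if __name__ == "__main__":
    for qid, state in dkim_status(SAMPLE).items():
        print(qid, state)
```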
Re: DKIM signing for wildcard sub domains
Check /etc/opendkim.conf. And the line that says Mode. You probably have it set like this:

Mode v

Change it to:

Mode sv

sign verify

On 2017-12-13 08:32, Kent wrote:

> Hi Maarten,
>
> Apologies - I missed this when I was copying my setup. I already have these lines in my /etc/postfix.main.cf file.
>
> When an e-mail comes in, I'm seeing these lines in the maillog:
>
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: mail-lf0-f51.google.com [209.85.215.51] not internal
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification successful
>
> So I believe postfix is passing both incoming and outgoing mail via opendkim. It's just my setup isn't adding the 'DKIM' into the outgoing mail.
>
> Kent.
>
> On 13/12/2017, at 8:14 PM, Maarten wrote:
>
>> Think you are missing something like this in main.cf
>>
>> milter_protocol = 2
>> smtpd_milters = inet:localhost:8891
>> non_smtpd_milters = $smtpd_milters
>> milter_default_action = accept
>>
>> http://www.postfix.org/postconf.5.html#smtpd_milters
Re: DKIM signing for wildcard sub domains
Hi Maarten,

Apologies - I missed this when I was copying my setup. I already have these lines in my /etc/postfix.main.cf file.

When an e-mail comes in, I'm seeing these lines in the maillog:

> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: mail-lf0-f51.google.com [209.85.215.51] not internal
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification successful

So I believe postfix is passing both incoming and outgoing mail via opendkim. It's just my setup isn't adding the 'DKIM' into the outgoing mail.

Kent.

> On 13/12/2017, at 8:14 PM, Maarten wrote:
>
> Think you are missing something like this in main.cf
>
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = $smtpd_milters
> milter_default_action = accept
>
> http://www.postfix.org/postconf.5.html#smtpd_milters
Re: DKIM signing for wildcard sub domains
dkim runs on 8891:

tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN 969/opendkim

This way it will sign the mails, that way you should see something like this:

Dec 13 08:14:43 localhost postfix/smtpd[21935]: connect from supernova.feedmebits.nl[46.105.136.80]
Dec 13 08:14:43 localhost postfix/smtpd[21935]: Anonymous TLS connection established from supernova.feedmebits.nl[46.105.136.80]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 13 08:14:43 localhost postfix/smtpd[21935]: A1346749: client=supernova.feedmebits.nl[46.105.136.80], sasl_method=CRAM-MD5, sasl_username=maarten
Dec 13 08:14:43 localhost postfix/cleanup[21938]: A1346749: hold: header Received: from a.mx.feedmebits.nl (supernova.feedmebits.nl [46.105.136.80])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(Client did not present a certificate)??by supernov from supernova.feedmebits.nl[46.105.136.80]; from=to= proto=ESMTP helo=
Dec 13 08:14:43 localhost postfix/cleanup[21938]: A1346749: message-id=
Dec 13 08:14:43 localhost opendkim[969]: A1346749: DKIM-Signature field added (s=default, d=feedmebits.nl)

On 2017-12-13 08:14, Maarten wrote:

> Think you are missing something like this in main.cf
>
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = $smtpd_milters
> milter_default_action = accept
>
> http://www.postfix.org/postconf.5.html#smtpd_milters
>
> On 2017-12-13 03:10, Kent wrote:
>
>> Hi All,
>>
>> I'm trying to get DKIM signing working on our postfix mail server.
>>
>> We have a wildcard domain *.school.kiwi. We are providing a mail service for our clients - who each have their own sub-domain eg. abc.school.kiwi or cde.school.kiwi
>>
>> I have two servers, both are identical setups running centOS and Postfix 2. One is named mx01.school.kiwi and the other is named mx02.school.kiwi
>> Note: When I created the 'default.private' - I did so on mx01 and copied it to mx02 so they are the same. I assume this is the correct approach ?
>>
>> I've followed the instructions per this page:
>> https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>>
>> opendkim: OpenDKIM Filter v2.11.0
>>
>> I've set up my KeyTable:
>>
>> default._dkim.school.kiwi school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private
>>
>> And my SigningTable:
>>
>> *school.kiwi default._dkim.school.kiwi
>> .school.kiwi default._dkim.school.kiwi
>>
>> This is the current setup. I've tried different variations including *@school.kiwi, *@*school.kiwi, *@.school.kiwi and *@*.school.kiwi
>>
>> My TrustedHosts:
>>
>> 127.0.0.1
>> ::1
>> school.kiwi
>> .school.kiwi
>>
>> And finally opendkim.conf itself with:
>>
>> # KeyFile /etc/opendkim/keys/default.private
>> KeyTable /etc/opendkim/KeyTable
>> SigningTable refile:/etc/opendkim/SigningTable
>> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
>> InternalHosts refile:/etc/opendkim/TrustedHosts
>>
>> This is what I see in the /var/lo/maillog when I send an e-mail to my gmail account.
>>
>> Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: message-id=<fndqjlkx4fdbrd6gt1eku...@school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, size=4645, nrcpt=1 (queue active)
>> Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>> Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: to=<abcdefghi...@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 1513130134 33si417943ply.308 - gsmtp)
>> Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
>> Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender delivery status notification: 8A3D22084427
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>, size=2632, nrcpt=1 (queue active)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
>> Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: to=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, relay=schoolkiwi, delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via schoolkiwi service)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed
>>
>> When I view a received e-mail, I can see the following line in the message headers.
>>
>> DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426
>>
>> But not DKIM signature itself. I've obviously something, but not sure what to look at next.
>>
>> Any assistance appreciated to get this working with emails from
Re: DKIM signing for wildcard sub domains
Yes and also it is recommended to setup different selector for each server and different key per server.

You can test DKIM signature using this website:
http://dkimvalidator.com/

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: Maarten
Sent: Wednesday, 13 December 2017 08:14
To: Postfix users; owner-postfix-us...@postfix.org
Subject: Re: DKIM signing for wildcard sub domains

Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters

On 2017-12-13 03:10, Kent wrote:

> Hi All,
>
> I'm trying to get DKIM signing working on our postfix mail server.
>
> We have a wildcard domain *.school.kiwi. We are providing a mail service for our clients - who each have their own sub-domain eg. abc.school.kiwi or cde.school.kiwi
>
> I have two servers, both are identical setups running centOS and Postfix 2. One is named mx01.school.kiwi and the other is named mx02.school.kiwi
> Note: When I created the 'default.private' - I did so on mx01 and copied it to mx02 so they are the same. I assume this is the correct approach ?
>
> I've followed the instructions per this page:
> https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>
>> opendkim: OpenDKIM Filter v2.11.0
>
> I've set up my KeyTable:
>
>> default._dkim.school.kiwi school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private
>
> And my SigningTable:
>
>> *school.kiwi default._dkim.school.kiwi
>> .school.kiwi default._dkim.school.kiwi
>
> This is the current setup. I've tried different variations including *@school.kiwi, *@*school.kiwi, *@.school.kiwi and *@*.school.kiwi
>
> My TrustedHosts:
>
>> 127.0.0.1
>> ::1
>> school.kiwi
>> .school.kiwi
>
> And finally opendkim.conf itself with:
>
>> # KeyFile /etc/opendkim/keys/default.private
>> KeyTable /etc/opendkim/KeyTable
>> SigningTable refile:/etc/opendkim/SigningTable
>> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
>> InternalHosts refile:/etc/opendkim/TrustedHosts
>
> This is what I see in the /var/lo/maillog when I send an e-mail to my gmail account.
>
>> Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: message-id=<fndqjlkx4fdbrd6gt1eku...@school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, size=4645, nrcpt=1 (queue active)
>> Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>> Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: to=<abcdefghi...@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 1513130134 33si417943ply.308 - gsmtp)
>> Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
>> Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender delivery status notification: 8A3D22084427
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>, size=2632, nrcpt=1 (queue active)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
>> Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: to=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, relay=schoolkiwi, delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via schoolkiwi service)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed
>
> When I view a received e-mail, I can see the following line in the message headers.
>
>> DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426
>
> But not DKIM signature itself. I've obviously something, but not sure what to look at next.
>
> Any assistance appreciated to get this working with emails from n...@anysubdomain.school.kiwi
>
> thanks
>
> Kent.
Re: DKIM signing for wildcard sub domains
Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters

On 2017-12-13 03:10, Kent wrote:

> Hi All,
>
> I'm trying to get DKIM signing working on our postfix mail server.
>
> We have a wildcard domain *.school.kiwi. We are providing a mail service for our clients - who each have their own sub-domain eg. abc.school.kiwi or cde.school.kiwi
>
> I have two servers, both are identical setups running centOS and Postfix 2. One is named mx01.school.kiwi and the other is named mx02.school.kiwi
> Note: When I created the 'default.private' - I did so on mx01 and copied it to mx02 so they are the same. I assume this is the correct approach ?
>
> I've followed the instructions per this page:
> https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>
> opendkim: OpenDKIM Filter v2.11.0
>
> I've set up my KeyTable:
>
> default._dkim.school.kiwi school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private
>
> And my SigningTable:
>
> *school.kiwi default._dkim.school.kiwi
> .school.kiwi default._dkim.school.kiwi
>
> This is the current setup. I've tried different variations including *@school.kiwi, *@*school.kiwi, *@.school.kiwi and *@*.school.kiwi
>
> My TrustedHosts:
>
> 127.0.0.1
> ::1
> school.kiwi
> .school.kiwi
>
> And finally opendkim.conf itself with:
>
> # KeyFile /etc/opendkim/keys/default.private
> KeyTable /etc/opendkim/KeyTable
> SigningTable refile:/etc/opendkim/SigningTable
> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
> InternalHosts refile:/etc/opendkim/TrustedHosts
>
> This is what I see in the /var/lo/maillog when I send an e-mail to my gmail account.
>
> Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>
> Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: message-id=<fndqjlkx4fdbrd6gt1eku...@school.kiwi>
> Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, size=4645, nrcpt=1 (queue active)
> Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: to=<abcdefghi...@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 1513130134 33si417943ply.308 - gsmtp)
> Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
> Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender delivery status notification: 8A3D22084427
> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>, size=2632, nrcpt=1 (queue active)
> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
> Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: to=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, relay=schoolkiwi, delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via schoolkiwi service)
> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed
>
> When I view a received e-mail, I can see the following line in the message headers.
>
> DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426
>
> But not DKIM signature itself. I've obviously something, but not sure what to look at next.
>
> Any assistance appreciated to get this working with emails from n...@anysubdomain.school.kiwi
>
> thanks
>
> Kent.