How to Configure DKIM | Multiple Domains

jamerson
Posts: 163
Joined: 19 Aug 2017 18:57
Location: kaaskop

How to Configure DKIM | Multiple Domains

Post by jamerson »

Dear all,
Hereby I will explain how to get your EFA configured to check the DKIM signature of outgoing/incoming emails.
Let's assume your domain is efa.org.
Make a folder on the opendkim:

Code:

mkdir -p /etc/opendkim/keys/efa.org/

Browse to:

Code:

cd /etc/opendkim/keys/efa.org/

Run the below to generate the private and txt key:

Code:

opendkim-genkey -s efa

Open the below with nano or vi:

Code:

/etc/opendkim.conf

First line to check:
Mode sv
If it is just v, change it to sv.

Then look for the word Socket inet=; if it does exist, then it looks good.
Now move to:

Code:

SendReports     yes
ReportAddress "efa.org Postmaster <postmaster@efa.org>"
SoftwareHeader  yes
Canonicalization        relaxed/simple

Find the:

Code:

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

Save the file now.

Next, edit /etc/opendkim/KeyTable.

So open the file /etc/opendkim/KeyTable with nano or vi.
Add this line to the end:

Code:

efa._domainkey.efa.org efa.org:efa:/etc/opendkim/keys/efa.org/efa.private

Save the file.

Now edit /etc/opendkim/SigningTable.

Again, open the file /etc/opendkim/SigningTable with nano or vi.

Add this at the end of the file:

Code:

*@efa.org efa._domainkey.efa.org

Save the file, we are almost done :)

Edit /etc/opendkim/TrustedHosts.
So open the file /etc/opendkim/TrustedHosts with vi or nano
and add this to the end:

Code:

mail.efa.org
192.168.4.5/32

mail.efa.org is your MX record.
192.168.4.5/32 is your Exchange IP.

Edit /etc/postfix/main.cf.

Again, open the file /etc/postfix/main.cf with nano or vi.
Go to the very end of the file:

Code:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Save the file.

Now start opendkim:

Code:

service opendkim start

Reload Postfix:

Code:

service postfix reload

In your public DNS, it is important to add this DMARC record:
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org

The tutorial is finished.
If you have any questions, let me know.
Last edited by jamerson on 18 Dec 2018 00:14, edited 1 time in total.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
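
A check for the opendkim.conf and main.cf settings from the tutorial above, as an added example that is not part of the original post or of eFa itself. The function name `check_milter_wiring`, the `Socket inet:8891@localhost` value and the sample files are assumptions constructed for illustration.

```shell
# Added example: check that Postfix talks to the port OpenDKIM listens on
# and that OpenDKIM is set to both sign and verify (Mode sv).
# Assumes one uncommented Mode, Socket and smtpd_milters line per file.
check_milter_wiring() {   # usage: check_milter_wiring OPENDKIM_CONF MAIN_CF
    rc=0
    mode=$(awk '$1 == "Mode" { print $2; exit }' "$1")
    sock=$(awk '$1 == "Socket" { print $2; exit }' "$1")
    milters=$(awk -F= '$1 ~ /^smtpd_milters[ \t]*$/ { print $2; exit }' "$2")

    case $mode in
        *s*v*|*v*s*) ;;
        *) echo "opendkim.conf: Mode is '${mode:-unset}', expected sv"; rc=1 ;;
    esac

    case $sock in
        inet:*) port=${sock#inet:}; port=${port%%@*} ;;   # inet:8891@localhost
        *) echo "opendkim.conf: Socket '$sock' is not an inet socket"; return 1 ;;
    esac

    found=no
    for m in $(printf '%s' "$milters" | tr ',' ' '); do
        case $m in inet:*:"$port") found=yes ;; esac
    done
    [ "$found" = yes ] || { echo "main.cf: no smtpd_milters entry on port $port"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the settings in the tutorial.
tmp=$(mktemp -d)
cat > "$tmp/opendkim.conf" <<'EOF'
#Mode v
Mode sv
Socket inet:8891@localhost
EOF
cat > "$tmp/main.cf" <<'EOF'
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
EOF
check_milter_wiring "$tmp/opendkim.conf" "$tmp/main.cf" && echo "milter wiring OK"
rm -rf "$tmp"
```

With `milter_default_action = accept`, Postfix keeps delivering mail when it cannot reach the milter, so a port mismatch shows up only as outgoing mail without a DKIM-Signature header.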
bvess
Posts: 4
Joined: 12 Nov 2018 07:31

Re: How to Configure DKIM | Multiple Domains

Post by bvess »

At the end of your tutorial you stated to add the below to your DNS. Is this just a text record like for spf? What would the hostname be? The efa hostname or the sending domain?

in your public DNS important add this DMARC
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org
jamerson
Posts: 163
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How to Configure DKIM | Multiple Domains

Post by jamerson »

bvess wrote: 13 Nov 2018 23:31 At the end of your tutorial you stated to add the below to your DNS. Is this just a text record like for spf? What would the hostname be? The efa hostname or the sending domain?

in your public DNS important add this DMARC
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org
It's just your postmaster domain; you will get the daily reports.
ZimboKraut
Posts: 10
Joined: 19 Jun 2015 16:17

Re: How to Configure DKIM | Multiple Domains

Post by ZimboKraut »

While this thread is already quite old, and in general, the information is very good.
I am just missing a few details:
Maybe it's just me being a little difficult.

It is specifically stated that it is for multiple domains.
Could someone (just to put my mind at ease ;-) )
possibly highlight where the entries for multiple domains need to be made?
I do believe I know and understand, but just would like to be certain.
For instance, in the /etc/opendkim.conf:

Code:

SendReports     yes
ReportAddress "domain1.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain2.net Postmaster <postmaster@domain2.net>"
ReportAddress "domain3.net Postmaster <postmaster@domain3.net>"
SoftwareHeader  yes
Canonicalization        relaxed/simple

Then for the file:
KeyTable /etc/opendkim/KeyTable

Code:

domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain2._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
domain3._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private

/etc/opendkim/SigningTable

Code:

*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain3._domainkey.domain3.net

/etc/opendkim/TrustedHosts

Code:

mx01.mydomain.net # 1st mail exchanger (MX-Record)
mx02.mydomain.net # 2nd mail exchanger (MX-Record)
192.168.4.5/32 # Mailhost/Exchange Server

Can someone confirm/correct this?

Thank you
pdwalker
Posts: 1466
Joined: 18 Mar 2015 09:16

Re: How to Configure DKIM | Multiple Domains

Post by pdwalker »

for "ReportAddress" in /etc/opendkim.conf, only use 1 email address.

your /etc/opendkim/KeyTable is correct.

your /etc/opendkim/SigningTable is correct.

your /etc/opendkim/TrustedHosts looks correct.

My own multidomain configuration matches yours and it works for me.

Did you test your dkim from the 3 domains individually?

Hope that helps.
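
With dozens of domains, the cross-references between SigningTable and KeyTable discussed in this thread are easy to get wrong, and with a DMARC policy of p=reject a domain signed with another domain's key can have its mail rejected. The following added example (not from any post in this thread and not eFa's own tooling) checks both; `check_dkim_tables` and `make_sample_tables` are hypothetical names and the sample tables are constructed.

```shell
# Added example: cross-check an OpenDKIM KeyTable against its SigningTable.
# Prints one line per problem; returns 0 only when none is found.
check_dkim_tables() {   # usage: check_dkim_tables KEYTABLE SIGNINGTABLE
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    FILENAME == ARGV[1] {                   # KeyTable: name domain:selector:keyfile
        if (split($2, v, ":") != 3) {
            print "KeyTable: malformed value for " $1; bad++; next
        }
        keydom[$1] = v[1]; next
    }
    {                                       # SigningTable: pattern name
        if (!($2 in keydom)) {
            print "SigningTable: " $1 " -> " $2 " has no KeyTable entry"
            bad++; next
        }
        dom = $1; sub(/^.*@/, "", dom); sub(/^\*\./, "", dom)
        d = keydom[$2]; tail = "." d
        # Rough stand-in for relaxed DMARC alignment: the sender domain
        # equals the signing domain (d=) or is a subdomain of it.
        if (dom != d && substr(dom, length(dom) - length(tail) + 1) != tail) {
            print "SigningTable: " $1 " is signed with d=" d " (not aligned)"
            bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1" "$2"
}

# Constructed sample tables: domain2 has a copy-paste error in its key name,
# domain3 is signed with the key of another domain.
make_sample_tables() {  # usage: make_sample_tables DIR
    cat > "$1/KeyTable" <<'EOF'
domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain1._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
domain3._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private
EOF
    cat > "$1/SigningTable" <<'EOF'
*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain1._domainkey.domain1.net
EOF
}

tmp=$(mktemp -d)
make_sample_tables "$tmp"
check_dkim_tables "$tmp/KeyTable" "$tmp/SigningTable"
echo "exit status: $?"
rm -rf "$tmp"
```

On a live system the call would be `check_dkim_tables /etc/opendkim/KeyTable /etc/opendkim/SigningTable`, run before restarting opendkim.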
ZimboKraut
Posts: 10
Joined: 19 Jun 2015 16:17

Re: How to Configure DKIM | Multiple Domains

Post by ZimboKraut »

Thank you very much for confirming.
I will test it out now.
The challenge is that I have more than 60 active domains running.
Anyone have experience with running DKIM on two mail exchangers?

Should I create a separate DKIM record for each MTA (EFA instance :-) ) or can the same keypair be used (yes, I am aware that it wouldn't be good practice ;-) )

Thank you