Configure DKIM and DMARC for Multidomain

ZimboKraut
Posts: 15
Joined: 19 Jun 2015 16:17

Configure DKIM and DMARC for Multidomain

Post by ZimboKraut »

Updated: 25/08/2022

While a lot of this has been written already, I would like to present this as a little How-To for DKIM in a multidomain environment:

There are a few bits that need to be looked out for.
For one, ownership:

Make sure that all files and folders under /etc/opendkim/ have the ownership:

opendkim:opendkim

If you have (like myself) many (email) domains in use, here is a way to create the keys reasonably quickly:
First of all, create a text file with all the domains (mine is /etc/opendkim/domains.txt).

Once you have all the domains in the file, run the following:

Code:

# while IFS= read -r name; do mkdir -- "/etc/opendkim/keys/$name"; done </etc/opendkim/domains.txt

This will create a subdirectory for each domain.

Next, create the keys:
As this manual is meant for a large number of (email) domains, I have a little script (which I would like to call DKIM-KeyCreat.sh).
While the default key length is still 1024 bits, the script will create a 2048-bit key.
The switches do the following:

-b 2048 - create a 2048-bit key
-d - specifies the domain.tld (this comes from the text file containing your domains, line by line)
-D - specifies the directory where the key pair is written to
-s - specifies the selector

Beware:
At the end, I will describe what to look out for in the txt file of a 2048-bit key.

Code:

#!/usr/bin/bash
# Usage: DKIM-KeyCreat.sh /path/to/domainlist [selector suffix]
# Creates a 2048-bit key pair per domain; the selector is domain + suffix.
filename="$1"
while IFS= read -r name; do
    [ -n "$name" ] || continue          # skip blank lines
    selector="$name$2"
    mkdir -p -- "/etc/opendkim/keys/$name"
    opendkim-genkey -b 2048 -d "$name" -D "/etc/opendkim/keys/$name" -s "$selector"
    chown -R opendkim:opendkim "/etc/opendkim/keys/$name"   # ownership, see above
    ls -l "/etc/opendkim/keys/$name"
done < "$filename"
It took me a while to get my head around the selector.
Like for so many, initially it seemed like an obsolete nuisance, but once you get your head around DKIM, you come to realise that it is actually quite important and very useful, particularly when you have multiple services sending out emails for you.
You need to have a separate key for each service and place this in DNS as a TXT record.

In order to identify each key the selector is necessary. The selector is an arbitrary name.

When you look at the script, you will see that the selector variable is made up of the domain name (from the file you provide) and a "selector suffix", which I suggest to be a computer-sortable date as in YYYYmmdd.
This will provide a unique name such as domain.tld20220825.

This script should be run as follows:

Code:

./DKIM-KeyCreat.sh /etc/opendkim/keys/domains.txt [selector suffix]
To list the keys that have been created, you can run the following:

Code:

# while IFS= read -r name; do cat "/etc/opendkim/keys/$name/$name"*[selector suffix]*.txt ; done </etc/opendkim/keys/domains.txt
Now that you have all the keys created, you need to do the configuration:

Specifically for a large number of domains, here are a few basic scripts to make life a little easier:

This is the content for the /etc/opendkim.conf file

Code:

SendReports     yes
ReportAddress "domain1.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain2.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain3.net Postmaster <postmaster@domain1.net>"
SoftwareHeader  yes
Canonicalization        relaxed/simple
Here is a little script to make it easier to fill the file and put it in the right format:

Code:

#!/usr/bin/bash
# Usage: DkimConf-create.sh /path/to/domainlist
# Prints one ReportAddress line per domain, to be appended to /etc/opendkim.conf.
filename="$1"
while IFS= read -r name; do
    [ -n "$name" ] || continue
    echo "ReportAddress \"$name Postmaster <postmaster@yourmaindomain.com>\""
done < "$filename"

Usage:

Code:

# DkimConf-create.sh /path/to/domainlist >> /etc/opendkim.conf
Then for the KeyTable
/etc/opendkim/KeyTable

Code:

domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain2._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
domain3._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private
Here is the "filling" script for large volumes of domains:

Code:

#!/usr/bin/bash
# Usage: KeyTable-create.sh /path/to/domainlist [selector suffix]
# Prints one KeyTable line per domain; the selector is domain + suffix,
# matching what DKIM-KeyCreat.sh used when generating the keys.
filename="$1"
while IFS= read -r name; do
    [ -n "$name" ] || continue
    selector="$name$2"
    echo "$selector._domainkey.$name $name:$selector:/etc/opendkim/keys/$name/$selector.private"
done < "$filename"
The usage is:

Code:

# KeyTable-create.sh /path/to/domainlist [selector suffix] >> /etc/opendkim/KeyTable
/etc/opendkim/SigningTable

In the following box is how it is described in several places, which I found not to be working and to give lots of errors in the logs:

*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain3._domainkey.domain3.net


After several trials and errors, the correct (and working) way in eFa should be ("*@" needs to be removed):

Code:

domain1.net domain1._domainkey.domain1.net
domain2.net domain2._domainkey.domain2.net
domain3.net domain3._domainkey.domain3.net
Here is the script to fill the SigningTable file:

Code:

#!/usr/bin/bash
# Usage: SigningTable-create.sh /path/to/domainlist [selector suffix]
# Prints one SigningTable line per domain (no "*@" prefix, see above).
filename="$1"
while IFS= read -r name; do
    [ -n "$name" ] || continue
    selector="$name$2"
    echo "$name $selector._domainkey.$name"
done < "$filename"
To be used as follows:

Code:

# SigningTable-create.sh /path/to/domainlist [selector suffix] >> /etc/opendkim/SigningTable

/etc/opendkim/TrustedHosts

Code:

mx01.mydomain.net  # 1st mail exchanger (MX-Record)
mx02.mydomain.net  # 2nd mail exchanger (MX-Record)
192.168.4.5/32     # Mailhost/Exchange Server
Finally:
You need to create the DNS records for all the domains. As most registrars use web interfaces, here are a few tips:

Code:

Record type: TXT
Hostname: selector._domainkey
Value: "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzAzvlGEEl5XLGNwHd/3d8f40+rkqvWVqq82iJFGyFcwXuP90hyyeOhvhZYOtktyrnNWqBEoClp0/0NZyZhxr80kIMLvWawhWtnPllIVOyPMsJ/HZFinWoBGNjW2dXykv7UKsLaGmDcm18kl+HEcMIncnYGCkEIX6KQDlO8A+pqnfSMZxUP4D9lqUhIPPcl1drGb88boT3rOkOzBRMzembN1qsaXI835PfRb4icDZOxE6c9s3qhWnEmci+qumc69VM02dqsXkDgswYyyn0dWyc1A0GRv9+qMdla3KJw28O7gvWFM7l/Yi/OSJ+tntDD2PhdROwMc368GHwqWT+fFhwIDAQAB"
Caveat:
When creating a 2048-bit key, the content of the generated txt file cannot just be copied 1:1.
The content of the file looks like this:

Code:

# cat /etc/opendkim/keys/domain1.tld/domain1.tld20220825.txt
domain1.tld20220825._domainkey  IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzAzvlGEEl5XLGNwHd/3d8f40+rkqvWVqq82iJFGyFcwXuP90hyyeOhvhZYOtktyrnNWqBEoClp0/0NZyZhxr80kIMLvWawhWtnPllIVOyPMsJ/HZFinWoBGNjW2dXykv7UKsLaGmDcm18k/l+HEcMIncnYGCkEIX6KQDlO8A+pqnfSMZxUP4D9lqUhIPPcl1drGb88boT3rOkO"
          "zBRMzembN1qsaXI835PfRb4icDZOxE6c9s3qhWnEmci+qumc69VM02dqsXkDgswYyyn0dWyc1A0GRv9+qMdla3KJw28O7gvWFM7l/Yi/OSJ+tntDD2PhdROwMc368GHwqWT+fFhwIDAQAB" )  ; ----- DKIM key domain1.tld20220825 for domain1.tld

Several sites tell you to "break up" the key, or to enter it "broken up" in DNS. With the registrar that I used (namecheap), you don't!
Quite the opposite:
Breaking up the key will cause DKIM to break.

So when you enter it, make sure you enter it the way it is shown above, not the way it appears in the file.

So when you check your DKIM record, you need to enter your domain.tld and the domain.tld[selector suffix] as selector.
You can check your DKIM record for instance at:
https://mxtoolbox.com/SuperTool.aspx?action=dkim

And finally:
Once you have successfully created the DKIM record, you should also create a DMARC record as this goes hand in hand.

The DMARC record too is a TXT record:

Code:

Record type: TXT
Hostname: _dmarc
Value: v=DMARC1;p=quarantine;sp=quarantine;pct=100;rua=mailto:dmarcreports@domain1.tld;ruf=mailto:dmarc.ruf@domain1.tld
Note: These records are just sample configurations. You can take them as is (besides the public key of course :D ), and it is advisable to look further into it. This is just supposed to help you get going.

I tried to make this as comprehensive as possible, so that also those with less experience can master the task in a reasonable time.
Please also ensure that you enable DKIM and DMARC in eFa-configure.

Any suggestions for improvements, error corrections, etc. are always welcome.
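Added here as an example; it is not part of ZimboKraut's post, nor of eFa or OpenDKIM. The helpers below cover the two places the How-To flags as traps: the ownership note at the top (everything under /etc/opendkim owned by opendkim:opendkim, private keys readable by nobody else) and the 2048-bit caveat at the end (the parenthesised, split-string record that opendkim-genkey writes to <selector>.txt has to become one unbroken value for a registrar form that splits long TXT data itself). The sample record, its placeholder key material, the file name dkim-checks.sh and all function names are constructed for this example; GNU find is assumed for `-perm /077`, and dig for the optional live comparison.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the eFa project). Helpers for
# the two places where the How-To above says people trip up:
#   - turning the split, parenthesised opendkim-genkey .txt record into the
#     single string a registrar web form wants (the 2048-bit caveat);
#   - checking that /etc/opendkim/keys is owned by opendkim:opendkim and that
#     the .private files are not readable by anyone else.
# Assumes GNU find (-perm /077) and, for the optional live check, dig.
set -u

# Constructed placeholders standing in for the two halves of a p= value as
# opendkim-genkey splits them (a real 2048-bit key is ~392 base64 chars).
SAMPLE_P_CHUNK1='p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SAMPLE_P_CHUNK2='yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyIDAQAB'

# Write a constructed copy of <selector>.txt in the layout opendkim-genkey uses:
# the record is wrapped in ( ) and split into several quoted strings.
write_sample_genkey_txt() {
    printf '%s\n' \
        'domain1.tld20220825._domainkey  IN      TXT     ( "v=DKIM1; k=rsa; "' \
        "          \"$SAMPLE_P_CHUNK1\"" \
        "          \"$SAMPLE_P_CHUNK2\" )  ; ----- DKIM key domain1.tld20220825 for domain1.tld" \
        > "$1"
}

# Join the record into one line: keep only what is inside ( ... ), glue the
# quoted strings together, drop the quotes. The result is the value to paste
# into a registrar form that splits long TXT data itself.
dkim_txt_value() {
    tr -d '\n' < "$1" \
        | sed -e 's/^[^(]*(//' -e 's/)[^)]*$//' \
        | sed -e 's/"[[:space:]]*"//g' -e 's/"//g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Length of the assembled value. One TXT string holds at most 255 octets, so a
# 2048-bit record must be stored as several strings on the wire; verifiers
# concatenate them again. Whether you or your DNS provider does the splitting
# is what the caveat in the post is about.
dkim_txt_length() {
    local v
    v=$(dkim_txt_value "$1")
    printf '%s\n' "${#v}"
}

# check_key_perms DIR OWNER[:GROUP]
# Lists anything under DIR not owned by OWNER:GROUP, and any .private key that
# group or others can read. Returns 1 if something was found, 0 if clean.
check_key_perms() {
    local dir="$1" spec="$2" owner group bad_owner open_keys rc=0
    owner=${spec%%:*}
    group=${spec#*:}
    bad_owner=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \))
    if [ -n "$bad_owner" ]; then
        printf 'not owned by %s:%s:\n%s\n' "$owner" "$group" "$bad_owner"
        rc=1
    fi
    open_keys=$(find "$dir" -name '*.private' -perm /077)   # GNU find syntax
    if [ -n "$open_keys" ]; then
        printf 'private keys readable by group/other (want mode 600):\n%s\n' "$open_keys"
        rc=1
    fi
    return "$rc"
}

# dkim_dns_check DOMAIN SELECTOR GENKEY_TXT_FILE
# Compare what DNS serves with the local file (the check the post does on
# mxtoolbox). Quotes and whitespace are removed on both sides, so the 255-octet
# split does not affect the comparison. Needs dig and network access; not part
# of the offline demo.
dkim_dns_check() {
    local live want
    live=$(dig +short TXT "$2._domainkey.$1" | tr -d '" \n')
    want=$(dkim_txt_value "$3" | tr -d ' ')
    [ -n "$live" ] && [ "$live" = "$want" ]
}

# bash dkim-checks.sh demo  -> runs the helpers on the constructed sample.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    write_sample_genkey_txt "$tmp"
    dkim_txt_value "$tmp"
    printf 'length: %s\n' "$(dkim_txt_length "$tmp")"
    rm -f "$tmp"
fi
```

Run `bash dkim-checks.sh demo` to see the joined value and its length for the constructed sample; a real 2048-bit record comes out at about 410 characters, well above the 255-octet limit of a single TXT string, which is why the wire format always carries it as several strings and why a provider whose form does that split itself wants the unbroken value rather than the pre-quoted pieces from the file. `check_key_perms /etc/opendkim/keys opendkim:opendkim` is the audit for the ownership rule at the top of the post. For a live check that also exercises the private key, OpenDKIM ships opendkim-testkey (`opendkim-testkey -d domain1.tld -s domain1.tld20220825 -vvv`).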