While a lot of this has been written already, I would like to present this as a little How-To for DKIM in a multi-domain environment.
There are a few bits that need to be looked out for.
For one, ownership:
Make sure that all files and folders under /etc/opendkim/ have the ownership
opendkim:opendkim
If you have (like myself) many (email) domains in use, here is a way to create the keys reasonably quickly:
First of all, create a text file with all the domains, one per line (mine is /etc/opendkim/domains.txt).
Once you have all the domains in the file, run the following to create one key directory per domain:
Code:
# while IFS= read -r name; do mkdir -p -- "/etc/opendkim/keys/$name"; done </etc/opendkim/domains.txt
Next, create the keys:
As this manual is meant for a large number of (email) domains, I have a little script (which I would like to call DKIM-KeyCreat.sh).
While the default key length is still 1024 bits, the script will create a 2048-bit key.
The switches do the following:
-b 2048 - create a 2048-bit key
-d - specifies the domain.tld (this comes from the text file containing your domains line by line)
-D - specifies the directory the key pair is written to
-s - specifies the selector
Beware:
At the end, I will describe what to look out for in the .txt file of a 2048-bit key.
Code:
#!/usr/bin/bash
# Usage: DKIM-KeyCreat.sh /path/to/domainlist [selector suffix]
filename="$1"
while IFS= read -r line; do
  name="$line"
  # selector = domain name + suffix, e.g. domain.tld20220825
  selector="$name$2"
  opendkim-genkey -b 2048 -d "$name" -D "/etc/opendkim/keys/$name" -s "$selector"
  ls -l "/etc/opendkim/keys/$name"
done < "$filename"
Like for so many, initially it seemed like an obsolete nuisance, but once you get your head around DKIM, you come to realise that it is actually quite important and very useful, particularly when you have multiple services sending out emails for you.
You need to have a separate key for each service and place it in DNS as a TXT record.
In order to identify each key, the selector is necessary. The selector is an arbitrary name.
When you look at the script, you will see that the selector variable is made up of the domain name (from the file you provide) and a "selector suffix", which I suggest should be a computer-sortable date in the form YYYYmmdd.
This will provide a unique name such as domain.tld20220825.
This script should be run as follows:
Code:
./DKIM-KeyCreat.sh /etc/opendkim/keys/domains.txt [selector suffix]
To display the generated DNS TXT records for all domains:
Code:
# while IFS= read -r name; do cat /etc/opendkim/keys/$name/$name*[selector suffix]*.txt ; done </etc/opendkim/keys/domains.txt
Specifically for the creation of a large number of domains, here are a few basic scripts to make life a little easier:
This is the relevant content of the /etc/opendkim.conf file:
Code:
SendReports yes
ReportAddress "domain1.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain2.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain3.net Postmaster <postmaster@domain1.net>"
SoftwareHeader yes
Canonicalization relaxed/simple
Code:
#!/usr/bin/bash
# Usage: DkimConf-create.sh /path/to/domainlist
filename="$1"
while IFS= read -r line; do
  name="$line"
  echo "ReportAddress \"$name Postmaster <postmaster@yourmaindomain.com>\""
done < "$filename"
Code:
# DkimConf-create.sh /path/to/domainlist >> /etc/opendkim.conf
/etc/opendkim/KeyTable
Code:
domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain2._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
domain3._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private
Code:
#!/usr/bin/bash
# Usage: KeyTable-create.sh /path/to/domainlist [selector suffix]
filename="$1"
while IFS= read -r line; do
  name="$line"
  selector="$name$2"
  echo "$selector._domainkey.$name $name:$selector:/etc/opendkim/keys/$name/$selector.private"
done < "$filename"
Code:
# KeyTable-create.sh /path/to/domainlist [selector suffix] >> /etc/opendkim/KeyTable
In the following box is how it is described in several places, which I found not to be working and giving lots of errors in the logs:
Code:
*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain3._domainkey.domain3.net
After some trial and error, the correct (and working) way in eFa should be ("*@" needs to be removed):
Code:
domain1.net domain1._domainkey.domain1.net
domain2.net domain2._domainkey.domain2.net
domain3.net domain3._domainkey.domain3.net
Code:
#!/usr/bin/bash
# Usage: SigningTable-create.sh /path/to/domainlist [selector suffix]
filename="$1"
while IFS= read -r line; do
  name="$line"
  selector="$name$2"
  echo "$name $selector._domainkey.$name"
done < "$filename"
Code:
# SigningTable-create.sh /path/to/domainlist [selector suffix] >> /etc/opendkim/SigningTable
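The three generator scripts above all read the same domain list but are run separately, so a typo or a stray blank line in the list can put a broken entry into one table and not the others. The script below is an added example (mine, not part of the original post or of eFa) that builds the KeyTable, SigningTable and ReportAddress lines in one pass and rejects lines that are not plain hostnames. It assumes the layout used in this post (keys under /etc/opendkim/keys/<domain>/<selector>.private, selector = domain + suffix); POSTMASTER_DOMAIN is a placeholder. One caveat on the SigningTable format: the "*@domain" wildcard form is the syntax for a table declared with the refile: prefix in opendkim.conf; with a plain file dataset the bare-domain key is what matches, which agrees with what worked in eFa.

```shell
#!/bin/sh
# Added example, not a script from the original post: build the KeyTable,
# SigningTable and ReportAddress lines from ONE domain list in one pass, so the
# three files cannot drift apart. Assumes the layout used in the post:
# keys in /etc/opendkim/keys/<domain>/<selector>.private, selector = <domain><suffix>.
# POSTMASTER_DOMAIN is a placeholder; replace it with your own main domain.
KEYDIR=/etc/opendkim/keys
POSTMASTER_DOMAIN=yourmaindomain.example

# A domain line is accepted only if it is a plain hostname: letters, digits,
# dots and hyphens, not starting or ending with a dot, no empty labels.
# Anything else (blank, comment, stray spaces) would otherwise become a broken
# table entry that OpenDKIM only complains about at signing time.
valid_domain() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
  esac
  return 0
}

# selector_for DOMAIN SUFFIX -> <domain><suffix>, as in the post's scripts
selector_for() { printf '%s%s\n' "$1" "$2"; }

# keytable_line DOMAIN SUFFIX
keytable_line() {
  sel=$(selector_for "$1" "$2")
  printf '%s._domainkey.%s %s:%s:%s/%s/%s.private\n' \
    "$sel" "$1" "$1" "$sel" "$KEYDIR" "$1" "$sel"
}

# signingtable_line DOMAIN SUFFIX: bare-domain key for a plain (non-refile:) table
signingtable_line() {
  sel=$(selector_for "$1" "$2")
  printf '%s %s._domainkey.%s\n' "$1" "$sel" "$1"
}

# reportaddress_line DOMAIN
reportaddress_line() {
  printf 'ReportAddress "%s Postmaster <postmaster@%s>"\n' "$1" "$POSTMASTER_DOMAIN"
}

# generate DOMAINFILE SUFFIX KEYTABLE_OUT SIGNINGTABLE_OUT CONF_OUT
# Writes the three files (truncating them first) and prints the number of
# domains processed; invalid lines are reported on stderr and skipped.
generate() {
  domainfile=$1 suffix=$2 kt=$3 st=$4 conf=$5 count=0
  cr=$(printf '\r')
  : > "$kt"; : > "$st"; : > "$conf"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                            # drop trailing comments
    line=${line%"$cr"}                          # tolerate CRLF line endings
    line=${line#"${line%%[![:space:]]*}"}       # trim leading whitespace
    line=${line%"${line##*[![:space:]]}"}       # trim trailing whitespace
    if [ -z "$line" ]; then
      continue
    fi
    if ! valid_domain "$line"; then
      printf 'skipping invalid domain line: "%s"\n' "$line" >&2
      continue
    fi
    keytable_line "$line" "$suffix"     >> "$kt"
    signingtable_line "$line" "$suffix" >> "$st"
    reportaddress_line "$line"          >> "$conf"
    count=$((count + 1))
  done < "$domainfile"
  printf '%s\n' "$count"
}

# Usage: sh dkim-tables.sh /etc/opendkim/domains.txt 20220825
# Output goes to new files in the current directory; review them, then move
# them into place and reload OpenDKIM.
if [ "$#" -eq 2 ]; then
  generate "$1" "$2" ./KeyTable.new ./SigningTable.new ./opendkim.conf.snippet
fi
```

Writing to new files rather than appending with ">>" means a second run does not leave duplicate entries behind, and the skipped-line messages on stderr tell you exactly which line of the domain list needs fixing before anything reaches /etc/opendkim.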
/etc/opendkim/TrustedHosts
Code:
mx01.mydomain.net # 1st mail exchanger (MX record)
mx02.mydomain.net # 2nd mail exchanger (MX record)
192.168.4.5/32    # mail host / Exchange server
You need to have the DNS records for all the domains:
As most registrars use web interfaces, here are a few tips:
Code:
Record type: TXT
Hostname: selector._domainkey
Value: "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzAzvlGEEl5XLGNwHd/3d8f40+rkqvWVqq82iJFGyFcwXuP90hyyeOhvhZYOtktyrnNWqBEoClp0/0NZyZhxr80kIMLvWawhWtnPllIVOyPMsJ/HZFinWoBGNjW2dXykv7UKsLaGmDcm18kl+HEcMIncnYGCkEIX6KQDlO8A+pqnfSMZxUP4D9lqUhIPPcl1drGb88boT3rOkOzBRMzembN1qsaXI835PfRb4icDZOxE6c9s3qhWnEmci+qumc69VM02dqsXkDgswYyyn0dWyc1A0GRv9+qMdla3KJw28O7gvWFM7l/Yi/OSJ+tntDD2PhdROwMc368GHwqWT+fFhwIDAQAB"
When creating a 2048-bit key, the content of the generated .txt file cannot just be copied 1:1.
The content of the file looks like this:
Code:
# cat /etc/opendkim/keys/domain1.tld/domain1.tld20220825.txt
domain1.tld20220825._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzAzvlGEEl5XLGNwHd/3d8f40+rkqvWVqq82iJFGyFcwXuP90hyyeOhvhZYOtktyrnNWqBEoClp0/0NZyZhxr80kIMLvWawhWtnPllIVOyPMsJ/HZFinWoBGNjW2dXykv7UKsLaGmDcm18k/l+HEcMIncnYGCkEIX6KQDlO8A+pqnfSMZxUP4D9lqUhIPPcl1drGb88boT3rOkO"
"zBRMzembN1qsaXI835PfRb4icDZOxE6c9s3qhWnEmci+qumc69VM02dqsXkDgswYyyn0dWyc1A0GRv9+qMdla3KJw28O7gvWFM7l/Yi/OSJ+tntDD2PhdROwMc368GHwqWT+fFhwIDAQAB" ) ; ----- DKIM key domain1.tld20220825 for domain1.tld
Quite the opposite:
Breaking up the key will cause DKIM to break.
So when you enter it, make sure you enter it as one continuous string, the way it is shown in the record example above, and not split up as in the file.
So when you check your DKIM record, you need to enter your domain.tld as the domain and domain.tld[selector suffix] as the selector.
You can check your DKIM record, for instance, at:
https://mxtoolbox.com/SuperTool.aspx?action=dkim
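Joining the split key by hand is where most copy-and-paste mistakes happen (a dropped character, a space carried over between the two quoted pieces). The script below is an added example (mine, not from the original post or from OpenDKIM) that reads a .txt file in the shape opendkim-genkey writes, joins the quoted pieces into the single-string value a registrar web form expects, and checks the result before you publish it. The key material in make_sample_keyfile is constructed for the example and is not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: turn the multi-string zone-file
# record that opendkim-genkey writes for a 2048-bit key into the single-string
# value most registrar web forms expect, and sanity-check it before publishing.
# The key material in make_sample_keyfile is constructed for this example.

# make_sample_keyfile PATH: write a file in the same shape as the .txt file shown above
make_sample_keyfile() {
  cat > "$1" <<'EOF'
domain1.tld20220825._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedPARTONE"
  "constructedPARTTWO" ) ; ----- DKIM key domain1.tld20220825 for domain1.tld
EOF
}

# dkim_txt_value FILE -> the record value as ONE string, e.g. v=DKIM1; k=rsa; p=MIIB...
# Zone-file syntax splits long TXT data into several quoted strings; the quotes
# are string boundaries, not content, and adjacent strings simply concatenate.
dkim_txt_value() {
  tr -d '\n' < "$1" \
    | sed -e 's/^[^(]*(//'          \
          -e 's/)[^)]*$//'          \
          -e 's/"[[:space:]]*"//g'  \
          -e 's/"//g'               \
          -e 's/^[[:space:]]*//'    \
          -e 's/[[:space:]]*$//'
}

# dkim_check_value VALUE -> 0 if the value starts with v=DKIM1 and has a
# non-empty p= tag made only of base64 characters (so nothing got mangled
# while joining); otherwise 1 with a reason on stderr
dkim_check_value() {
  case "$1" in
    v=DKIM1*) ;;
    *) printf 'record does not start with v=DKIM1\n' >&2; return 1 ;;
  esac
  case "$1" in
    *p=*) ;;
    *) printf 'no p= tag\n' >&2; return 1 ;;
  esac
  p=${1#*p=}      # text after the first p=
  p=${p%%;*}      # up to the next tag separator, if any
  case "$p" in
    ''|*[!A-Za-z0-9+/=]*)
      printf 'p= tag empty or contains non-base64 characters\n' >&2; return 1 ;;
  esac
  return 0
}

# dkim_dns_name SELECTOR DOMAIN -> the name a verifier queries for this key
dkim_dns_name() { printf '%s._domainkey.%s\n' "$1" "$2"; }

# Usage: sh dkim-txt-join.sh /etc/opendkim/keys/domain1.tld/domain1.tld20220825.txt
if [ "$#" -eq 1 ]; then
  value=$(dkim_txt_value "$1")
  dkim_check_value "$value" && printf '%s\n' "$value"
fi
```

After the record has propagated, dig +short TXT "$(dkim_dns_name domain1.tld20220825 domain1.tld)" shows what the world sees. Note that DNS itself is allowed to return the data as several quoted strings of up to 255 characters each, and verifiers concatenate them; so a split answer from dig is normal, while a p= value that is shorter than what you pasted, or that contains spaces, means the web form mangled it.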
And finally:
Once you have successfully created the DKIM record, you should also create a DMARC record as this goes hand in hand.
The DMARC record, too, is a TXT record:
Code:
Record type: TXT
Hostname: _dmarc
Value: v=DMARC1;p=quarantine;sp=quarantine;pct=100;rua=mailto:dmarcreports@domain1.tld;ruf=mailto:dmarc.ruf@domain1.tld
I tried to make this as comprehensive as possible, so that also those with less experience get to master the task in a reasonable time.
Please also ensure that you enable DKIM and DMARC in eFa-configure.
Any suggestions for improvements, error corrections, etc. are always welcome.