I have a working externally managed mail system for our company domain. Additionally I am currently trying to set up a second mailserver (which I have control over) for the same domain with DKIM with postfix.
The externally managed main mail server should continue to send emails normally via its own DKIM signatures, the newly created mailserver should start signing with its key.
I will be able to use either of these mailservers for sending mails.
Now my concern is:
If I add DKIM signatures to my domain's DNS records, will I still be able to safely send mails via the primary managed mailserver that also does DKIM or will it then complain somehow.
I just want to make sure that mails from the managed mailserver (with its own DKIM) will not be treated as SPAM once DKIM is enabled for the secondary mailserver.
Also to note, the managed mailserver already has two DKIM DNS records: (Note: for whatever reason there is no domain part in the DNS name entry)
key2._domainkey.reply
key2._domainkey.returnpath
The name part looks strange as I thought the domain name itself must be present...
The following is what I want to add now:
host1._domainkey.DOMAIN.TLD
Can they interfere somehow?
Update
Added note that the already configured DNS record does not include the domain name in its name field for DKIM
The short answer is that they shouldn't interfere, but that unless your setup is more complicated than you explained, something is weird.
In more detail, DKIM has a built-in feature called selectors which is designed to handle multiple hosts/daemons actually signing emails for the same domain. See section 3.1 of RFC 6376. Basically, that is the part before the _domainkey in the DNS record, which allows you to set up as many signing services as you need. Once a signature is received, it will contain the selector that did the signing and only its DNS record will be checked. Here, you have two DNS entries:
key2 for the domain reply.DOMAIN.TLD (assuming the line you pasted is from the zone DOMAIN.TLD)
key2 for the domain returnpath.DOMAIN.TLD
Note that despite sharing the same selector name, there is no relation between them in DKIM as a selector is defined for a domain and that the domains here are not the same. However, it typically is used to allow the same key on two domains.
Now you propose to add a new DKIM entry, for the selector host1 of domain DOMAIN.TLD (without any subdomain). Note that unless you set it up as strict (s flag in the DNS record), this key will be able to sign subdomains, including reply.DOMAIN.TLD and returnpath.DOMAIN.TLD. Hence this will work. However, I'm not sure this behavior (a first key that is allowed on 2 subdomains and a new key that will be allowed on the parent domain and all the subdomains) is what you intended.
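As an added example (not code from the question or the answer), the following Python models the verifier-side lookup the answer describes: the selector and d= tag name the TXT record to fetch, and the t=s flag decides whether an i= identity on a subdomain of d= is acceptable. The zone contents, record names and signature header are constructed placeholders, and no cryptographic verification is performed.

```python
# Added example (not the question's or the answer's code): derive the DKIM
# key record name from a signature's s=/d= tags and apply the RFC 6376 rules
# on the i= identity, including the t=s (strict) flag the answer mentions.
# The zone data and headers below are constructed placeholders.

ZONE = {  # constructed stand-in for DNS TXT lookups, keyed by owner name
    "key2._domainkey.reply.DOMAIN.TLD":      "v=DKIM1; k=rsa; p=KEY2PLACEHOLDER",
    "key2._domainkey.returnpath.DOMAIN.TLD": "v=DKIM1; k=rsa; p=KEY2PLACEHOLDER",
    "host1._domainkey.DOMAIN.TLD":           "v=DKIM1; k=rsa; p=HOST1PLACEHOLDER",
}
# Same zone, but host1 published with t=s so it cannot cover subdomains.
STRICT_ZONE = dict(ZONE)
STRICT_ZONE["host1._domainkey.DOMAIN.TLD"] = "v=DKIM1; k=rsa; t=s; p=HOST1PLACEHOLDER"

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (DKIM-Signature or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def key_record_name(sig):
    """The selector (s=) and signing domain (d=) name the record a verifier fetches."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_signature_domains(sig_header, zone=ZONE):
    """Domain-level checks done before any cryptography: does the selector's
    record exist, and is the i= identity allowed under d= for that key?"""
    sig = parse_tags(sig_header.split(":", 1)[1])
    d = sig["d"].lower()
    i_domain = sig.get("i", "@" + d).rsplit("@", 1)[1].lower()
    record = zone.get(key_record_name(sig))
    if record is None:
        return False, "no DKIM key record for that selector/domain"
    key = parse_tags(record)
    # i= must be d= itself or a subdomain of d= (RFC 6376 section 3.5).
    if i_domain != d and not i_domain.endswith("." + d):
        return False, "i= domain is not d= or a subdomain of it"
    # t=s forbids subdomains: i= domain must equal d= (RFC 6376 section 3.6.1).
    if "s" in key.get("t", "").split(":") and i_domain != d:
        return False, "key is strict (t=s); i= may not be a subdomain of d="
    return True, "domains consistent"

if __name__ == "__main__":
    hdr = "DKIM-Signature: v=1; a=rsa-sha256; d=DOMAIN.TLD; s=host1; i=@reply.DOMAIN.TLD; b=x"
    print(check_signature_domains(hdr))
    print(check_signature_domains(hdr, STRICT_ZONE))
```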