I was able to setup a Single DKIM Key for multiple domains with OPENDKIM by using their KeyTables and SigningTable. But since the company started to use RSPAMD, I could not use OPENDKIM along with RSPAMD anymore, and required to use DKIM Signing Module by RSPAMD.
It's a long story, but I ended up in this situation where I need to setup a Single DKIM Key for other company brands domains. Usually, I would do this in OPENDKIM:
*@maincorp.com mail._domainkey.maincorp.com
*@brand1.com mail._domainkey.maincorp.com
*@brand2.com mail._domainkey.maincorp.com
But, how to do it in RSPAMD DKIM Signing? I have tried several ways without succeed by browsing and using RSPAMD docs. Is it possible to use a single DKIM Key for multiple domains DKIM Signing in RSPAMD just like in OPENDKIM?
Please note that, so far from my tryouts:
On a 1-to-1 scheme, that is DKIM Signing with different DKIM Keys for different domains were working so far. But I need 1-to-N scheme, 1 DKIM Key for Multiple Domains.
For notes:
- I understood, that I could simply add a CNAME Record pointing to the maincorp.com _domainkey for every brands domain names. But, every brand domain names is registered in another country domain registrar which I do not have an immediate access to it (it would be a quite long bureaucracy), therefore this is unlikely.
- I was using Opendkim and Spamassassin, and got this matter appointed at no. 1 working well, but now that Spamassassin replaced with RSPAMD and Opendkim is not being used anymore.
Thank you,
Thomas
For your reference here is my DKIM Signing config in local.d/dkim_signing.conf:
My local.d/dkim_signing.conf:
enabled = true;
If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = true;
# If false, messages from authenticated users are not selected for signing
auth_only = true;
# Default path to key, can include '$domain' and '$selector' variables
#path = "/etc/opendkim/userkeys/$domain/$selector.private";
path = "/etc/opendkim/keys/mailcorp.com/mail.private";
# Default selector to use
#selector = "default";
selector = "mail";
# If false, messages from local networks are not selected for signing
sign_local = true;
# Map file of IP addresses/subnets to consider for signing
# sign_networks = "/some/file"; # or url
# Symbol to add when message is signed
symbol = "DKIM_SIGNED";
# Whether to fallback to global config
try_fallback = false;
selector_map = "/etc/rspamd/dkim_selectors.map";
path_map = "/etc/rspamd/dkim_paths.map";
# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "header";
# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
use_domain_sign_networks = "header";
# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
use_domain_sign_local = "header";
# Whether to normalise domains to eSLD
use_esld = false;
# Whether to get keys from Redis
# Not using redis, keys coming from files in /etc/opendkim
use_redis = false;
# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";
My /etc/rspamd/dkim_selectors.map:
maincorp.com mail
brand1.com mail
brand2.com mail
And my /etc/rspamd/dkim_paths.map:
maincorp.com /etc/opendkim/keys/mancorp.com/mail.private
brand1.com /etc/opendkim/keys/mancorp.com/mail.private
brand2.com /etc/opendkim/keys/mancorp.com/mail.private
Using the configuration above at local.d/dkim_signing.conf resulting as in the following results:
- When an email is sent from @mailcorp.com, it has no problem and DKIM will be signed. Why? because at DNS mailcorp.com it has _domainkey.
- But, when an email is sent from @brand1.com and @brand2.com DKIM will not be signed, unless I added CNAME record in brand1.com and brand2.com, which I did not want to from the first time.
What is needed to be done (THE MAIN GOAL), which is not yet ACHIEVED using the configuration above is and I need your help:
The goal is to be able for brand1.com and brand2.com got signed by an existing single DKIM Key which was already implemented in TXT Record in maincorp.com, without the need to add either CNAME or TXT Record _domainkey in each brand1.com and brand2.com DNS Panel.
As for maincorp.com it is already working because it has TXT Record of the mail._domainkey.maincorp.com in the DNS Panel. But not working for brand1.com and brand2.com.
Please help...
UPDATE April 9th, 2019:
I found out that this feature I needed is unfortunately not yet supported by RSPAMD yet, at least at the time of this being questioned. Well, hopefully they would then enable it.
So, for now, I would just have to add CNAME record to brand1.com and brand2.com so DKIM would be valid and signed :(.
Thank you so much for the patience and help! Have a great day!
To make it easier for people stumbling over the same question. Here is an example on how to use the key - and signing table, mentioned in the comments above, so that you can sign every from domain and use the selector from your domain instead of the from domain:
Alternatively just sign every domain
This will result in the following dkim signature:
Official rspamd dkim_signing documentation