How to correctly configure postfix and opendkim and let receiving server know all details mailed-by signed-by?

8,888

First of all, please remove these values (they aren't needed if you use KeyTable):

Domain      example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector    selc

Domain      example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector    selc

Set up your KeyTable like this:

mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key

Set up your SigningTable like this (note the wildcard matching, and mykey1 and mykey2 from the KeyTable):

*@example1.com mykey1
*@example2.com mykey2

And finally change your opendkim.conf to include the SigningTable via the refile: prefix (which enables regular expression support):

SigningTable    refile:/etc/opendkim/SigningTable

And the domain records for reference (note recordname1 and recordname2 from the KeyTable):

recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."

Additionally, please check that the hostname of the node you are sending mail from is in the InternalHosts file:

server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com

Again, you can use the refile: prefix to be able to add something like:

*.example1.com
*.example2.com

if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.

You should check the log file for DKIM notices about skipping signing if your host is missing from the InternalHosts file.

Example of opendkim.conf:

# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog      yes
SyslogSuccess   yes
LogWhy      yes

UMask       002
UserID      opendkim:opendkim

KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/mail/SigningTable
InternalHosts       refile:/etc/mail/hosts
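As an added illustration of the lookup chain this answer describes (SigningTable entry, KeyTable name, domain:selector:keyfile, DNS record, plus the InternalHosts check), here is a small Python script that is not part of the answer and not OpenDKIM's own code. It parses constructed copies of the answer's tables, maps a From: address to the key OpenDKIM would sign with and the DNS record a receiver will query, tells whether a submitting host matches InternalHosts, and reports SigningTable entries whose key name is not defined in the KeyTable (it runs that check on the tables posted in the question as well). The '*' handling is an assumed approximation of refile: matching, all table contents are constructed, and the key file paths are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample tables laid out the way the answer describes (paths are placeholders).
KEYTABLE = """\
# keyname  domain:selector:private-key-file
mykey1 example1.com:recordname1:/path/to/domain1.key
mykey2 example2.com:recordname2:/path/to/domain2.key
"""
SIGNINGTABLE = """\
*@example1.com mykey1
*@example2.com mykey2
"""
INTERNALHOSTS = """\
localhost
*.example1.com
*.example2.com
"""
# The tables posted in the question, reproduced so the consistency check can be run on them.
QUESTION_KEYTABLE = """\
mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private
"""
QUESTION_SIGNINGTABLE = """\
example1.com selc._domainkey.example1.com
example2.com selc._domainkey.example2.com
"""

@dataclass(frozen=True)
class KeyEntry:
    domain: str    # becomes the d= tag of the signature ("signed-by" in Gmail)
    selector: str  # becomes the s= tag
    keyfile: str

    @property
    def dns_record(self) -> str:
        """Name a verifier queries for the public key: <selector>._domainkey.<domain>."""
        return f"{self.selector}._domainkey.{self.domain}"

def parse_table(text):
    """Yield (key, value) pairs from a two-column OpenDKIM table, skipping blanks and # comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def parse_keytable(text):
    """KeyTable values are domain:selector:keyfile; the first column is the name SigningTable refers to."""
    table = {}
    for name, spec in parse_table(text):
        fields = spec.split(":", 2)
        if len(fields) != 3:
            raise ValueError(f"KeyTable entry {name!r} is not domain:selector:keyfile: {spec!r}")
        domain, selector, keyfile = fields
        table[name] = KeyEntry(domain.lower(), selector, keyfile)
    return table

def refile_pattern(pattern):
    """Assumed approximation of refile: matching: '*' matches any run of characters,
    everything else is literal, and matching ignores case."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.IGNORECASE)

def parse_refile(text):
    """[(compiled pattern, value)] in file order; the first matching line wins."""
    return [(refile_pattern(key), value) for key, value in parse_table(text)]

def signing_key_for(sender, signing_table, key_table):
    """KeyEntry OpenDKIM would sign this From: address with, or LookupError with the reason."""
    for pattern, keyname in signing_table:
        if pattern.match(sender):
            if keyname not in key_table:
                raise LookupError(f"SigningTable names {keyname!r}, which is not a KeyTable key name")
            return key_table[keyname]
    raise LookupError(f"no SigningTable entry matches {sender!r}; the message would go out unsigned")

def is_internal_host(hostname, internal_hosts):
    """True if the submitting host matches InternalHosts, i.e. its mail is signed rather than verified."""
    return any(pattern.match(hostname) for pattern, _ in internal_hosts)

def dangling_signing_refs(signing_text, key_table):
    """Second-column names in SigningTable that no KeyTable line defines."""
    return [name for _, name in parse_table(signing_text) if name not in key_table]

def expected_signature_tags(sender):
    """d= and s= the signature will carry and the DNS record the receiver will fetch."""
    entry = signing_key_for(sender, parse_refile(SIGNINGTABLE), parse_keytable(KEYTABLE))
    return {"d": entry.domain, "s": entry.selector, "dns": entry.dns_record}

if __name__ == "__main__":
    print(expected_signature_tags("alice@example1.com"))
    print("mail.example1.com internal:", is_internal_host("mail.example1.com", parse_refile(INTERNALHOSTS)))
    print("question's dangling refs:", dangling_signing_refs(QUESTION_SIGNINGTABLE, parse_keytable(QUESTION_KEYTABLE)))
```

Run against the question's own tables, the last check lists both SigningTable values, because the second column of a SigningTable must be a first-column name from the KeyTable and the question's KeyTable names are mvs._domainkey.example1.com and mvs._domainkey.example2.com; the answer's mykey1/mykey2 pairing is exactly that link.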

Author by Karma

Updated on September 18, 2022

Comments

  • Karma
    Karma almost 2 years

    What I am trying to achieve, bottom line: mails to go in the inbox rather than the spam folder.

    I have a server which is running postfix (mail server) and I have 3 domains. The mail server is used for both incoming and outgoing mail.

    I am signing with opendkim and have DNS records in place.

    After a long observation, I've realized that messages are going in spam due to incorrect mailed-by and signed-by assignment.

    Consider my mail server to be mailserver.example.com and the 3 other domains to be example1.com, example2.com and example3.com.

    When someone sends an email from [email protected], it should display:

    [email protected] via mailserver.example.com

    mailed-by: mailserver.example.com

    signed-by: example1.com

    I have observed that Mailjet and Amazon emails hardly ever go into spam; the fact is, 'maybe' because the originating hostname / IP reverse-resolves to what mailed-by and signed-by are.

    Config files:

    /etc/opendkim/Keytable

    mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
    mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private
    

    /etc/opendkim.conf

    Domain          example1.com
    KeyFile     /etc/opendkim/keys/example1_com/selc
    Selector        selc
    
    Domain          example2.com
    KeyFile     /etc/opendkim/keys/example2_com/selc
    Selector        selc
    
    Canonicalization    simple
    Mode            sv
    Syslog                  yes
    LogWhy                  yes
    UMask                   022
    UserID                  opendkim:opendkim
    KeyTable           /etc/opendkim/KeyTable
    SigningTable       /etc/opendkim/SigningTable
    ExternalIgnoreList /etc/opendkim/TrustedHosts
    InternalHosts      /etc/opendkim/TrustedHosts
    Socket                  inet:34562@localhost
    X-Header        no
    

    and finally

    /etc/opendkim/SigningTable

    example1.com selc._domainkey.example1.com
    example2.com selc._domainkey.example2.com
    

    What am I missing?

  • Karma
    Karma over 10 years
    Hey fantastic! Lemme try out...
  • Karma
    Karma over 10 years
    mykey1 example1.com:recordname1:/path/to/domain.key mykey2 example2.com:recordname2:/path/to/domain.key mykey1 and mykey2 = DNS TXT record key names?
  • Karma
    Karma over 10 years
    What is InternalHosts? Rest all done...
  • Karma
    Karma over 10 years
    My ExternalIgnoreList and InternalHosts are the same file... is that correct?
  • Karma
    Karma over 10 years
    done... now I am getting Relay access denied - SMTP error 554
  • Karma
    Karma over 10 years
    Can you show an example file...?
  • Karma
    Karma over 10 years
    Hi, I just tried that... it says mailed-by - example1, signed-by - example1... but I am sending email via example2...
  • GeekMagus
    GeekMagus over 10 years
    Are you sure that SigningTable is correctly configured? *@example1.com mykey1 <== *@example2.com mykey2 <== note mykey1 and mykey2
  • Karma
    Karma over 10 years
    Yes... SigningTable is correct... Also, Gmail tells me signed-by example.com but I want mailed-by to be the server from which emails are being sent... as in... we are a hosted solution...
  • GeekMagus
    GeekMagus over 10 years
    ExternalIgnoreList is used to suppress LOG messages like "External host trying to send mail via our SMTP server"
  • GeekMagus
    GeekMagus over 10 years
    Do you have "dkim=pass" in the message source (of the mail that arrives in your Gmail)? Or dkim=neutral or fail?
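To show how to read that out of a message source, here is an added Python example (not from the thread, and not OpenDKIM or Gmail code) that parses the Authentication-Results and DKIM-Signature headers of a received message, reports the dkim= result, the d= domain (which is what Gmail labels "signed-by"), the selector, the DNS record the verifier consulted, and whether the signing domain lines up with the From: domain. Both message sources below are constructed; the header values, hashes and signature bytes in them are placeholders.

```python
import email
import email.utils
import re

# Constructed "show original" message source for a message that verified (placeholder values).
PASS_SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example1.com header.s=recordname1 header.b=abcd1234;
       spf=pass (google.com: domain of alice@example1.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=alice@example1.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example1.com; s=recordname1;
 h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersig=
From: alice@example1.com
To: someone@example.net
Subject: test

hello
"""

# Constructed source for the situation described in the comments: From: is example1.com but the
# signature was made with example2.com's key, and the verifier reported a failure (placeholder values).
FAIL_SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=fail (signature did not verify) header.i=@example2.com header.s=selc header.b=wxyz9876
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example2.com; s=selc;
 h=from:to:subject; bh=placeholderbodyhash=; b=placeholdersig=
From: alice@example1.com
To: someone@example.net
Subject: test

hello
"""

def _unfold(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()

def parse_auth_results(value):
    """'<authserv-id>; method=result ...; method=result ...' -> {'authserv': id, 'dkim': 'pass', ...}.
    The result is the first token after '='; trailing comments and property tags are ignored."""
    clauses = [c.strip() for c in _unfold(value).split(";") if c.strip()]
    out = {"authserv": clauses[0] if clauses else ""}
    for clause in clauses[1:]:
        method, eq, rest = clause.partition("=")
        if eq and rest.split():
            out[method.strip().lower()] = rest.split()[0].lower()
    return out

def parse_dkim_signature(value):
    """Tag=value pairs of a DKIM-Signature header; whitespace inside values (folded b=) is dropped."""
    tags = {}
    for clause in _unfold(value).split(";"):
        name, eq, val = clause.strip().partition("=")
        if eq:
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags

def diagnose(raw_message):
    """Summarise what a receiver recorded about the DKIM signature on one message."""
    msg = email.message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    sig = parse_dkim_signature(msg.get("DKIM-Signature", ""))
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d, s = sig.get("d", "").lower(), sig.get("s", "")
    return {
        "dkim_result": auth.get("dkim", "none"),
        "signed_by": d,                       # the domain Gmail displays as "signed-by"
        "selector": s,
        "dns_record": f"{s}._domainkey.{d}" if d and s else "",
        "from_domain": from_domain,
        # relaxed alignment: signing domain equals the From: domain or is a parent of it
        "aligned": bool(d) and (from_domain == d or from_domain.endswith("." + d)),
    }

if __name__ == "__main__":
    for label, sample in (("pass", PASS_SAMPLE), ("fail", FAIL_SAMPLE)):
        print(label, diagnose(sample))
```

The "aligned" flag is the thing to watch when a message is signed but still lands in spam: a valid signature from a domain other than the From: domain is what the thread's "signed-by example1 but sending via example2" symptom looks like on the receiving side.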
  • GeekMagus
    GeekMagus over 10 years