How to correctly configure postfix and opendkim and let receiving server know all details mailed-by signed-by?
First of all, please remove these values (they aren't needed if you use a KeyTable):
Domain example1.com
KeyFile /etc/opendkim/keys/example1_com/selc
Selector selc
Domain example2.com
KeyFile /etc/opendkim/keys/example2_com/selc
Selector selc
Set up your KeyTable like this:
mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key
Set up your SigningTable like this (note the wildcard matching, and mykey1 and mykey2 from the KeyTable):
*@example1.com mykey1
*@example2.com mykey2
And finally change your opendkim.conf to include the SigningTable via the refile: prefix (regular expression support):
SigningTable refile:/etc/opendkim/SigningTable
And the DNS records for reference (note recordname1 and recordname2 from the KeyTable):
recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
Additionally, please check whether you have your node hostname (the one you are sending mail from) in the InternalHosts file:
server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com
Again, you can use the refile: prefix to be able to add something like:
*.example1.com
*.example2.com
if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.
You should check the log file for DKIM notices about skipped signing if your host is missing from the InternalHosts file.
Example of opendkim.conf:
# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
UserID opendkim:opendkim
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/mail/SigningTable
InternalHosts refile:/etc/mail/hosts
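The answer above ties three files together: the KeyTable names a key and says which domain (the d= tag, shown as "signed-by"), which selector (the DNS record label) and which private key it uses; the SigningTable maps sender patterns to those key names; and InternalHosts decides whether a submitting host gets signed at all. The script below is an added example, not part of the original answer or of OpenDKIM itself. It parses constructed sample tables in OpenDKIM's formats, cross-checks that every SigningTable entry points at an existing KeyTable key, resolves a sender address to the DNS record a receiving server will query, and checks a host against InternalHosts. The key names, record names, paths and the assumption that the first matching refile: pattern wins are all placeholders/assumptions of this example.

```python
# Added example (not from the original answer): consistency checker for the
# OpenDKIM KeyTable / SigningTable / InternalHosts relationship the answer
# describes. All file contents below are constructed sample data.
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample tables in OpenDKIM's own formats (names/paths are placeholders).
KEYTABLE = """\
# keyname  signing-domain:selector:private-key-path
mykey1 example1.com:recordname1:/etc/opendkim/keys/example1_com/selc.private
mykey2 example2.com:recordname2:/etc/opendkim/keys/example2_com/selc.private
"""

SIGNINGTABLE = """\
# sender-pattern  keyname   (refile: syntax, '*' is a wildcard)
*@example1.com mykey1
*@example2.com mykey2
*@example3.com mykey3
"""

INTERNALHOSTS = """\
127.0.0.1
localhost
*.example1.com
*.example2.com
"""


@dataclass(frozen=True)
class KeyEntry:
    name: str
    domain: str      # d= tag of the DKIM-Signature header ("signed-by")
    selector: str    # s= tag; also the label of the DNS TXT record
    keyfile: str

    @property
    def dns_record(self) -> str:
        """Name of the TXT record a verifier queries for this key."""
        return f"{self.selector}._domainkey.{self.domain}"


def _lines(text: str) -> List[str]:
    """Drop comments and blank lines, as OpenDKIM does when reading tables."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_keytable(text: str) -> Dict[str, KeyEntry]:
    entries = {}
    for line in _lines(text):
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.split(":", 2)
        entries[name] = KeyEntry(name, domain, selector, keyfile)
    return entries


def parse_signingtable(text: str) -> List[Tuple[str, str]]:
    return [tuple(line.split(None, 1)) for line in _lines(text)]


def signing_key_for(sender: str, rules, keys) -> Optional[KeyEntry]:
    """Resolve a sender address to its KeyEntry. Assumption of this example:
    the first matching refile: pattern wins and matching is case-insensitive."""
    for pattern, keyname in rules:
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            return keys.get(keyname)   # None if the table points at a missing key
    return None


def is_internal(host: str, patterns: List[str]) -> bool:
    """True if the submitting host is listed in InternalHosts (exact or wildcard)."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def check_tables(keys, rules) -> List[str]:
    """Cross-check the two tables; each returned string is one problem to fix."""
    problems, used = [], set()
    for pattern, keyname in rules:
        if keyname in keys:
            used.add(keyname)
        else:
            problems.append(f"SigningTable '{pattern}' references missing KeyTable entry '{keyname}'")
    for name in keys:
        if name not in used:
            problems.append(f"KeyTable entry '{name}' is never referenced by the SigningTable")
    return problems


if __name__ == "__main__":
    keys = parse_keytable(KEYTABLE)
    rules = parse_signingtable(SIGNINGTABLE)
    hosts = _lines(INTERNALHOSTS)
    for problem in check_tables(keys, rules):
        print("PROBLEM:", problem)
    for sender in ("alice@example1.com", "bob@example2.com", "carol@example3.com"):
        entry = signing_key_for(sender, rules, keys)
        print(sender, "->", entry.dns_record if entry else "NOT SIGNED (no usable key)")
    for host in ("mail.example1.com", "localhost", "relay.example.org"):
        print(host, "->", "internal" if is_internal(host, hosts) else "not internal, signing skipped")
```

Run it as-is to see the report; point the three constants at your real files to check a live setup. The dangling `mykey3` reference reproduces the symptom the answer warns about (a sender domain that silently goes out unsigned), and the `dns_record` property makes explicit why the KeyTable selector field must equal the label of the published TXT record.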
Karma, updated on September 18, 2022
Comments
-
Karma almost 2 years
What I am trying to achieve, bottom line: mails go to the inbox rather than the spam folder.
I have a server which is running postfix (mail server) and I have 3 domains. The mail server is used for both incoming and outgoing mail.
I am signing with opendkim and have DNS records in place.
After a long observation, I've realized that messages are going in spam due to incorrect mailed-by and signed-by assignment.
Consider my mail server to be mailserver.example.com and the 3 other domains to be example1.com, example2.com and example3.com.
When someone sends an email from [email protected], it should display:
[email protected] via mailserver.example.com
mailed-by: mailserver.example.com
signed-by: example1.com
I have observed that Mailjet and Amazon emails hardly ever go into spam; the fact is, 'maybe' because the originating hostname / IP reverse-resolves to what mailed-by and signed-by are.
Config files:
/etc/opendkim/Keytable
mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private
/etc/opendkim.conf
Domain example1.com
KeyFile /etc/opendkim/keys/example1_com/selc
Selector selc
Domain example2.com
KeyFile /etc/opendkim/keys/example2_com/selc
Selector selc
Canonicalization simple
Mode sv
Syslog yes
LogWhy yes
UMask 022
UserID opendkim:opendkim
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
Socket inet:34562@localhost
X-Header no
and finally
/etc/opendkim/SigningTable
example1.com selc._domainkey.example1.com
example2.com selc._domainkey.example2.com
What am I missing?
-
Karma over 10 years: Hey fantastic! Lemme try out...
-
Karma over 10 years:
mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key
mykey1 and mykey2 = DNS TXT record key names?
-
Karma over 10 years: What is an InternalHosts? Rest all done...
-
Karma over 10 years: My ExternalIgnoreList and InternalHosts are the same file... is that correct?
-
Karma over 10 years: Done... now I am getting "Relay access denied" - SMTP error 554
-
Karma over 10 years: Can you show an example file...?
-
Karma over 10 years: Hi, I just tried that... it says mailed-by - example1, signed-by - example1... but I am sending email via example2...
-
GeekMagus over 10 years: Are you sure that SigningTable is correctly configured?
*@example1.com mykey1 <==
*@example2.com mykey2 <==
note mykey1 and mykey2
-
Karma over 10 years: Yes... SigningTable is correct... Also, Gmail tells me signed-by example.com, but I want mailed-by to be the server from where emails are being sent... as in... we are hosted solutions...
-
GeekMagus over 10 years: ExternalIgnoreList is used to suppress log messages like "External host trying to send mail via our SMTP server"
-
GeekMagus over 10 years: Do you have "dkim=pass" in the message source (of the message that arrives at your Gmail)? Or dkim=neutral or fail?
-
GeekMagus over 10 years