Postfix and OpenDKIM – How to Configure and Inform Receiving Server

Tags: dkim, domainkeys, email-server, postfix

What I am trying to achieve, bottom line:
mails should go into the inbox rather than the spam folder.

I have a server which is running postfix (mail server) and I have 3 domains.
The mail server is used for both incoming and outgoing mail.

I am signing with opendkim and have DNS records in place.

After a long period of observation, I've realized that messages are going to spam due to incorrect mailed-by and signed-by assignment.

Consider my mail server to be mailserver.example.com and the 3 other domains to be example1.com, example2.com and example3.com.

When someone sends an email from admin@example1.com, it should display:

admin@example1.com via mailserver.example.com

mailed-by: mailserver.example.com

signed-by: example1.com

I have observed that Mailjet and Amazon emails hardly ever go into spam; the fact is, 'maybe' because the originating hostname / IP reverse-resolves to what mailed-by and signed-by are.

Config files:

/etc/opendkim/Keytable

mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private

/etc/opendkim.conf

Domain          example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector        selc

Domain          example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector        selc

Canonicalization    simple
Mode            sv
Syslog                  yes
LogWhy                  yes
UMask                   022
UserID                  opendkim:opendkim
KeyTable           /etc/opendkim/KeyTable
SigningTable       /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts
Socket                  inet:34562@localhost
X-Header        no

and finally

/etc/opendkim/SigningTable

example1.com selc._domainkey.example1.com
example2.com selc._domainkey.example2.com

What am I missing?

Best Answer

First of all, please remove these values (they aren't needed if you use KeyTable):

Domain      example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector    selc

Domain      example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector    selc

Set up your KeyTable like this:

mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key

Set up your SigningTable like this (note the wildcard matching and mykey1 and mykey2 from the KeyTable):

*@example1.com mykey1
*@example2.com mykey2

And finally change your opendkim.conf to include the SigningTable via the refile: prefix (regular expression support):

SigningTable    refile:/etc/opendkim/SigningTable

And the domain record for reference (note recordname1 and recordname2 from the KeyTable):

recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."

Additionally, please check whether you have your node hostname (from which you are sending mail) in the InternalHosts file:

server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com

Again, you can use the refile: prefix to be able to add something like:

*.example1.com
*.example2.com

if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.

You should check the log file for DKIM notices about skipping signing if your host is missing from the InternalHosts file.

Example of opendkim.conf:

# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog      yes
SyslogSuccess   yes
LogWhy      yes

UMask       002
UserID      opendkim:opendkim

KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/mail/SigningTable
InternalHosts       refile:/etc/mail/hosts
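As an added example (not part of the question or the answer above, and not OpenDKIM's own code), the following script parses a KeyTable and a SigningTable and predicts which key, if any, OpenDKIM would sign a given sender with. It reproduces the mismatch in the question, where the SigningTable refers to selc._domainkey.example1.com while the KeyTable names its entries mvs._domainkey.example1.com, and shows the corrected refile: table resolving to a key whose d= domain aligns with the From: domain. The wildcard matching via fnmatch is an approximation of refile: semantics, and the sample tables are constructed from the page.

```python
import fnmatch

# Constructed sample tables modelled on the question's configuration.
# The KeyTable names its keys "mvs._domainkey...", but the SigningTable
# points at "selc._domainkey..." which does not exist, so nothing gets signed.
KEYTABLE = """\
mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private
"""
SIGNINGTABLE_BROKEN = """\
example1.com selc._domainkey.example1.com
example2.com selc._domainkey.example2.com
"""
# Corrected table in refile: form, as the answer recommends.
SIGNINGTABLE_FIXED = """\
*@example1.com mvs._domainkey.example1.com
*@example2.com mvs._domainkey.example2.com
"""

def _records(text):
    """Yield [key, value] pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(None, 1)

def parse_keytable(text):
    keys = {}
    for name, spec in _records(text):
        domain, selector, path = spec.split(":", 2)
        keys[name] = {"domain": domain, "selector": selector, "path": path}
    return keys

def parse_signingtable(text):
    return list(_records(text))

def lookup(sender, rules, keys, refile=False):
    """Predict how opendkim would handle mail From: `sender`.
    refile=True approximates a refile: table's wildcards with fnmatch (an
    assumption, not opendkim's matcher); a plain table is matched on the
    full address first and then on the domain part."""
    domain = sender.lower().split("@", 1)[1]
    for pattern, keyname in rules:
        if refile:
            hit = fnmatch.fnmatchcase(sender.lower(), pattern.lower())
        else:
            hit = pattern.lower() in (sender.lower(), domain)
        if not hit:
            continue
        if keyname not in keys:
            return {"status": "missing-key", "key": keyname}  # signing skipped
        key = keys[keyname]
        return {"status": "sign", "d": key["domain"], "s": key["selector"],
                "dns": f"{key['selector']}._domainkey.{key['domain']}",
                "aligned": key["domain"].lower() == domain}  # d= matches From domain
    return {"status": "no-rule"}
```

The "dns" value is the TXT record name the receiver will query, so it should match the selector actually published for that domain.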