First of all, please remove these values (they aren't needed if you use KeyTable):
Domain example1.com
KeyFile /etc/opendkim/keys/example1_com/selc
Selector selc
Domain example2.com
KeyFile /etc/opendkim/keys/example2_com/selc
Selector selc
Setup your KeyTable like that:
mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key
Setup your SigningTable like that (note wildcard matching and mykey1 and mykey2 from KeyTable):
*@example1.com mykey1
*@example2.com mykey2
And finally change your opendkim.conf to include SigningTable via refile: prefix (regular expressions support):
SigningTable refile:/etc/opendkim/SigningTable
And domain record for reference (note recordname1 and recordname2 from KeyTable):
recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
Additionally, please, check if you have your node hostname (from which you are sending mail) in InternalHosts file:
server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com
Again, you can use refile: prefix to be able to add something like:
*.example1.com
*.example2.com
if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.
You should check log file for DKIM notices about skipping signing if your host is missing in the InternalHosts file.
Example of opendkim.conf:
# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
UserID opendkim:opendkim
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/mail/SigningTable
InternalHosts refile:/etc/mail/hosts
You can replace mailed-by: us-west-2.amazonses.com
with mailed by: sub.example.com
but not with mailed-by: example.com
.
In other words, unnaked domain (with subdomain) like sub.example.com
is possible but naked domain like example.com
is impossible to replace with us-west-2.amazonses.com
for mailed-by
.
To replace us-west-2.amazonses.com
with sub.example.com
for mailed-by
, you must create a custom MAIL FROM domain
.
The below is how you create the custom MAIL FROM domain sub.example.com
.
Click on the domain example.com
.
Then, the detail is shown.
Then, click on MAIL FROM Domain
to show Set MAIL FROM Domain
button.
Then, clicking on Set MAIL FROM Domain
button, the window is open.
Then, put the subdomain "sub" to the field and click on Set MAIL FROM Domain
button.
Then, the MX Record
and SPF Record
are shown. You must add the MX Record
and SPF Record
to Route 53
in addition to the records of the domain example.com
to verify the custom MAIL FROM domain sub.example.com
.
Finally, check if the custom MAIL FROM domain sub.example.com
is verified under MAIL FROM domain
section.
If MAIL FROM domain status
is still pending verification
, click on retry
in blue.
Then, it will be verified.
After the custom MAIL FROM domain is verified, mailed-by
is sub.example.com
whether or not you send emails using example.com
or sub.example.com
and whether or not your account is in the sandbox.
Best Answer
To achieve this successfully - we had to verify the main domain which we wanted to sign with in case of email identities. Example mydomain.com is the domain, we verified that domian including setting the MAIL FROM domain in it.
Then, we went ahead and verified the single email identity we wanted to send and sign it with mydomain.com. I used my personal email but for this example we will use [email protected].
Finally we had to tweak the FROM header like so in PHP before hitting the AWS PHP SDK for SES and call the
sendRawEmail
methodFinal solution was that Gmail said from header was: