What domain name should appear in a DKIM signature

dkimpostfix

I followed these instructions to setup OpenDKIM with Postfix, and it works as advertised. My outgoing mails have the DKIM-Signature header added, for example:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail;
t=1398638300; bh=mk/7yYUxFCWz+ZHB0opJIA/S3J5ELoPZPfAO0KQdVg4=;
h=Date:From:To:Subject:From;
b=fPPfUliJUgA0re38nkJ2R18TeFgbamOv1U8nDb9958eTeAT6Mp7oq4WGrHPiPmc+b
mrLu9RuW0/S4d0ipkilNZDxgecwl7qttrDbTEkWxdhwwTSe5FL3OBaUoUxJFrMGjmY
RdBjY5ZWtvk29+gXZ+af5Of9OrY7COLlqGkFXRXw=

My question is about the d= parameter above. In cases where one mailserver handles the outgoing mail of multiple virtual domains, should the d= contain the mailserver sending the message? Or should it be the domain that appears in the From: address?

I have tried to read RFC 6376 about this subject, but the only relevant bit I found was:

  d= The SDID claiming responsibility for an introduction of a message
  into the mail stream [...]  The conventions and semantics used by a Signer to
  create and use a specific SDID are outside the scope of this specification

I'm hoping someone here knows how the d= parameter is used in practice.

Best Answer

A DKIM signature from the sender's domain is most reliable, and may be required by the sender's email policies. With the introduction of DMARC it is now possible for domains to publish a policy with desired actions for email which does not meet the policy.

DKIM is intended to match the sender from the header, which may not be the envelope sender. SPF validates the permission of the envelope sender to send mail for the domain using the sending server. DMARC ties the two together, to provide a better policy framework.

All three mechanisms require data to be published in the DNS tree of the domain involved.

DKIM from a third party merely indicates whether or not the signed content has been modified after signing by that domains. This may be useful for repudiation, but not for sender reputation.

Related Solutions

Cannot send mail to postfix mail server

You write:

my domain points to my server as I'm already hosting the website.

This is wrong, and it is one of your two problems.

The name www.one3community.com points to 104.27.163.48, so far so good.

Mail, however, is sent to the MX record of the domain, and failing that it is sent to the IP address of the domain. There is at the time of writing no MX record and no IP address for one3community.com.

If your postfix server was running on the same IP address as your web server, you should add to your DNS:

one3community.com IN A 104.27.163.48
one3community.com IN MX 10 one3community.com.

However, your second problem is that 104.27.163.48 does not reply on TCP port 25, so the above configuration will not fix your problem. Since the machine replying on port 80 seems to be Cloudflare, you should probably consult with them.

Debian – DKIM header exists but signature is not valid

Now the validator at mail-tester.com says the DKIM signature is fine. On the other hand the isnotspam.com still doesn't seem to like it. I assume it is working fine now. Also gmail accepts the email.

The change I made:

I changed the smtpd_tls_cert_file=.. smtpd_tls_key_file=..

to hold the keys for the primary domain. However my VPS contains several domains, so it still remains to be seen what happens with mails from

someone@example2.com

First the postfix SSL certs have absolutely nothing to do with DKIM so that was different issue you had.

Second if you still are getting errors at isnotspam.com then don't assume everything is alright until you get a green light on all tests.

Third create new signatures for each domain and make sure the DNS entry is correct as well as permissions on the signature files.

Also make sure your postfix/main.cf has the proper entries and the .sock actually exists.

    # DKIM / SPF
# --------------------------------------
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Check mail logs for errors, warnings after restart opendkim, should look something like this:

Feb 21 17:18:23 serverdcu opendkim[2078]: OpenDKIM Filter: mi_stop=1
Feb 21 17:18:23 serverdcu opendkim[2078]: OpenDKIM Filter v2.11.0 terminating with status 0, errno = 0
Feb 21 17:18:23 serverdcu opendkim[37449]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)

Best Answer

Related Solutions

Cannot send mail to postfix mail server

Debian – DKIM header exists but signature is not valid

Related Topic