DKIM keys for specific domains + multiple domains
Marc Pujol
shadow+amavis at la3.org
Tue Mar 26 20:55:09 CET 2019
A 26/03/2019 19:42, John Luk escrigué:
> dkim_key('domain1.com', "dkim", "/var/lib/dkim/domain1.com.pem");
> dkim_key('domain2.com', "dkim", "/var/lib/dkim/domain2.com.pem");
> dkim_key('others.com', "dkim", "/var/lib/dkim/others.com.pem");
> @dkim_signature_options_bysender_maps = ( {
> "." => { d => "others.com", a => 'rsa-sha256', ttl => 10*24*3600
> },
> });
>
> In my understanding the above would:
>
> * sign domain1.com using that domain1.com key
> * sign domain2.com using that domain2.com key
>
> * sign domainX.com using that others.com key
> * sign domainY.com using that others.com key
>
> Is that true?
I don't think it is. The dkim_key entries only set up which keys are
available, and then @dkim_signature_options_bysender_maps is what
defines which signing domain to use depending on the sender address.
Double-check the docs:
https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign
(point 7).
In your case, you only have a catchall entry specifying that everything
should be signed under the others.com domain (and you only have one
key for that domain, so everything will be signed under d=others.com
with the /var/lib/dkim/others.com.pem key).
The correct setup would be:
dkim_key('domain1.com', "dkim", "/var/lib/dkim/domain1.com.pem");
dkim_key('domain2.com', "dkim", "/var/lib/dkim/domain2.com.pem");
dkim_key('others.com', "dkim", "/var/lib/dkim/others.com.pem");
@dkim_signature_options_bysender_maps = ( {
  ".domain1.com" => { d => "domain1.com", a => 'rsa-sha256', ttl => 10*24*3600 },
  ".domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },
  "."            => { d => "others.com",  a => 'rsa-sha256', ttl => 10*24*3600 },
});
Comments:
- Notice that the signing domain doesn't need to be the same as the
sender domain. For instance, gmail will sign all its outgoing mails
under the gmail.com domain, even gmail for businesses with their own
domain. In this example all emails except those of domain1.com and
domain2.com would be signed under the others.com domain (not under their
own).
- Like in other maps, ".domain1.com" (with the initial dot) matches both
domain1.com domain and any of its subdomains, whereas "domain1.com"
doesn't match subdomains.
- Of course you can adapt the extra parameters (a, ttl, whatever) to
your liking.
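An added example, not part of the original reply and not amavis code: a small Python model of how a sender address is matched against the by-sender map and then against the dkim_key table, so the difference between the catch-all-only map and the corrected one (and between ".domain1.com" and "domain1.com") can be checked directly. The candidate-key order it tries (full address, "user@", bare domain, dotted domain with progressively fewer labels, then ".") is assumed from the amavis lookup documentation.

```python
# Added illustration, not amavis's own code: resolve a sender address to a
# DKIM signing key using the two tables from the thread. Lookup order is an
# assumption taken from the amavis hash-lookup docs.

DKIM_KEYS = {  # dkim_key(domain, selector, path) entries from the thread
    "domain1.com": ("dkim", "/var/lib/dkim/domain1.com.pem"),
    "domain2.com": ("dkim", "/var/lib/dkim/domain2.com.pem"),
    "others.com": ("dkim", "/var/lib/dkim/others.com.pem"),
}

CORRECTED_MAP = {  # the corrected @dkim_signature_options_bysender_maps
    ".domain1.com": {"d": "domain1.com", "a": "rsa-sha256", "ttl": 10 * 24 * 3600},
    ".domain2.com": {"d": "domain2.com", "a": "rsa-sha256", "ttl": 10 * 24 * 3600},
    ".": {"d": "others.com", "a": "rsa-sha256", "ttl": 10 * 24 * 3600},
}

CATCHALL_ONLY_MAP = {  # the original poster's map: only a "." entry
    ".": {"d": "others.com", "a": "rsa-sha256", "ttl": 10 * 24 * 3600},
}


def lookup_keys(sender):
    """Yield candidate map keys, most specific first (assumed amavis order)."""
    local, _, domain = sender.lower().rpartition("@")
    yield sender.lower()          # full address, e.g. alice@domain1.com
    yield f"{local}@"             # local part only, any domain
    yield domain                  # bare domain: exact match, no subdomains
    labels = domain.split(".")
    for i in range(len(labels)):  # .sub.domain1.com, .domain1.com, .com
        yield "." + ".".join(labels[i:])
    yield "."                     # catch-all


def signing_options(sender, bysender_map):
    """Return (matched_key, options) for the first map key that matches."""
    for key in lookup_keys(sender):
        if key in bysender_map:
            return key, bysender_map[key]
    return None, None


def resolve_signing_key(sender, bysender_map=CORRECTED_MAP):
    """Return (d= domain, selector, key path), or None if nothing applies."""
    _, opts = signing_options(sender, bysender_map)
    if opts is None or opts["d"] not in DKIM_KEYS:
        return None  # no map entry, or the map names a domain with no dkim_key
    selector, path = DKIM_KEYS[opts["d"]]
    return opts["d"], selector, path
```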