OpenDKIM - DKIM-Signature field added - Different SELECTOR

I've set up OpenDKIM for a virtual domain. I've created the key using the selector as default. I've got other virtual domains that use s=mail. After sending an email using the server as SMTP I see in the logs the following line:

Jun 30 16:39:34 acme opendkim[3069]: 1AJ8C151533: DKIM-Signature field added (s=mail, d=myvirtualdomain.xyz)

I thought that the selector added to the header was added based on the signing table. Where is it set?

Here are my OpenDKIM configuration files:
opendkim.keytable
default._domainkey.myvirtualdomain.xyz myvirtualdomain.xyz:mail:/usr/local/etc/mail/keys/myvirtualdomain.xyz/default.private

opendkim.signingtable
*@myvirtualdomain.xyz default._domainkey.myvirtualdomain.xyz

Here's a DNS query:
Code:
drill default._domainkey.myvirtualdomain.xyz TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59336
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; default._domainkey.myvirtualdomain.xyz.    IN      TXT

;; ANSWER SECTION:
default._domainkey.myvirtualdomain.xyz.       86400   IN      TXT     "v=DKIM1; k=rsa; p=xxxxxxxxxxxxxxxxxxxxxxxxxxx"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 131 msec
;; SERVER: 207.192.69.5
;; WHEN: Thu Jun 30 20:00:39 2022
;; MSG SIZE  rcvd: 483
 
Sorry, I do not use KeyTable — AFAIK, it is suitable for many domains with complex configuration. Whereas in most cases it is sufficient simply to append an additional domain to the item named Domain in /usr/local/etc/mail/opendkim.conf:

Domain mx.mydomain.xyz, another.mydomain.xyz, myvirtualdomain.xyz

The same DNS TXT selector will confirm all letters sent by every domain you own and you are responsible for.
 
Sorry, I do not use KeyTable — AFAIK, it is suitable for many domains with complex configuration. Whereas in most cases it is sufficient simply to append an additional domain to the item named Domain in /usr/local/etc/mail/opendkim.conf:

Domain mx.mydomain.xyz, another.mydomain.xyz, myvirtualdomain.xyz

The same DNS TXT selector will confirm all letters sent by every domain you own and you are responsible for.
But how would you differentiate different keys for each domain?
 
Yes, I had the same question, and did not find an explanation in docs, so I came up with it myself. Simply rename the same key for every domain appropriately: default._domainkey.myvirtualdomain.xyz, default._domainkey.mx.mydomain.xyz, default._domainkey.another.mydomain.xyz. Then upload them to your DN server.
 
Still not sure? Click my links to Steve Atkins' DKIM validator — it will check DN TXT records and will show you my key and its attributes for both domains, besides the conclusion.
 
I found the error. It was in opendkim.keytable, in the field before the path to the key. I copied the previous line.

default._domainkey.myvirtualdomain.xyz myvirtualdomain.xyz:mail:/usr/local/etc/mail/keys/myvirtualdomain.xyz/default.private
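
The thread's resolution comes down to the KeyTable value (domain:selector:keypath): its second field is what ends up in s=, regardless of the key name in the first column. The check below is an added example, not code from the thread or from the OpenDKIM project. It assumes key names are written like the DNS record name and key files are named <selector>.private, as in the poster's setup; the corrected sample line is constructed from the poster's description.

```python
import os

# First line is the entry from the thread; second is a constructed corrected form.
BROKEN = ("default._domainkey.myvirtualdomain.xyz myvirtualdomain.xyz:mail:"
          "/usr/local/etc/mail/keys/myvirtualdomain.xyz/default.private")
FIXED = ("default._domainkey.myvirtualdomain.xyz myvirtualdomain.xyz:default:"
         "/usr/local/etc/mail/keys/myvirtualdomain.xyz/default.private")

def parse_keytable(text):
    """Yield (keyname, domain, selector, keypath) per KeyTable entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyname, value = line.split(None, 1)
        domain, selector, keypath = value.strip().split(":", 2)
        yield keyname, domain, selector, keypath

def lint_keytable(text):
    """Return [(keyname, dns_name_verifiers_query, [warnings])]."""
    results = []
    for keyname, domain, selector, keypath in parse_keytable(text):
        # s= and d= in the signature come from the value, not from the key name.
        queried = f"{selector}._domainkey.{domain}"
        warnings = []
        # Assumed convention: key names are spelled like the DNS record name.
        if "._domainkey." in keyname and keyname != queried:
            warnings.append(f"key name is {keyname} but signatures carry "
                            f"s={selector}, d={domain}")
        # Assumed convention: the key file is named <selector>.private.
        stem = os.path.splitext(os.path.basename(keypath))[0]
        if stem != selector:
            warnings.append(f"key file {stem!r} does not match selector {selector!r}")
        results.append((keyname, queried, warnings))
    return results

if __name__ == "__main__":
    for keyname, queried, warnings in lint_keytable(BROKEN + "\n" + FIXED):
        print(f"{keyname}: verifiers will look up TXT {queried}")
        for w in warnings:
            print(f"  WARNING: {w}")
```

For the entry from the thread it reports that verifiers would look up mail._domainkey.myvirtualdomain.xyz, while the published TXT record is under default._domainkey.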
 