Implementing Multi-Domain DKIM Signing with OpenDKIM: A Postfix Configuration Guide

When managing multiple domains on a single Postfix server, OpenDKIM requires careful configuration to ensure proper email authentication. Each domain needs:

  • Unique or shared DKIM keys
  • Proper DNS TXT records
  • Correct selector configuration

While it is technically possible to use a single key for all domains, doing so creates security and management issues. The single-key form relies on the Domain/KeyFile/Selector directives, which hold exactly one key:

# Not recommended (single key for all domains)
Domain    domain1.com,domain2.com,domain3.com
KeyFile   /etc/opendkim/keys/shared.private   # one private key shared by every domain (placeholder path)
Selector  mail

The preferred approach uses separate keys for each domain, mapped through the KeyTable and SigningTable files (the SigningTable needs the refile: prefix because its entries use wildcards):

# Recommended approach (separate keys)
KeyTable     /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

Here's a complete multi-domain OpenDKIM configuration example:

# /etc/opendkim.conf
Syslog         yes
UMask          002
UserID         opendkim:opendkim

# Per-domain key mapping; the table formats are shown below.
# SigningTable entries are wildcard patterns (*@domain), so the refile: prefix is required.
KeyTable       /etc/opendkim/KeyTable
SigningTable   refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts  /etc/opendkim/TrustedHosts

# Listen on the TCP socket that the Postfix milter settings below point at
Socket         inet:8891@localhost

Canonicalization  relaxed/simple
Mode             sv
SubDomains       no
AutoRestart      yes
AutoRestartRate  10/1M
Background       yes
DNSTimeout       5
SignatureAlgorithm  rsa-sha256

Generate keys for each domain (example for domain1.com):

opendkim-genkey -b 2048 -h sha256 -r -s mail -d domain1.com   # -h takes the hash name (h=sha256), not rsa-sha256
mkdir -p /etc/opendkim/keys
mv mail.private /etc/opendkim/keys/domain1.com.private          # path referenced by the KeyTable below
mv mail.txt domain1.com.txt
chown opendkim:opendkim /etc/opendkim/keys/domain1.com.private
chmod 600 /etc/opendkim/keys/domain1.com.private                # OpenDKIM refuses keys readable by other users

Repeat this for each domain, changing the domain name accordingly.

KeyTable file structure:

# /etc/opendkim/KeyTable
mail._domainkey.domain1.com domain1.com:mail:/etc/opendkim/keys/domain1.com.private
mail._domainkey.domain2.com domain2.com:mail:/etc/opendkim/keys/domain2.com.private
mail._domainkey.domain3.com domain3.com:mail:/etc/opendkim/keys/domain3.com.private

SigningTable file structure:

# /etc/opendkim/SigningTable
*@domain1.com mail._domainkey.domain1.com
*@domain2.com mail._domainkey.domain2.com
*@domain3.com mail._domainkey.domain3.com

For each domain, you need to create a TXT record. Using domain1.com as example:

mail._domainkey.domain1.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

The "p=" value comes from the domain1.com.txt file generated earlier. That file is in BIND zone format, and opendkim-genkey splits a 2048-bit key into several quoted strings; when you paste it into a DNS provider's web form, join the strings into one value (without the quotes) so the record is served as a single TXT string.

Add these lines to /etc/postfix/main.cf:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Test your configuration with:

# -k checks that the published record matches the private key the server will sign with
opendkim-testkey -d domain1.com -s mail -k /etc/opendkim/keys/domain1.com.private -vvv

Send a test email and verify the DKIM signature using online tools like MXToolbox.

Implement key rotation by:

  1. Generating new keys with different selectors (e.g., mail2)
  2. Updating DNS records while keeping old records
  3. Updating KeyTable and SigningTable
  4. Gradually phasing out old keys
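As an added consistency check that is not part of this guide or of OpenDKIM itself, the following Python script parses a KeyTable and a SigningTable in the formats shown above, lists every selector._domainkey.domain record that must be published (including a retired selector kept during rotation), and flags entries that point at a missing key or would sign with a d= that differs from the sender domain. The sample tables are constructed inline.

```python
# Constructed sample tables in the two formats shown above: domain1.com is
# mid-rotation (mail2 is live, mail still published) and domain3.com has no key.
KEYTABLE = """\
mail._domainkey.domain1.com  domain1.com:mail:/etc/opendkim/keys/domain1.com.private
mail2._domainkey.domain1.com domain1.com:mail2:/etc/opendkim/keys/domain1.com.mail2.private
mail._domainkey.domain2.com  domain2.com:mail:/etc/opendkim/keys/domain2.com.private
"""
SIGNINGTABLE = """\
*@domain1.com mail2._domainkey.domain1.com
*@domain2.com mail._domainkey.domain2.com
*@domain3.com mail._domainkey.domain3.com
"""

def _entries(text):
    """Yield (left, right) from each non-blank, non-comment 'left right' line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            left, right = line.split(None, 1)
            yield left, right.strip()

def check_tables(keytable, signingtable):
    """Cross-check a KeyTable against a SigningTable.

    Returns {'problems', 'dns_names', 'needs_refile'}: dns_names lists every
    selector._domainkey.domain record to publish (retired selectors included);
    needs_refile is True when a wildcard pattern requires 'SigningTable refile:...'.
    """
    keys, problems, needs_refile = {}, [], False
    for name, spec in _entries(keytable):
        domain, selector, path = spec.split(":", 2)  # value is domain:selector:path
        keys[name] = (domain, selector, path)
        if name != f"{selector}._domainkey.{domain}":
            problems.append(f"KeyTable name {name} does not match {selector}._domainkey.{domain}")
    for pattern, keyname in _entries(signingtable):
        needs_refile = needs_refile or "*" in pattern
        if keyname not in keys:
            problems.append(f"SigningTable {pattern} -> {keyname}: no such KeyTable entry")
        elif keys[keyname][0] != pattern.rsplit("@", 1)[-1]:
            problems.append(f"{pattern} is signed with d={keys[keyname][0]}; check DMARC alignment")
    dns_names = sorted(f"{sel}._domainkey.{dom}" for dom, sel, _ in keys.values())
    return {"problems": problems, "dns_names": dns_names, "needs_refile": needs_refile}

if __name__ == "__main__":
    report = check_tables(KEYTABLE, SIGNINGTABLE)
    print("publish TXT records at:", *report["dns_names"], sep="\n  ")
    for problem in report["problems"]:
        print("WARN:", problem)
```

Run it against the real files (open(...).read()) before restarting OpenDKIM; an empty problems list and a DNS name list that matches what is published is the state you want before an old selector is removed.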

Remember to restart services after configuration changes:

systemctl restart opendkim postfix

When configuring OpenDKIM for multiple domains on a single Postfix server, you need to understand the concept of "selector-based key management". Each domain requires its own DKIM key pair and DNS TXT record, but you can manage them efficiently through proper configuration.

Generate separate keys for each domain (recommended for security isolation):

# Generate keys for domain1.com
opendkim-genkey -b 2048 -d domain1.com -s mail -r
mv mail.private domain1.key
mv mail.txt domain1.dns

# Generate keys for domain2.com
opendkim-genkey -b 2048 -d domain2.com -s mail -r
mv mail.private domain2.key
mv mail.txt domain2.dns

# Generate keys for domain3.com
opendkim-genkey -b 2048 -d domain3.com -s mail -r
mv mail.private domain3.key
mv mail.txt domain3.dns

Modify /etc/opendkim.conf with this multi-domain pattern. KeyFile and Selector hold a single key and do not expand per-domain macros, so the per-domain mapping goes through KeyTable and SigningTable:

# Basic settings
Syslog             yes
UMask              007
Canonicalization   relaxed/simple

# Domain and key configuration: one entry per domain in each table, for example
#   KeyTable:     mail._domainkey.domain1.com domain1.com:mail:/etc/opendkim/keys/domain1.com/mail.key
#   SigningTable: *@domain1.com mail._domainkey.domain1.com
KeyTable           /etc/opendkim/KeyTable
SigningTable       refile:/etc/opendkim/SigningTable

# Socket configuration
Socket             inet:8891@localhost

Create domain-specific directories and move keys:

mkdir -p /etc/opendkim/keys/domain1.com
mkdir -p /etc/opendkim/keys/domain2.com
mkdir -p /etc/opendkim/keys/domain3.com

mv domain1.key /etc/opendkim/keys/domain1.com/mail.key
mv domain2.key /etc/opendkim/keys/domain2.com/mail.key
mv domain3.key /etc/opendkim/keys/domain3.com/mail.key

# Private keys must belong to the opendkim user and be readable by nobody else
chown -R opendkim:opendkim /etc/opendkim/keys
chmod 600 /etc/opendkim/keys/*/mail.key

Add these lines to /etc/postfix/main.cf:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

For each domain, create a TXT record at mail._domainkey.yourdomain.com with the content from the corresponding .dns file. Example for domain1.com:

mail._domainkey.domain1.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Restart both services, then send a test message:

service opendkim restart
service postfix restart

# Test email signing
echo "Test message" | mail -s "DKIM Test" recipient@example.com

Use online validators like dkimvalidator.com to verify signatures for each domain.

While not recommended, you could use a single key for all domains by:

1. Using one key file in opendkim.conf
2. Adding identical TXT records for each domain
3. Setting "Domain *" in opendkim.conf

This approach has security implications and may affect deliverability: every domain depends on one private key, so a compromise of that key lets an attacker sign as all of them, and the key cannot be rotated or revoked for one domain without affecting the rest.