help centre
For more info visit status.atmail.com

How can we help?


Search our knowledge base for answers to
common questions and latest updates.



My activities New request

Follow

Multiple Domains with DKIM

Dominic -

PROBLEM

I want to use multiple DKIM's with multiple domains on my mail server.

ENVIRONMENT

  • On-Premise Server + WebMail Installations: Version 7.0 > Current Version

CAUSE

The Web admin page only allows one domain with DKIM to be specified.

RESOLUTION

WARNING
These changes are to the back end of the server only. Every time "save" is pressed from the Web Admin->Services->SMTP (where the dkim settings are), the front-end will populate the back-end with what ever values are currently present. It will therefor overwrite any custom configurations that have previously been entered. Please be mindful when implementing this.

For this explanation, example1.com and example2.com will be the domains used throughout the document. Please note, management of multiple DKIM's will not be accessible from the Web interface. It is however recommended you have DKIM 'ON' and provide details for ONE of your domains to satisfy the web page requirements on Web Admin->Services->SMTP settings page.

  1. Create a new dkim directory within your atmail server.
    % mkdir /usr/local/atmail/mailserver/ssl/dkim
  2. Change into the new dkim directory and create your public and private keys for your domains:
    % cd /usr/local/atmail/mailserver/ssl/dkim
    % openssl genrsa -out example1.com-private.pem 1024 -outform PEM
    % openssl rsa -in example1.com-private.pem -out example1.com.pem -pubout -outform PEM
    % openssl genrsa -out example2.com-private.pem 1024 -outform PEM
    % openssl rsa -in example2.com-private.pem -out example2.com.pem -pubout -outform PEM

    To avoid confusion with the .pem files, create a pub (public keys) directory and move the .com.pems into it.

    % mkdir pub ; mv example1.com.pem example2.com.pem pub/
  3. Change ownership of files and directory to atmail
    % chown -R atmail:atmail /usr/local/atmail/mailserver/ssl/dkim/*
  4. DKIM requires a TXT record that is to be published in the domains DNS records. A TXT record in regards to DKIM requires two fields: a name/selector field, and a text/value field. A common practice is to use the date for the 'selector' that is associated with the domain.

    For example, a selector of 20160321, used with our example1.com domain, the entry should look like the following:
    % 20160321._domainkey.example1.com

    The TXT record uses the public key you made earlier to populate the 'p=' field. Open your domains public-key file with any editor of your choice. The entire file will look like the following:

     % vim example1.com.pem 
    -----BEGIN PUBLIC KEY-----
    MIGfMA0CGSqGSIb3DQEBAQUAA4GNADCBiQKBgQDecXeuzMCtnWstzeQ3Rtib3Qm4
    7BAtzDuNai+ybuDin7sGzCpa9ukrtWTzRejWwfPWO6UgCaCrM1NqCnt2xt0v6Rrh
    Um1ufHCtpuFAYJ9ubdcxdyo/Xwv2tAa5K748YzuIAI3fio8RFQ3flKJowCsg9wDj
    CSvjUm3NMPfebeR9PwIDAQAB
    -----END PUBLIC KEY-----

    A python script 'dkim_txt.py' can be found at the bottom of this page (Not compatible with python 3 or greater). To use it, run:

     % python dkim_txt.py example1.com.pem

    This will create a file containing the correct format for your DNS TXT record.

    Otherwise carefully manually remove the header, footer and any line breaks as the TXT record must be submitted as a single line as per below.

     % 20160321._domainkey.example1.com IN TXT "v=DKIM1 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi65c5K5Pp7bh/T7icab1v0fLQ7sfqNVWezBqhgljfVbH3Nn6nhVW+1l4tAPJUmSssssqFfL+Nx8D1YsPdzralcoMLp0Y3zRLCRBJ9dfgnBJmMwCp+IBW8MjGZa11OV8nIUBp0goG0NDS4UTDmtmecRRS0eWer3fA03ooRQgXRpwIDAQAB"
  5. Update your domains DNS records to replicate something like the following:

  6. Verify your DNS TXT record is working using the following: https://www.mail-tester.com/spf-dkim-check

  7. Next edit /usr/local/atmail/mailserver/configure. First, Find:
    #Optionally sign outgoing messages with a selected DKIM key
    dkim_domain=domain.com
    dkim_selector=mail
    dkim_private_key=/usr/local/atmail/mailserver/ssl/private/dkim.key
    
    Change to:
    #Optionally sign outgoing messages with a selected DKIM key
    dkim_selector=20160322
    dkim_domain=${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
    dkim_private_key=${if exists{/usr/local/atmail/mailserver/ssl/dkim/${dkim_domain}-private.pem} {/usr/local/atmail/mailserver/ssl/dkim/${dkim_domain}-private.pem}}
    
    Please make sure the paths to /dkim are correct and that the dkim_selector= the name of your selector you have chosen for your DNS TXT records.
  8. Restart Atmail services for the configuration to take affect.
    % /etc/init.d/atmailserver restart
  9. To test DKIM, send an email and verify by inspecting the headers:
Have more questions? Submit a request

Comments


Contact our support team


+61 (7) 5357 6605       support@atmail.com