Saturday, May 26, 2018

How do I use OpenDKIM with multiple domain names on a single Postfix server?

There's this guide, but it's kind of a pain in the ass. Too much heavy lifting for my tastes.

Here's a trick nobody seems to mention online: the Domain setting in opendkim.conf, where you name the domain whose mail should be signed, accepts more than one domain, separated by commas.

Instead of
Domain example.com
put
Domain example.com,example.org,mydomain3.com
in your opendkim.conf file.

Upside: Super easy.
Downside: All domains have to share the same DKIM key pair, because this setup has a single Selector and KeyFile in opendkim.conf. The same public key therefore has to be published as the selector._domainkey TXT record in every one of those domains' DNS zones; a domain you add to the list without publishing the record will send out signatures that fail verification.

It works fine. Although opendkim-genkey takes a domain name (-d) when you create a key, that only labels the output; the RSA key pair itself is not tied to any domain, so one key can sign for all of them. At scale, sharing a key is insecure: whoever gets hold of the private key can sign mail as every domain on the list, and you cannot rotate or revoke one domain's key without doing it for all of them. At the hobbyist level, where I've got three domains running on my one server that send a grand total of 50 emails a day, it's not a concern.

You can also put an asterisk (*) to wildcard the Domain setting in opendkim.conf. I don't recommend this, because OpenDKIM will then sign mail for any From: domain, using that domain as the signing domain (the d= tag), without checking that a DKIM public key has actually been published for it. So if you send or forward any mail at all for another domain, that mail goes out with a DKIM signature that cannot be verified. A case where this happens and is very bad for you is mailing lists. Some mailing lists rewrite the From: address to use their own domain to avoid DMARC failures, but not all do, and some only do it sometimes. So I strongly recommend against using a wildcard here.
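Added example, not code from the original post or from OpenDKIM itself: a small Python model of the two configurations discussed above, the comma-separated Domain list and the wildcard. It parses a constructed opendkim.conf fragment and a constructed stand-in for the selector .txt file that opendkim-genkey writes, decides for a few sample From: domains whether OpenDKIM would sign (following the post: From: domain listed in Domain, or anything at all when Domain is *), treats the From: domain as the signing domain, and then checks a constructed set of DNS TXT answers for a matching p= under selector._domainkey. Every domain name, key string and DNS answer is a placeholder; SubDomains is assumed off and the InternalHosts check is ignored.

```python
"""Model of the Domain setting from the post, plus a check that the shared
key is published under every listed domain. Added example, not OpenDKIM
code; every domain, key string and DNS answer below is constructed."""
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed opendkim.conf fragment: one key pair, several domains,
# no KeyTable/SigningTable.
CONF = """\
Syslog    yes
Domain    example.com,example.org,mydomain3.com
Selector  mail
KeyFile   /etc/opendkim/keys/mail.private
"""

# Same fragment with the wildcard the post warns against.
WILDCARD_CONF = re.sub(r"(?m)^Domain\s.*$", "Domain    *", CONF)

# Placeholder public key (not the base64 of a real key).
PUBKEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7constructedkey"

# Constructed stand-in for the mail.txt file opendkim-genkey writes next to
# the private key: the record to publish, split over two quoted strings.
SELECTOR_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=' + PUBKEY + '" )  ; ----- DKIM key mail for example.com\n'
)

# Constructed DNS answers (name -> TXT character-strings). example.org
# publishes the record as two strings, mydomain3.com was never published,
# lists.example.net is somebody else's domain.
DNS_TXT: Dict[str, List[str]] = {
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + PUBKEY],
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; ", "p=" + PUBKEY],
}


def parse_conf(text: str) -> Dict[str, str]:
    """'Name value' pairs from opendkim.conf; names lower-cased, comments skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def domain_setting(conf: Dict[str, str]) -> Union[str, List[str]]:
    """'*' for the wildcard, otherwise the comma-separated list as a list."""
    raw = conf.get("domain", "")
    if raw.strip() == "*":
        return "*"
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


def signing_domain(from_domain: str, domains: Union[str, List[str]]) -> Optional[str]:
    """Domain OpenDKIM would sign as (d=) for mail From: this domain, or None
    when the message is verified instead of signed (behaviour as the post
    describes it: listed domains are signed, '*' signs everything)."""
    from_domain = from_domain.lower()
    if domains == "*" or from_domain in domains:
        return from_domain
    return None


def dkim_tags(record: str) -> Dict[str, str]:
    """tag=value pairs of a DKIM TXT record; quoted strings of the zone-file
    form '( "..." "..." )' are joined first, whitespace inside values dropped."""
    strings = re.findall(r'"([^"]*)"', record)
    flat = "".join(strings) if strings else record
    tags: Dict[str, str] = {}
    for part in flat.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def published_pubkey(name: str, dns: Dict[str, List[str]]) -> Optional[str]:
    """p= value published at name, joining multi-string TXT answers."""
    strings = dns.get(name)
    return dkim_tags("".join(strings)).get("p") if strings else None


def audit(conf_text: str, from_domains: List[str], dns: Dict[str, List[str]],
          key_record: str = SELECTOR_TXT) -> Dict[str, Tuple[Optional[str], Optional[bool]]]:
    """For each From: domain: (domain signed as or None, signature verifiable or None)."""
    conf = parse_conf(conf_text)
    domains, selector = domain_setting(conf), conf["selector"]
    expected = dkim_tags(key_record)["p"]
    result: Dict[str, Tuple[Optional[str], Optional[bool]]] = {}
    for sender in from_domains:
        signed_as = signing_domain(sender, domains)
        if signed_as is None:
            result[sender] = (None, None)
        else:
            name = f"{selector}._domainkey.{signed_as}"
            result[sender] = (signed_as, published_pubkey(name, dns) == expected)
    return result


def missing_records(conf_text: str, dns: Dict[str, List[str]],
                    key_record: str = SELECTOR_TXT) -> List[str]:
    """Listed domains whose DNS does not carry this key under the selector."""
    conf = parse_conf(conf_text)
    domains = domain_setting(conf)
    if domains == "*":
        raise ValueError("Domain * cannot be audited: it signs for any From: domain")
    expected = dkim_tags(key_record)["p"]
    return [d for d in domains
            if published_pubkey(f"{conf['selector']}._domainkey.{d}", dns) != expected]


if __name__ == "__main__":
    senders = ["example.com", "example.org", "mydomain3.com", "lists.example.net"]
    for label, text in (("list", CONF), ("wildcard", WILDCARD_CONF)):
        print(label, audit(text, senders, DNS_TXT))
    print("unpublished:", missing_records(CONF, DNS_TXT))
```

Against a live server, replace DNS_TXT with the output of dig +short TXT selector._domainkey.domain and SELECTOR_TXT with the .txt file in your keys directory; opendkim-testkey -d domain -s selector -vvv performs the same per-domain check, and running it once per listed domain is the quick way to catch the unpublished-record case before it shows up as a DMARC failure.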
