Topic: DKIM alignment failures
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.2
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Debian 12.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have an iRedMail host configured with SPF, DKIM, and DMARC records for multiple domains. All DKIM records resolve correctly in the DNS. There are unique records for both the canonical hostname and for each virtual domain on the server. For example, each of these domains has its own DKIM record:
canonical hostname: mail.example0.com
virtual domain 1: example1.com
virtual domain 2: example2.com
The problem is that even though example1.com and example2.com have well-formed DKIM records in the DNS, the DKIM-Signature header for every outgoing message uses example0.com as the domain.
DKIM signature checking fails because the DKIM signature does not match the domain in the From: header.
For example, here are header excerpts from a message sent from example2.com:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example0.com;
..
From: Some User <user@example2.com>
Thus, DKIM alignment fails because the domain in the DKIM-Signature field ("d=example0.com") and the From field do not match.
How do I configure iRedMail so each virtual domain uses its own DKIM record?
-----
Aside: I only discovered this after installing the dmarcts-report-parser package and the related dmarcts-report-viewer project. This revealed SPF or DMARC problems in a few emails, but every single message had a DKIM signature error.
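Added example, not part of the original post and not iRedMail code: a small Python check that compares the d= tag of each DKIM-Signature header with the From: domain, which is the alignment test DMARC applies. The sample message is constructed from the placeholder domains above, the function names are hypothetical, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message using the placeholder domains from the post.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example0.com;
\ts=dkim; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Some User <user@example2.com>
To: rcpt@example.net
Subject: test

body
"""

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # A production checker would consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= value of every DKIM-Signature header in the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", " ", value)  # undo header folding
        tags = dict(
            (k.strip().lower(), v.strip())
            for k, _, v in (t.partition("=") for t in unfolded.split(";"))
            if k.strip()
        )
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def check_alignment(raw, strict=False):
    """Return (from_domain, [(d_value, aligned), ...]).

    Only alignment is checked here; the signature itself is not verified.
    Relaxed mode compares organizational domains, strict mode requires an
    exact match between d= and the From: domain.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for d in dkim_domains(msg):
        if strict:
            aligned = d == from_domain
        else:
            aligned = org_domain(d) == org_domain(from_domain)
        results.append((d, aligned))
    return from_domain, results
```

Run over the sample, `check_alignment(SAMPLE)` reports d=example0.com as not aligned with example2.com, matching the failure described in the post.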