1

Topic: DKIM on relay server

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
We've implemented DKIM on our main system and it works nicely. But now I want to implement it as well on our relay server, which is a separate mail server for our servers to send mail.

So today, I already have a record for dkim._domainkey.mydomain.com which has a public key in it. To also allow the relay server, which has a different private key, could I set the name for the relay record to relay._domainkey.mydomain.com in amavisd conf? And then add that record to the DNS with its public key?

Best Regards
Radapompa


2

Re: DKIM on relay server

I found this helpful text on "the internet".
-----
If you don't want to copy the certificate to all servers or you have another server signing the DomainKeys/DKIM with the key pair certificate not supported by EA DomainKeys, you can use a different selector for each server.

For example, there are two servers named "server1" and "server2". On the first server (server1), "svr1" is used as the selector. On the second server (server2), "svr2" is used as the selector. The two servers use different key pairs (certificates).

Two public key records should be deployed: deploy the first server public key to svr1._domainkey.yourdomain; deploy the second server public key to svr2._domainkey.yourdomain

When an email is sent from the first server, the email will be signed by the key pair (certificate) on this server and the receiver will query the public key from svr1._domainkey.yourdomain to validate the DKIM signature.

When an email is sent from the second server, the email will be signed by the key pair (certificate) on this server and the receiver will query the public key from svr2._domainkey.yourdomain to validate the DKIM signature.

This is how the "selector" provides a solution for using different key pairs/certificates with the same domain on multiple servers.
----
More info:
https://stackoverflow.com/questions/326 … gle-domain

Verify your settings using: https://www.mail-tester.com/spf-dkim-check
or: https://mxtoolbox.com/dkim.aspx

3

Re: DKIM on relay server

Radapompa wrote:

Could I set the name for the relay record to relay._domainkey.mydomain.com in amavisd conf? And then add that record to the DNS with its public key?

YES.
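
Added example (not written by any poster in this thread, and not iRedMail or Amavisd code): how a receiving verifier derives the DNS name to query from the `s=` and `d=` tags of the DKIM-Signature header, which is why the `dkim` and `relay` selectors can coexist on one domain. The zone contents, key values and sample headers are constructed placeholders.

```python
import re

# Constructed zone data: two selectors under one domain, each publishing a
# different public key. Selector names follow the thread; key values are fake.
ZONE = {
    "dkim._domainkey.mydomain.com": "v=DKIM1; k=rsa; p=MAINSERVERPUBKEYPLACEHOLDER",
    "relay._domainkey.mydomain.com": "v=DKIM1; k=rsa; p=RELAYSERVERPUBKEYPLACEHOLDER",
}

# Constructed DKIM-Signature header values (folded, as they appear on the wire).
MAIN_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;\r\n"
            " s=dkim; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
RELAY_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;\r\n"
             " s=relay; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")


def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in the header and the TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            # Split on the first "=" only: base64 values may end in "=" padding.
            name, _, val = part.partition("=")
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(dkim_signature):
    """Return the DNS name a verifier queries: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature lacks s= or d= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def lookup_public_key(dkim_signature, zone=ZONE):
    """Resolve the signature's selector to its published p= value, or None."""
    txt = zone.get(key_record_name(dkim_signature))
    if txt is None:
        return None  # selector not published in DNS: verification fails
    # An empty p= marks a revoked key, so treat it the same as "no key".
    return parse_tags(txt).get("p") or None


if __name__ == "__main__":
    for label, sig in (("main", MAIN_SIG), ("relay", RELAY_SIG)):
        print(label, key_record_name(sig), lookup_public_key(sig))
```

A signature whose selector has no TXT record, or whose record has an empty `p=`, returns `None` here; mail from the relay would fail DKIM in exactly that way until its own selector record is published.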