What I am trying to achieve, bottom line: mails should go to the inbox rather than the spam folder.

I have a server running Postfix (mail server) and I have 3 domains. The mail server is used for both incoming and outgoing mail.

I am signing with OpenDKIM and have DNS records in place.

After a long observation, I've realized that messages are going to spam due to incorrect mailed-by and signed-by assignment.

Consider my mail server to be mailserver.example.com and the 3 other domains to be example1.com, example2.com and example3.com.

When someone sends an email from admin@example1.com, it should display:

admin@example1.com via mailserver.example.com

mailed-by: mailserver.example.com

signed-by: example1.com

I have observed that Mailjet and Amazon emails hardly ever go into spam; the fact is, 'maybe' because the originating hostname / IP reverse resolves to what mailed-by and signed-by are.

Config files:

/etc/opendkim/Keytable

mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private

/etc/opendkim.conf

Domain          example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector        selc

Domain          example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector        selc

Canonicalization    simple
Mode            sv
Syslog                  yes
LogWhy                  yes
UMask                   022
UserID                  opendkim:opendkim
KeyTable           /etc/opendkim/KeyTable
SigningTable       /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts
Socket                  inet:34562@localhost
X-Header        no

and finally

/etc/opendkim/SigningTable

example1.com selc._domainkey.example1.com
example2.com selc._domainkey.example2.com

What am I missing?

Keval Domadia
  • How does SPF come into this question? – MadHatter Dec 02 '13 at 10:27
  • By error. Edited. Do you have answer? – Keval Domadia Dec 02 '13 at 12:20
  • No, but if you'd wanted SPF guidance as well I'd've moved to close this question as being overbroad, plus SPF configuration questions are OT as duplicates of the canonical SPF question at http://serverfault.com/questions/369460/what-are-spf-records-and-how-do-i-configure-them/. – MadHatter Dec 02 '13 at 12:28
  • Yea... I read that answer whilst updating my SPF stuff... However, I am a bit held up with DKIM... If you might know... I have this DKIM for example1 and example2, and when I generate for mail.example and submit that as DKIM it would fail the auth, which ... is logically self-explanatory but... any ideas? – Keval Domadia Dec 02 '13 at 13:30

1 Answer

First of all, please remove these values (they aren't needed if you use KeyTable):

Domain      example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector    selc

Domain      example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector    selc

Set up your KeyTable like this:

mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key

Set up your SigningTable like this (note the wildcard matching and mykey1 and mykey2 from the KeyTable):

*@example1.com mykey1
*@example2.com mykey2

And finally change your opendkim.conf to include the SigningTable via the refile: prefix (regular expression support):

SigningTable    refile:/etc/opendkim/SigningTable

And the domain records for reference (note recordname1 and recordname2 from the KeyTable):

recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."

Additionally, please check that you have your node hostname (from which you are sending mail) in the InternalHosts file:

server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com

Again, you can use the refile: prefix to be able to add something like:

*.example1.com
*.example2.com

if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.

You should check the log file for DKIM notices about skipping signing if your host is missing from the InternalHosts file.

Example of opendkim.conf:

# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog      yes
SyslogSuccess   yes
LogWhy      yes

UMask       002
UserID      opendkim:opendkim

KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/mail/SigningTable
InternalHosts       refile:/etc/mail/hosts

GeekMagus
  • Hey fantastic! Lemme try out... – Keval Domadia Dec 20 '13 at 18:11
  • `mykey1 example1.com:recordname1:/path/to/domain.key`, `mykey2 example2.com:recordname2:/path/to/domain.key`: mykey1 and mykey2 = DNS TXT record key names? – Keval Domadia Dec 20 '13 at 18:19
  • What is an `InternalHosts`? Rest all done... – Keval Domadia Dec 20 '13 at 18:24
  • You have included it in your opendkim.conf: `InternalHosts /etc/opendkim/TrustedHosts`. This file contains all hosts for which messages will be signed. recordname1 and recordname2 are DNS TXT records. mykey1 and mykey2 are for internal usage, for example to link emails to specific keys – GeekMagus Dec 20 '13 at 18:28
  • `UserID opendkim:opendkim`; `KeyTable /etc/opendkim/KeyTable`; `SigningTable refile:/etc/opendkim/SigningTable`; `ExternalIgnoreList /etc/opendkim/TrustedHosts`; `InternalHosts /etc/opendkim/TrustedHosts`; `Socket inet:12345@localhost` – Keval Domadia Dec 20 '13 at 18:29
  • My ExternalIgnoreList and InternalHosts are the same file... is that correct? – Keval Domadia Dec 20 '13 at 18:29
  • Done... now I am getting Relay access denied - SMTP error 554 – Keval Domadia Dec 20 '13 at 18:32
  • Can you show an example file...? – Keval Domadia Dec 20 '13 at 18:33
  • Hi, I just tried that... it says mailed-by - example1, signed-by - example1... but I am sending email via example2... – Keval Domadia Dec 20 '13 at 18:41
  • Are you sure that SigningTable is correctly configured? `*@example1.com mykey1` <== `*@example2.com mykey2` <== note mykey1 and mykey2 – GeekMagus Dec 20 '13 at 18:48
  • Yes... SigningTable is correct... Also, Gmail tells me signed-by example.com, but I want mailed-by to be the server from where emails are being sent... as in... we are hosted solutions... – Keval Domadia Dec 20 '13 at 18:52
  • ExternalIgnoreList is used to suppress LOG messages like "External host trying to send mail via our SMTP server" – GeekMagus Dec 20 '13 at 18:52
  • Do you have "dkim=pass" in the message source (which comes to your Gmail)? Or dkim=neutral or fail? – GeekMagus Dec 20 '13 at 18:54
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/12088/discussion-between-greshnik-and-karmicdice) – GeekMagus Dec 20 '13 at 18:58
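The mismatch at the heart of this thread (the SigningTable's right-hand side must name a KeyTable entry, and a refile: SigningTable matches the From: address with wildcards) is easy to check offline before restarting OpenDKIM. The script below is an added example, not code from the question, the answer or the OpenDKIM project: it parses a KeyTable and a SigningTable in the formats the answer describes, reports SigningTable entries that point at undefined keys, tells you which key would sign mail from a given address, and derives the DNS record name (selector._domainkey.domain) that a verifier will query. The sample tables are constructed inline; the wildcard matching is an approximation of OpenDKIM's refile: behaviour (glob on the full address), not its exact regex conversion.

```python
"""Consistency checker for OpenDKIM KeyTable / SigningTable (added example).

Constructed sample tables follow; none of the paths or key names are real.
"""
import fnmatch
import re

# Constructed KeyTable in the answer's format: name domain:selector:keypath
KEYTABLE = """\
mykey1 example1.com:recordname1:/etc/opendkim/keys/example1_com/recordname1.private
mykey2 example2.com:recordname2:/etc/opendkim/keys/example2_com/recordname2.private
"""

# Constructed SigningTable in refile: (wildcard) syntax, as the answer recommends.
SIGNINGTABLE_REFILE = """\
*@example1.com mykey1
*@example2.com mykey2
"""

# Constructed SigningTable in plain syntax: exact match on address or bare domain.
SIGNINGTABLE_PLAIN = """\
example1.com mykey1
example2.com mykey2
"""

# Constructed tables mirroring the failure mode in the question: the SigningTable
# points at names that the KeyTable never defines (key names differ).
BROKEN_KEYTABLE = """\
mvs._domainkey.example1.com example1.com:selc:/etc/opendkim/keys/example1_com/selc.private
mvs._domainkey.example2.com example2.com:selc:/etc/opendkim/keys/example2_com/selc.private
"""
BROKEN_SIGNINGTABLE = """\
example1.com selc._domainkey.example1.com
example2.com selc._domainkey.example2.com
"""


def parse_keytable(text):
    """Map key name -> (domain, selector, key path); blank and # lines skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(None, 1)
        domain, selector, path = spec.strip().split(":", 2)
        table[name] = (domain, selector, path)
    return table


def parse_signingtable(text):
    """List of (pattern, key name) pairs in file order."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, keyname = line.split(None, 1)
        pairs.append((pattern, keyname.strip()))
    return pairs


def lookup_signing_key(sender, signing_pairs, refile):
    """Key name whose SigningTable entry matches `sender`, or None if unsigned.

    refile=True  -> glob match of the full address ('*@domain' style).
    refile=False -> exact match of the full address, then of the bare domain.
    """
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    for pattern, keyname in signing_pairs:
        pattern = pattern.lower()
        if refile:
            if fnmatch.fnmatchcase(sender, pattern):
                return keyname
        elif pattern in (sender, domain):
            return keyname
    return None


def check_tables(keytable, signing_pairs):
    """Return human-readable problems; an empty list means the tables agree."""
    problems = []
    for pattern, keyname in signing_pairs:
        if keyname not in keytable:
            problems.append(f"SigningTable '{pattern}' references key '{keyname}', "
                            "which is not defined in KeyTable")
    for name, (domain, selector, path) in keytable.items():
        if not re.fullmatch(r"[A-Za-z0-9._-]+", selector):
            problems.append(f"KeyTable '{name}': selector '{selector}' is not a valid DNS label")
        if not path.startswith("/"):
            problems.append(f"KeyTable '{name}': key path '{path}' is not absolute")
    return problems


def dns_record_name(keytable, keyname):
    """TXT record a verifier queries for this key: <selector>._domainkey.<domain>."""
    domain, selector, _ = keytable[keyname]
    return f"{selector}._domainkey.{domain}"


if __name__ == "__main__":
    good = parse_keytable(KEYTABLE)
    print("good tables:", check_tables(good, parse_signingtable(SIGNINGTABLE_REFILE)) or "OK")
    print("admin@example1.com signs with",
          lookup_signing_key("admin@example1.com", parse_signingtable(SIGNINGTABLE_REFILE), True),
          "->", dns_record_name(good, "mykey1"))
    for p in check_tables(parse_keytable(BROKEN_KEYTABLE), parse_signingtable(BROKEN_SIGNINGTABLE)):
        print("broken tables:", p)
```

Run it against your own files by reading them into the two parse functions; an address that returns None from lookup_signing_key is one OpenDKIM will pass through unsigned, which is the same condition the answer tells you to look for in the log as a "skipping signing" notice.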