
My server is handling mail for several virtual users and domains. The SPF records of the domains state that only the MX server is allowed to send mail (v=spf1 mx -all), and this MX server is a generic domain, so example.org and example.com both have mail.example.net as MX. If I also want to implement DKIM, does each virtual domain need its own key in DNS, with each outgoing mail signed using the domain's key, or does only the MX need a DKIM key, with all outgoing messages, regardless of which domain the From header states, signed using the MX domain key?

Edit: Just to clarify, mails sent are From: bob@example.org, From: alice@example.com but are all sent via the server mail.example.net

1 Answer


You configure DKIM for a domain, not for an MX. Therefore, every domain must have a record for the selector, corresponding to the DKIM signature.

RFC 6376, 3.6.2.1. Namespace

All DKIM keys are stored in a subdomain named _domainkey. Given a DKIM-Signature field with a d= tag of example.com and an s= tag of foo.bar, the DNS query will be for
foo.bar._domainkey.example.com.

Esa Jokinen
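To make the lookup rule from RFC 6376 concrete for the asker's setup, here is an added example (not part of the answer or the RFC) that parses a DKIM-Signature header, derives the DNS name a verifier will query from its d= and s= tags, and lists the _domainkey records that have to exist when each From: domain is signed with its own key on the shared MX. The header values, the selector name and the addresses are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample DKIM-Signature value (bh= and b= shortened; not a real signature).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=foo.bar; "
    "h=from:to:subject:date; bh=...; b=..."
)


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")          # first '=' separates tag and value
        tags[name.strip()] = "".join(value.split())   # folding whitespace is not significant
    return tags


def dkim_query_name(header_value: str) -> str:
    """DNS name a verifier queries: <s>._domainkey.<d>. (RFC 6376 section 3.6.2.1)."""
    tags = parse_dkim_tags(header_value)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature is missing the d= or s= tag")
    return f"{tags['s']}._domainkey.{tags['d']}."


def from_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lowercased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def signature_domain_matches_from(header_value: str, from_header: str) -> bool:
    """True when the signing domain (d=) is the From: domain, i.e. the message is
    signed with that virtual domain's key rather than the MX host's key."""
    return parse_dkim_tags(header_value)["d"].lower() == from_domain(from_header)


def required_dkim_records(from_headers, selector: str) -> list:
    """DNS names that must publish a key when every From: domain is signed with
    d= equal to its own domain under one shared selector name on the MX."""
    names = {f"{selector}._domainkey.{from_domain(h)}." for h in from_headers}
    return sorted(names)


if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_DKIM_SIGNATURE))
    # One record per virtual domain, even though mail.example.net sends all of them.
    for name in required_dkim_records(["bob@example.org", "Alice <alice@example.com>"], "mx1"):
        print(name)
```

Running it shows that a signature with d=example.com and s=foo.bar is looked up at foo.bar._domainkey.example.com., and that mail for example.org and example.com each needs its own _domainkey record; the selector string itself may be shared across domains, since it only names the record under each domain.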