
I have 4 domains hosted on a single server. Should I use 4 separate dkim keys or one for all of them?

Also, as far as selectors go, do I need to use the one specified in opendkim.conf, or can/should I create a new one per domain with a new key?

2 Answers


I have 4 domains hosted on a single server. Should I use 4 separate DKIM keys or one for all of them?

Technically you can use the same key-pair to generate DKIM signatures for all the domains you host on the same mail server. That may be preferable when you host (many) different domains.

  • Publish the DKIM record once in the DNS zone for your main domain, e.g.:
    dkim.example.net. 86400 IN TXT "k=rsa\; p=MIGfMA0GCSq...DAQAB\;"

  • For all your domains you'll need to use the same selector name and set up _domainkey DNS records such as:
    selector-name._domainkey IN CNAME dkim.example.net.

Then set up /etc/opendkim.conf:

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable

In /etc/opendkim/KeyTable:

selector-name  example.com:selector-name:/etc/opendkim/selector-name.key

And in /etc/opendkim/SigningTable map every domain to that single key:

* selector-name

For a limited number of domains I usually generate unique key pairs (opendkim-genkey --domain=example.com --selector=20180717 --verbose) for each domain and maintain the opendkim KeyTable and SigningTable mappings.

In /etc/opendkim/KeyTable:

selector-name._domainkey.example.com  example.com:selector-name:/etc/opendkim/selector-name._domainkey.example.com.key
selector-name._domainkey.example.org  example.org:selector-name:/etc/opendkim/selector-name._domainkey.example.org.key

And in /etc/opendkim/SigningTable map every domain to its own key:

example.com selector-name._domainkey.example.com
example.org selector-name._domainkey.example.org
HBruijn
  • When generating new unique keys for domains, do I need to use the selector from opendkim.conf? Or can I have different selectors as long as I specify them in the signing and key tables? I'm confused on why opendkim.conf has a selector option in there if they get specified in the key and signing tables. – Marcin Kozyra Jul 17 '18 at 18:31

I would suggest using different keys for different domains. You don't need to specify them with the same Selector, as when KeyTable is used, the Selector configuration parameter is not used.
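As an added example (my own code, not from either answer or from the OpenDKIM project), the script below parses a KeyTable and a SigningTable in the formats shown in the first answer, resolves which d=, s= and key file a given sender domain would be signed with, and cross-checks the two tables. It illustrates both answers at once: the selector in each signature comes from the KeyTable entry, not from the global Selector setting, and a shared key works for several domains when the KeyTable domain field is `%` (which opendkim.conf(5) documents as "replace with the sender's domain"), so that d= stays aligned with the From domain. The sample tables are constructed for this example; the matching is a simplified model that compares patterns against the sender domain only and treats `*` as a glob, an approximation of refile matching rather than OpenDKIM's exact lookup order.

```python
"""Parse OpenDKIM KeyTable/SigningTable files and resolve signing parameters.

Added example; the tables below are constructed, not taken from a real host.
"""
import fnmatch

# Constructed sample KeyTable: keyname  domain:selector:keyfile
# A '%' domain means "use the sender's domain in d=" (per opendkim.conf(5)).
KEYTABLE = """\
# per-domain keys, as in the answer's second layout
selector-name._domainkey.example.com  example.com:selector-name:/etc/opendkim/selector-name._domainkey.example.com.key
selector-name._domainkey.example.org  example.org:selector-name:/etc/opendkim/selector-name._domainkey.example.org.key
# one shared key for every other domain, signed as the sender's own domain
shared  %:shared:/etc/opendkim/shared.key
"""

# Constructed sample SigningTable: pattern  keyname (first match wins)
SIGNINGTABLE = """\
example.com selector-name._domainkey.example.com
example.org selector-name._domainkey.example.org
*           shared
"""


def _records(text):
    """Yield (key, value) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        yield parts[0], parts[1].strip()


def parse_keytable(text):
    """Map key name -> {'domain', 'selector', 'keyfile'}."""
    keys = {}
    for name, value in _records(text):
        fields = value.split(":", 2)
        if len(fields) != 3:
            raise ValueError(f"KeyTable entry {name!r} needs domain:selector:keyfile")
        domain, selector, keyfile = fields
        keys[name] = {"domain": domain, "selector": selector, "keyfile": keyfile}
    return keys


def parse_signingtable(text):
    """Ordered list of (pattern, keyname) rules."""
    return list(_records(text))


def resolve_signature(sender_domain, signing_rules, keys):
    """Return the d=, s=, key file and DNS name for a sender domain, or None.

    Simplified model: the pattern is matched against the sender domain only,
    with '*' treated as a glob (approximates refile matching).
    """
    for pattern, keyname in signing_rules:
        if fnmatch.fnmatchcase(sender_domain, pattern):
            entry = keys.get(keyname)
            if entry is None:
                raise KeyError(f"SigningTable refers to unknown key {keyname!r}")
            d = sender_domain if entry["domain"] == "%" else entry["domain"]
            return {
                "d": d,
                "s": entry["selector"],
                "keyfile": entry["keyfile"],
                # Name a verifier will query for the public key (TXT or CNAME).
                "dns_name": f"{entry['selector']}._domainkey.{d}",
                # Strict DMARC alignment: d= must equal the From domain
                # (relaxed/organizational-domain alignment is not modelled).
                "aligned": d == sender_domain,
            }
    return None


def check_tables(signing_rules, keys, existing_files=()):
    """Return a list of problems: dangling key names, unused keys, missing files."""
    problems = []
    used = set()
    for pattern, keyname in signing_rules:
        if keyname not in keys:
            problems.append(f"SigningTable '{pattern}' -> unknown key '{keyname}'")
        used.add(keyname)
    for name, entry in keys.items():
        if name not in used:
            problems.append(f"KeyTable key '{name}' is never referenced")
        if entry["keyfile"].startswith("/") and entry["keyfile"] not in existing_files:
            problems.append(f"key file {entry['keyfile']} for '{name}' not found")
    return problems


if __name__ == "__main__":
    keys = parse_keytable(KEYTABLE)
    rules = parse_signingtable(SIGNINGTABLE)
    for dom in ("example.com", "example.org", "example.net"):
        print(dom, resolve_signature(dom, rules, keys))
    # Pass the set of key files that really exist on the host; here we pretend all do.
    for p in check_tables(rules, keys, existing_files={e["keyfile"] for e in keys.values()}):
        print("WARN", p)
```

Running it shows example.com and example.org signed with their own keys and example.net falling through to the shared key with d=example.net, so all three stay DMARC-aligned; feeding it a real host's tables (and the actual key paths) catches a SigningTable entry pointing at a key name that was never added to the KeyTable, which is the usual cause of unsigned mail after adding a domain.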