RE: Double signing with OpenDKIM

From: Murray S. Kucherawy
Date: Mon, 15 Aug 2011 11:09:19 -0700

It sounds to me like you want to sign customer email with a signature bearing your domain name, and your customers are fine with that.

In that case, you only need to tell OpenDKIM which domains belong to your customers and/or from which IP addresses such email will arrive. So first, set up a KeyTable like so:


Next, set up your InternalHosts table so that all IP addresses from which customer email arrives are included.

Finally, set up your SigningTable so that all customer email is signed with the above key. You can do that in one of two ways:

1) Just sign everything, if you think that's safe:

*@* key2011

2) Configure a SigningTable that does a lookup in some local database to find your customer domain list. OpenDKIM includes support for various SQL databases, LDAP, local Sleepycat DB files and local flat files.

Let us know if you need any other information.


From: [] On Behalf Of Jonathan Casco
Sent: Monday, August 15, 2011 6:40 AM
Subject: Re: Double signing with OpenDKIM

Sorry, I do not have an example message which I could use to show what it is that I am going for.

My situation is that we provide a hosted solution for mailing where the customers are insisting that their from addresses be used. We would still like to sign for them but not have an on-behalf-of be used. One of the problems here is that these customers cannot modify their DNS records.

Thanks for your help once more, I really do appreciate it.

On Fri, Aug 12, 2011 at 6:15 PM, Murray S. Kucherawy wrote:
> -----Original Message-----
> From:<> [<>] On Behalf Of SM
> Sent: Friday, August 12, 2011 3:00 PM
> To: Jonathan Casco
> Cc:<>
> Subject: Re: Double signing with OpenDKIM
> Hi Jonathan,
> At 14:42 12-08-2011, Jonathan Casco wrote:
> >What I was looking to do was sign mail from a domain that is not
> >necessarily present in the from or sender headers.
> You can DKIM sign a message using a domain name which is not used in
> the "From:" or "Sender:" headers; see SigningTable in the opendkim.conf
> manual.
The SigningTable tells the filter which key(s) to use based on the determined message sender. That's based on the From: field by default, but you can use SenderHeaders to change that list.

It, however, doesn't have very complicated logic; it can't do multiple signatures based on different values, for example. You probably need the Lua extensions for that.

So, to help us point you at the right solution for you, can you show us an example message that shows the address(es) you want to extract, and what signature(s) you want to add for each?
Received on Mon Aug 15 2011 - 18:09:29 PST
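
The three tables described in the reply at the top of this message, laid out as an added example (not part of the original thread and not the OpenDKIM project's own files). Only the key name key2011 comes from the thread; the domain example.net, the selector sel2011, the file paths, the IP ranges and the customer domains are constructed placeholders.

```conf
# ---- /etc/opendkim.conf (excerpt; paths are assumed) ----
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
InternalHosts   /etc/opendkim/InternalHosts

# ---- /etc/opendkim/KeyTable ----
# <key name>  <signing domain>:<selector>:<private key file>
# example.net stands in for the hosting provider's own domain. The public
# key is published in the provider's DNS at sel2011._domainkey.example.net,
# so customers do not have to change their own zones. Signatures carry
# d=example.net, which differs from the customer's From: domain.
key2011    example.net:sel2011:/etc/opendkim/keys/sel2011.private

# ---- /etc/opendkim/InternalHosts ----
# Mail arriving from these sources is treated as internal and is signed
# rather than verified. List only the relays that carry customer mail.
127.0.0.1
192.0.2.0/24

# ---- /etc/opendkim/SigningTable ----
# Option 2 from the reply, using a local flat file: sign only mail whose
# sender address falls under a listed customer domain.
*@customer-a.example    key2011
*@customer-b.example    key2011
# Option 1 from the reply (sign everything) would be this single line instead:
# *    key2011
```

With the per-domain table, mail from an internal host that claims an unlisted sender domain is left unsigned, which limits what the provider's key vouches for compared with the sign-everything entry.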
