Can I send from one domain, by using the signature from another domain?

From: Simon Paarlberg <>
Date: Wed, 23 Nov 2011 19:32:27 +0100


I have used a couple of hours on Google, trying to figure out how to
send signed mails from one domain using another. I hope someone here
can help me out.

Here is my setup:

I have a Postfix setup on a server with multiple domains. I have a
mail server called and three other domains called, and .

I use the, and as "From:"
address in my emails, but use in the Message-ID, the
Return-Path and for reverse IP for the domain name (

I have configured OpenDKIM so it works for "From:", but when I try to send using "From:", I get an error in my mail.log with the message:

Nov 23 18:19:07 s opendkim[18752]: DA3846510F3 no signing domain match
for `'
Nov 23 18:19:07 s opendkim[18752]: DA3846510F3 no signing subdomain
match for `'
Nov 23 18:19:08 s opendkim[18752]: DA3846510F3: no signature data

Which makes sense, since the DKIM-Signature does not hold the location
of the public key.

Here is my question: Can I use OpenDKIM to add ";;" to the DKIM-Signature, so I can send with
another "From:" address? I have seen this being done elsewhere, but I
can't figure out how I set it up -- or if it's "legal". Am I able to
do it OpenDKIM?

Hope I have posed the question so it is understandable -- also for
others with a similar problem.


From (mostly for others to search
for the solution)

   d= The SDID claiming responsibility for an introduction of a message
      into the mail stream (plain-text; REQUIRED). Hence, the SDID
      value is used to form the query for the public key. The SDID MUST
      correspond to a valid DNS name under which the DKIM key record is
      published. The conventions and semantics used by a Signer to
      create and use a specific SDID are outside the scope of this
      specification, as is any use of those conventions and semantics.
      When presented with a signature that does not meet these
      requirements, Verifiers MUST consider the signature invalid.

      Internationalized domain names MUST be encoded as A-labels, as
      described in Section 2.3 of [RFC5890].


      sig-d-tag = %x64 [FWS] "=" [FWS] domain-name
      domain-name = sub-domain 1*("." sub-domain)
                        ; from [RFC5321] Domain,
                        ; excluding address-literal

   i= The Agent or User Identifier (AUID) on behalf of which the SDID is
      taking responsibility (dkim-quoted-printable; OPTIONAL, default is
      an empty local-part followed by an "_at_" followed by the domain from
      the "d=" tag).
Received on Wed Nov 23 2011 - 18:33:02 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:21 PST