Re: how to setup opendkim for signing all outgoing mails

From: Matthias Weiss <>
Date: Wed, 9 May 2012 11:01:58 +0200

Hi Murray!

> If the Sender field is always the same, then you can use that to make the
> signing choice.

It is. But we have a multisite webserver setup and I'm concerned that maybe
configuration will be set wrong in the future and we loose the Sender field.
If that happens we'll send unsigned mails and this will probably go unnoticed.
So I'd like to have a solution that doesn't rely on the Sender field.

> So you're on the right track with your use of
> SenderHeaders. Then, I suggest a SigningTable that reads:
> your-sender-address somekey
> ...and a KeyTable that reads:
> somekey signing-domain:selector:/path/to/signing/key

> This will sign all mail with a Sender: header field containing
> "your-sender-address" by adding a signature with a "d=" of
> "signing-domain" and an "s=" of "selector" using the private key found in
> /path/to/signing/key. It will sign everything this way, regardless of
> what's in the Sender: field.
> Let us know if that works.

Currently I'm using only the "SenderHeaders" option in opendkim.conf and that
is sufficient to have all mails signed.

If tried your suggestion, this is what I did:

SenderHeaders csl:Sender
KeyTable refile:/etc/opendkim/key_table
SigningTable refile:/etc/opendkim/signing_table


/etc/opendkim/signing_table: my_dk_specifier

I then send a mail with the postfix "sendmail" command specifying a bogus
Sender address "". When I use this I'm getting the log

May 09 10:48:12 [opendkim] 12A3F180E0: no signing table match for

When I comment out the SenderHeaders option opendkim uses the 'From' field and
also signs no mail because it doesn't find a domain key for the domain of the
'From' mail address.

Did I miss something?

best regards and thank you all for your suggestions!

Received on Wed May 09 2012 - 09:01:26 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:40 PST