How to configure DomainKey/DKIM in Mavericks Server?

Hey Michael O. I wanted to answer another question you had:

"2. When making the entries for other virtual domain what is the syntax?"

They way I got this to work for my other domains was to simply add an additional dkim_key() entry in

amavisd.conf

For example: topicdesk.com indicates that "right below

$enable_dkim_signing

dkim_key('mydomain.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

To add an additional virtual domain, using the same public/private key set, you would just add the following line after the first dkim_key() entry. For example, your results should look like this:

dkim_key('mydomain.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');

dkim_key('2ND_domain.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');

@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

This assumes you've added the same DNS entries to the 2ND_domain.tld public facing domain and don't want to use separate keys for each domain. You can easily use multiple keys by doing steps 4.1 again and replacing 'mydomain.tld' with '2ND_domain.tld' instead. You'll also need to separately run

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys

which will show you all public keys for each dkim_key() entry you've made in amavisd.conf. You take the one for displayed for 2ND_domain.tld and add that to the public facing default._domainkey.2ND_domain.tld TXT record.

The prefix 'default' in the TXT entry can be anything and is what's referenced in the line:

dkim_key('mydomain.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');

If you wanted to use different keys for different processes, you can have multiple dkim_key() line entries with corresponding DNS TXT records. For example:

Config: dkim_key('mydomain1.tld', 'default', '/var/db/dkim/mydomain1.tld.default.pem');

DNS: default._domainkey.mydomain1.tld TXT "v=DKIM1; p=MCIIxe4L0

Config: dkim_key('mydomain2.tld', 'sales', '/var/db/dkim/mydomain2.tld.default.pem');

DNS: sales._domainkey.mydomain2.tld TXT "v=DKIM1; p=MCII-0dF78

Config: dkim_key('mydomain3.tld', 'techsupport', '/var/db/dkim/mydomain3.tld.default.pem');

DNS: techsupport._domainkey.mydomain3.tld TXT "v=DKIM1; p=MCII7ythq9

I'm watering things down a bit, but hope this helps!

-- Mike

Oh, is that why I had to use the Advanced configuration in the topic desk post to get amavisd to sign again? Could you elaborate on amassed needed to be fixed? Everything is working as expected for my server now. Running High Sierra with Server 5.4 - not a clean install. Thanks!

Mac Server on Sierra won't sign email with DKIM

amavsid needs to be fixed for your server to sign on any version after 5.2

Okay, so a little update now that I've spent the last 3 hours getting this to work on High Sierra with Server 5.4... To answer your question Michael O., you only need to have it setup on the public facing DNS. However, if you're hosting your internal DNS server on the same box as your mail server, it's a good idea to add the TXT entries to your respective zone db in /Library/Server/named/. This way, when performing the tests described by TopicDesk.com, you can verify that your configuration works. It's just double work when doing the DNS portion of the instructions, but worth it for testing. What Armand is summarizing is apparently very true, do not stop where the instructions seem to indicate you can stop, you must go forward with the Advanced configuration, which is actually a good general setup for most production servers. At least this was my experience, no singing would occur until the Advanced instructions were carried out. Helpful sites during testing: MX Toolbox's DKIM Test (If you followed the TopicDesk instructions, your selector is "default" without the quotes): https://mxtoolbox.com/dkim.aspx AdminSystem Software Limited's tools are fantastic. Click the Next Step key and you'll be given a test email to send to, and it will refresh with your headers analyzed: http://www.appmaildev.com/en/domainkey They also go on to describe how to use your personal Gmail account to verify DKIM sighing is taking place.

That is not working for me. Incoming mail is fine, but outgoing messages are not signed. Did you, perhaps, also change this:

# it is up to MTA to re-route mail from authenticated roaming users or

# from internal hosts to a dedicated TCP port (such as 10026) for filtering

$interface_policy{'10026'} = 'ORIGINATING';

I don't see where postfix is talking on 10026.

It seems that step: 5. Advanced configuration options

http://topicdesk.com/downloads/tutorials/160-implementing-domainkeys-dkim-on-os- x-10-8-x-mountain-lion-with-server-2-x

is required to get it working with Mavericks/Server 3.1.1. At least that did the trick for me. The comment at the start of the section that said it should already be working wasn't true for my particular set up.

Can someone add to this as to DNS entries and multiple domains. I read the topicdesk direction and want to get this going on my new OS X setup. I am ok with all the notes above but my public DNS is not hosted on my mail server. Rather then running a "split-horizon" setup I have my LAN DNS on the mail server and my WAN DNS on another mac-mini server currently running 10.6.8. So what I need to understand and know is:

1. Do the DKIM DNS Entries need to be on both servers or just the public/WAN one?

2. When making the entries for other virtual domain what is the syntax?

_domainkey.mydomain.tld TXT "o=~"

default._domainkey.mydomain.tld TXT "v=DKIM1; p=MIGfCSXUZqGSIb7DKI.-.-.-.-.-+43bMQIDAQAB"

Where mydomain = mail.qxxxxxn.com the FQDN of the mail server

For mydomainB = mail.qxxxxxn.net what goes in the .net Zone file?

?? default._domainkey.mydomainB.tld TXT "v=DKIM1; p=MIGfCSXUZqGSIb7DKI.-.-.-.-.-+43bMQIDAQAB" ??

Any other notes on this install would be helpful if you have done it in Mavericks, Thank you.