You are still top-posting, please don't... See bottom for my reply...

On 29 December 2017 at 06:21, Poliman - Serwis <ser...@poliman.pl> wrote:
> But "signing domain" and domain in "From" will never be matched. Server has
> own domain s1.domain.net. On this server are hosted few websites. These have
> another domains than the server fqdn. In report from google I see fail in
> dkim row but for IP of the server. I don't know why there is IP not fqdn.
>
> 2017-12-28 8:44 GMT+01:00 Dominic Raferd <domi...@timedicer.co.uk>:
>>
>> Please bottom post on this list (and see below)
>>
>> On 28 December 2017 at 07:05, Poliman - Serwis <ser...@poliman.pl> wrote:
>> > For particular domain from report dkim works well. I checked it here
>> > http://dkimcore.org/c/keycheck. Mails from this domain are sent by
>> > s1.domain.net server. Should be dkim configured for domain name of the
>> > server which corresponds to IP mentioned earlier?
>> >
>> > 2017-12-28 7:46 GMT+01:00 Poliman - Serwis <ser...@poliman.pl>:
>> >>
>> >> All is clear but how setup dmarc per IP address of the server if dmarc is
>> >> based on spf and dkim which are based on particular domain?
>> >>
>> >> 2017-12-27 10:37 GMT+01:00 Dominic Raferd <domi...@timedicer.co.uk>:
>> >>>
>> >>> On 27 December 2017 at 07:22, Poliman - Serwis <ser...@poliman.pl> wrote:
>> >>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got report
>> >>> > in xml on my mailbox. Attached. One from addresses has dkim failed - marked
>> >>> > in orange...
>>
>> Setting spf should not be necessary if you are setting a dkim header
>> correctly in all the outgoing emails for the domain in question.
>> Indeed I would go further and say that setting an spf DNS record for
>> your domain is inadvisable when testing dmarc because it can mask
>> underlying dkim problems.
>>
>> In order to pass dmarc alignment testing, opendkim needs to insert
>> into the outgoing email a dkim header with a signing domain (d=)
>> matching the domain in the internal 'From:' header. The server name or
>> ip that it has come from is irrelevant for dkim.
>>
>> If your mail passes dkim check-summing and dkim alignment when tested
>> at its destination for dmarc, it will pass overall regardless of any
>> spf (and vice versa).

There is no connection between ip/fqdn of the server and the signing
domain for DKIM - see man opendkim. You set all the domains for which
you want emails signed rather than verified in the 'Domain' setting in
/etc/opendkim.conf e.g.

Domain mydomain1.tld,mydomain2.tld,mydomain3.tld

Use KeyFile to give the location of the file containing the private
key to be used with all domains - and the matching public key must be
published in their DNS.

If you want to have different keys for different domains, use
KeyTable/SigningTable rather than Domain/KeyFile - I haven't tried
this. Refer to man opendkim.conf for more information.

(Apologies to anyone who feels that the postfix mailing list is not
the appropriate place to try to answer (or ask) these questions, there
doesn't seem to be an opendkim mailing list...)
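
The alignment rule described in the thread above (the DKIM d= domain must match the domain in From:, the sending server's name is irrelevant), as an added example that is not part of the original message. It checks alignment only, not the signature itself; the sample messages are constructed, and org_domain() is a simplifying assumption standing in for the Public Suffix List lookup that real DMARC evaluators use.

```python
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (example.co.uk breaks this).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_tags(header_value):
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def dkim_alignment(raw_message, mode="relaxed"):
    """Return [(d= domain, aligned?)] for each DKIM-Signature in the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(value).get("d", "").lower()
        if mode == "strict":
            same = d == from_domain
        else:
            same = org_domain(d) == org_domain(from_domain)
        results.append((d, bool(d) and same))
    return results


def sample(d, from_addr):
    # Constructed message; bh=/b= are placeholders, nothing is verified.
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=default;\n"
            "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            f"From: Shop <{from_addr}>\nSubject: test\n\nbody\n")


if __name__ == "__main__":
    # Signed with the server's own name: signature may verify, DMARC still fails.
    print(dkim_alignment(sample("s1.domain.net", "info@example.com")))
    # Signed with the From: domain: aligned.
    print(dkim_alignment(sample("example.com", "info@example.com")))
    # Subdomain in From: passes relaxed (adkim=r), fails strict (adkim=s).
    print(dkim_alignment(sample("example.com", "info@news.example.com"), "strict"))
```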
