Re: DKIM DNS subdomain setup

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 13 Jul 2012 00:46:43 -0700 (PDT)

On Fri, 13 Jul 2012, Nikolaos Milas wrote:
> Until now I am using the latter approach (only one DNS record) and I have not
> had any problems, but now mail from userx_at_tech.example.com is rejected by a
> particular domain, with the message:
>
> host remote.server said: 550 Message does not match its signature (in reply
> to end of DATA command)
>
> The remote server identifies itself as: ESMTP Exim 4.72
>
> Can you please shed some light on the above?

The domain rejecting with that message appears to be making the statement
that it expects the From: domain and the signing domain to be the same.
There's nothing in DKIM that requires this. This is an unfortunate local
policy decision by the recipient.

If you want to ensure they match, you could do something like:

- publish the main key record at default._domainkey.example.com

- publish CNAME (alias) records for each of your subdomains (e.g.,
default._domainkey.tech.example.com) that refer to the main key record

- set up the SigningTable as you've done, with all entries pointing to a
common KeyTable entry

- set up the KeyTable with:

         %:default:/path/to/private/key

"%" will be replaced with the From: domain when generating the signature.

Hope this helps!

-MSK
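The setup above, worked through as an added example (not code from the thread or from OpenDKIM itself): it applies a refile-style SigningTable and a KeyTable whose domain field is "%" to a From: address, expands "%" to the From: domain as the post describes, and then follows the subdomain CNAME in a constructed zone to confirm that selector._domainkey.<From: domain> actually lands on the main key record. The KeyTable entry name "shared", the key path, the subdomain "sales.example.com" and the "fixed" KeyTable entry used for contrast are assumptions; the wildcard matching is a simplification of OpenDKIM's refile behaviour.

```python
"""Check that a DKIM d= derived from an OpenDKIM-style KeyTable "%" entry
matches the From: domain and that its selector record resolves.

Added example; assumptions are marked below.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

MAIN_DOMAIN = "example.com"
SELECTOR = "default"
SUBDOMAINS = ["tech.example.com", "sales.example.com"]  # assumed subdomains

# KeyTable as in the post: name -> "domain:selector:keyfile".
# "%" in the domain field is replaced by the From: domain at signing time.
KEY_TABLE: Dict[str, str] = {
    "shared": "%:default:/etc/opendkim/keys/example.com.private",   # assumed name/path
    "fixed": "example.com:default:/etc/opendkim/keys/example.com.private",  # contrast
}

# refile-style SigningTable: From: pattern -> KeyTable entry name.
SIGNING_TABLE: List[Tuple[str, str]] = [("*@example.com", "shared")] + [
    (f"*@{sub}", "shared") for sub in SUBDOMAINS
]


def zone_records() -> List[Tuple[str, str, str]]:
    """Constructed zone: one TXT key record at the main domain, one CNAME per subdomain."""
    recs = [(f"{SELECTOR}._domainkey.{MAIN_DOMAIN}.", "TXT",
             "v=DKIM1; k=rsa; p=<base64 public key>")]
    for sub in SUBDOMAINS:
        recs.append((f"{SELECTOR}._domainkey.{sub}.", "CNAME",
                     f"{SELECTOR}._domainkey.{MAIN_DOMAIN}."))
    return recs


def signing_params(from_addr: str, key_table: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply SigningTable then KeyTable; return the d=, s= and key path to sign with."""
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    for pattern, keyname in SIGNING_TABLE:
        if fnmatch.fnmatchcase(from_addr.lower(), pattern):
            domain, selector, keyfile = key_table[keyname].split(":", 2)
            if domain == "%":
                domain = from_domain  # the substitution the post describes
            return {"d": domain, "s": selector, "key": keyfile, "from_domain": from_domain}
    return None


def resolve_key(name: str, records: List[Tuple[str, str, str]], max_hops: int = 8):
    """Tiny offline resolver: follow CNAMEs in the constructed zone until a TXT is found."""
    table = {(n, t): v for n, t, v in records}
    for _ in range(max_hops):
        if (name, "TXT") in table:
            return name, table[(name, "TXT")]
        if (name, "CNAME") in table:
            name = table[(name, "CNAME")]
            continue
        return None
    return None  # CNAME loop or chain too long


def check(from_addr: str, key_table: Dict[str, str] = KEY_TABLE) -> Dict[str, object]:
    """Would the remote's 'd= must equal From: domain' policy accept this signature?"""
    p = signing_params(from_addr, key_table)
    if p is None:
        return {"ok": False, "reason": "no SigningTable match"}
    aligned = p["d"] == p["from_domain"]
    lookup = f"{p['s']}._domainkey.{p['d']}."
    found = resolve_key(lookup, zone_records())
    return {
        "ok": aligned and found is not None,
        "d": p["d"],
        "aligned": aligned,
        "lookup": lookup,
        "resolved_to": found[0] if found else None,
    }


if __name__ == "__main__":
    for addr in ("userx@tech.example.com", "bob@example.com", "eve@other.example.org"):
        print(addr, check(addr))
    # Same From: with a KeyTable that hard-codes the parent domain: d= no longer aligns.
    print("fixed:", check("userx@tech.example.com", {"shared": KEY_TABLE["fixed"]}))
```

With the "%" entry, mail from tech.example.com is signed with d=tech.example.com and the verifier's lookup of default._domainkey.tech.example.com follows the CNAME to the single key record; with a KeyTable that hard-codes example.com, the signature still verifies but d= and the From: domain differ, which is the case the strict recipient rejects.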
Received on Fri Jul 13 2012 - 07:47:03 PST