Re: proper syntax for SenderHeaders in opendkim.conf

From: <>
Date: Thu, 29 Jan 2015 09:45:57 +0100

On 29 janv. 2015, at 09:28, Murray S. Kucherawy <> wrote:

> On Thu, 29 Jan 2015, Patrick Proniewski wrote:
>> Config file options apparently work for now. But as Andreas wrote, the option I'm relying on is disappearing. The fact my use case scenario was covered by the README and an config option made me think my requirements are pretty common.
>> How does it work for this mailing list? I know from,subject and body are not altered so it won't break the subscriber DKIM signature, but the list server manage to add it's own valid signature too. That's what I want to achieve in the end.
> The machine running this list simply signs everything passing through it.
> Why do you want to treat list traffic differently from regular stuff?

I don't. I want to sign everything going out, but with basic settings, OpenDKIM refuses to sign emails with a From that is not in my own domain. That's why I applied settings described in opendkim README in the first place (signature based on Sender header).

Content of my SigningTable is the following:


but it yields to this kind of result for email sent by the list server:

... opendkim[50990]: 6DF13F81: no signing table match for ''
... opendkim[50990]: 6DF13F81: s=20120113 SSL error:04077068:rsa routines:RSA_verify:bad signature
... opendkim[50990]: 6DF13F81: bad signature data

Which is obviously right, according to my SigningTable. Am I supposed to sign "*" ?
("bad signature" is triggered by the list server tempering with subject and body, I'm aware of the issue, and it's going to be fixed)

LogWhy                 yes
Syslog                  yes
SyslogSuccess           yes
MilterDebug	4
Canonicalization	relaxed/simple
ExternalIgnoreList      refile:/usr/local/etc/opendkim/TrustedHosts
InternalHosts           refile:/usr/local/etc/opendkim/TrustedHosts
KeyTable                refile:/usr/local/etc/opendkim/KeyTable
SigningTable		refile:/usr/local/etc/opendkim/SigningTable
Socket                  inet:8891_at_localhost
ReportAddress           root 
SendReports             yes
AlwaysAddARHeader	yes
SenderHeaders		Sender,From
cat /usr/local/etc/opendkim/KeyTable
cat /usr/local/etc/opendkim/SigningTable
Received on Thu Jan 29 2015 - 08:46:13 PST

This archive was generated by hypermail 2.3.0 : Thu Jan 29 2015 - 08:54:02 PST