Re: Copy sender domain to signature

From: Дилян Палаузов <dilyan.palauzov_at_aegee.org>
Date: Sun, 17 Feb 2019 14:00:49 +0000

Hello Matt,

Without going into the details of your email, try coding the logic in Lua:
  http://www.opendkim.org/opendkim-lua.3.html

It is supposed to satisfy any wish. In case it does not, propose how the Lua interface shall be enhanced.
Regards
  Дилян

On Fri, 2019-02-15 at 09:29 +0000, Matt Churchyard wrote:
> Hello,
>
> I’m trying to set up an outbound relay for a customer who sends email notifications on behalf of many customers.
> Generally speaking I’m taking inspiration from the way large services like MailChimp work.
>
> To begin with, I’m rewriting the envelope sender to sender_at_cust-generic-domain to pass standard SPF checks and allow bounces to be caught. Currently they just use the customer’s email address, which means they can’t process any bounces, and trying to get them to update their software to use a different envelope sender was going nowhere.
>
> Now, I would also like to use DKIM, but it seems the signature needs to match the From header. Looking at sample MailChimp emails, they have a d=mydomain.com signature, and at some point I’ve created a k1._domainkey.mydomain.com CNAME that points to their public key.
>
> As such I could do with a way of signing everything that goes through opendkim, using a single selector, but using the domain name from the email.
> Currently I have the following signing-table –
>
> * my-dkim-key
>
> I know that opendkim is looking for the original sender address here, as I originally just used *_at_cust-generic-domain on the left here, but opendkim was complaining that it couldn’t find a signing table match for sender_at_mydomain.com. So when it’s signing, it is using the correct address that I need the signature created for –
>
> However, my key-table looks like this, which obviously sets the d= field to cust-generic-domain
>
> my-dkim-key cust-generic-domain:some-selector:/path/to/key
>
> Really I need some way of configuring that first column to just use the domain from the email address it is signing for, or maybe a completely different configuration.
> I’m not sure if this is currently supported by opendkim though?
>
> Unrelated, but the only other thing I’m not sure of is how they handle key rotation. This setup allows the customer to only make one dns change and gives me control over the public key record, but I can’t create a new key whilst keeping the old one active. I guess the only real solution there would be to get two CNAME records created for k1 & k2, then alternate between them every so often.
>
> Regards,
> Matt Churchyard
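For the Lua route Дилян points at, here is an added example of an OpenDKIM SetupPolicyScript that does what the original post asks for: one shared private key, one selector, d= taken from the From: domain. It is not code from either poster nor from the OpenDKIM project. It relies on odkim.get_fromdomain(), odkim.sign() and odkim.log() from opendkim-lua(3) and on the fact that a KeyTable entry carries its own d= domain, so several entries can point at the same private key file. The domain names, key names, file paths and the delegated-domain list are placeholders; the return value of odkim.sign() is an assumption to check against the man page for your version.

```lua
-- Added example: OpenDKIM setup script, installed with
--   SetupPolicyScript /etc/opendkim/setup.lua
-- in opendkim.conf. Not from the thread or the OpenDKIM project; names and
-- paths are placeholders.
--
-- Matching KeyTable (one shared private key, d= set per customer domain):
--   customer-a.example  customer-a.example:k1:/etc/opendkim/keys/shared-k1.private
--   customer-b.example  customer-b.example:k1:/etc/opendkim/keys/shared-k1.private
--   my-dkim-key         cust-generic-domain:k1:/etc/opendkim/keys/shared-k1.private
-- Each customer publishes k1._domainkey.<their-domain> as a CNAME to the
-- relay operator's public-key record. Domains that have not done so are
-- signed with the relay's own domain instead: a d= for a domain that has
-- not delegated the selector fails verification and hurts rather than helps.

-- Constructed list of domains whose CNAME delegation has been confirmed.
-- In production this could be an odkim.db_open() dataset instead.
local delegated = {
    ["customer-a.example"] = true,
    ["customer-b.example"] = true,
}

-- Fallback KeyTable entry (d= the relay's generic domain) for everyone else.
local FALLBACK_KEY = "my-dkim-key"

-- Normalise the From: domain: lower-case, drop a trailing dot, so the
-- table lookup matches the KeyTable entry name exactly.
local function normalise(dom)
    if dom == nil then
        return nil
    end
    dom = string.lower(dom)
    return (dom:gsub("%.$", ""))
end

-- ctx is the message context OpenDKIM hands to the setup script.
local dom = normalise(odkim.get_fromdomain(ctx))

if dom == nil then
    odkim.log(ctx, "setup.lua: no From: domain, not signing")
else
    local keyname
    if delegated[dom] then
        keyname = dom          -- KeyTable entry named after the domain
    else
        keyname = FALLBACK_KEY -- d= cust-generic-domain, as in the original table
        odkim.log(ctx, "setup.lua: " .. dom .. " not delegated, signing as generic")
    end

    -- Assumption: odkim.sign() returns 1 on success and 0 when keyname is
    -- not in the KeyTable; verify against opendkim-lua(3) for your build.
    if odkim.sign(ctx, keyname) ~= 1 then
        odkim.log(ctx, "setup.lua: odkim.sign failed for key " .. keyname)
    end
end
```

With the script in place the SigningTable is no longer consulted for key selection, so the `* my-dkim-key` line from the post can stay as a fallback but does not drive the d= choice. Rotation fits the same layout: add a second set of entries with selector k2 pointing at the new key file, and switch which entry name the script picks once every delegated domain also has its k2 CNAME in place.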
Received on Sun Feb 17 2019 - 14:01:08 PST

This archive was generated by hypermail 2.3.0 : Mon Feb 18 2019 - 06:00:00 PST