
DKIM - multiple domains?

It's not unusual to have your mail server serve multiple domains. However, each domain has its own unique settings, e.g. SPF records etc.

Although the UTM supports DKIM, the RSA key for each domain will be different, so I'm wondering how to set this in the UTM? I can set it for one domain but can't find a way to set it for multiple domains, as DKIM only shows under the Advanced tab and not the SMTP profiles.



  • Louis, you can only have a single DKIM record in the UTM - more would be a feature request at http://feature.astaro.com.

    However, you can configure multiple domains to use the unique DKIM as explained in my KnowledgeBase article, DKIM Setup using Windows OpenSSL.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, the link you sent still refers to the Sophos UTM which will only take one DKIM.

    Would I be right in thinking that you supply the DKIMs into the authoritative domain/DNS servers along with identifiers etc. and just leave the UTM blank?

  • Yes, you only use a single DKIM in the UTM.  In the domains you'll be sending for, add the same records to each DNS configuration as outlined in the article.

    Cheers - Bob

  • Bob, I'm having the same problem here.  I read your knowledge base article.

    You say to put the same record on each domain's dns, but each domain has a unique key, because their domain names are different.

    I can't put domain1's public key on domain2, can I?

    I've been at this for 2 days and cannot get it to work with multiple domains.

  • OK, I realize now why people are confused.  Thanks for helping me understand, guys.

    When the Proxy inserts the DKIM header, it uses the domain in the sender's name, not the domain in the hostname of the UTM.  There is only one DKIM key per UTM and that's all that's needed.  Just because I used the "main" domain name doesn't mean that the private and public keys contain or reveal any information about a specific domain.

    In my instructions, I was thinking about how to keep DKIMs straight for multiple clients.  That's why I chose the naming convention I did.  You can name them whatever you want, like privatedkim and publicdkim, and then use the public key contents for a DNS record in every domain you send for.

    I'll see if I can get the KB article changed to remove confusion.

    Cheers - Bob

  • Hi Bob,

    Just to clarify in layman's terms...

    You can create a DKIM private & public key for, say, a dummy domain.

    You then insert the private key into the UTM and then the SAME public key into the DNS servers of the domains you manage which are sent by that UTM?

  • Actually, the public DKIM key is tied to the private key and not to any domain at all.  If I were lazy, I could put the same private DKIM key on each of my clients' UTMs and have them add the public key in their public DNS.  As long as one of them wasn't trying to spoof another's domain, then no one would be the wiser! [;)]

    Cheers - Bob

  • That's what I was thinking too from your reply. So it's basically a private and public key not really tied to anything apart from each other.

    That totally clears it up.

  • The reason I was confused was that I used a DKIM key generator, and it had me enter the domain name.

    I checked, and the 3 keys I created with different domains were each different.  Not sure what it is doing with the domain name.

    I tested by putting the wrong domain key with another domain and it worked.  So I threw out the last 2 keys and just used the first one for all three.

  • Same here. Because you use a DKIM generator (and let's face it, most will), it gives you the impression that it's tied to a domain name.

    It is to a degree (with the generator), because the generator will use that string to make the key and, as we have discovered, making a DKIM key with 3 different domain names will result in 3 different DKIM keys.

    But you can use any of those keys with any of your domains as long as the private key matches up with the public key.

    So back to the original question:

    1. generate your ONE private & public DKIM key (tied to any domain you like, or even a non-existent one)
    2. place the private key in the UTM
    3. place the public key into EVERY domain's DNS that you manage on the UTM
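The three steps above, worked through as an added Go example (not code from this thread or from Sophos): one RSA key pair, one TXT record published unchanged under two constructed domains, and signatures whose d= tag carries the sender's domain, so the same record verifies mail for either. The DKIM header canonicalisation is reduced to one hashed string, and the domain names, the selector "utm" and all function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// dkimTXT builds the TXT value for <selector>._domainkey.<domain>; the identical string goes under every domain (step 3).
func dkimTXT(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}
// pubFromTXT reads the p= tag back as a receiving MTA does after its DNS lookup (only the exact layout dkimTXT emits; a simplification).
func pubFromTXT(txt string) *rsa.PublicKey {
	var b64 string
	if _, err := fmt.Sscanf(txt, "v=DKIM1; k=rsa; p=%s", &b64); err != nil {
		return nil
	}
	der, _ := base64.StdEncoding.DecodeString(b64) // bad base64 or DER parses to nil below, so verify rejects it
	k, _ := x509.ParsePKIXPublicKey(der)
	pub, _ := k.(*rsa.PublicKey)
	return pub
}
// signingInput stands in for the canonicalised DKIM-Signature header: d= and s= are signed data, not key material.
func signingInput(domain, selector, body string) []byte {
	bh := sha256.Sum256([]byte(body))
	h := sha256.Sum256([]byte("d=" + domain + "; s=" + selector + "; bh=" + base64.StdEncoding.EncodeToString(bh[:])))
	return h[:]
}
func sign(priv *rsa.PrivateKey, domain, selector, body string) []byte {
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signingInput(domain, selector, body))
	return sig
}
func verify(txt, domain, selector, body string, sig []byte) bool {
	pub := pubFromTXT(txt)
	return pub != nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, signingInput(domain, selector, body), sig) == nil
}

func main() { // one key pair, two sender domains, the same record under each
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	txt := dkimTXT(&priv.PublicKey)
	for _, d := range []string{"client-a.example", "client-b.example"} {
		fmt.Println(d, verify(txt, d, "utm", "hello", sign(priv, d, "utm", "hello")))
	}
}
```

The two failure cases worth checking are a signature replayed under a different d= and a record built from a different key pair; both must fail, which is also why the shared-private-key shortcut mentioned earlier lets whoever holds that key sign for any domain publishing the matching record.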