DKIM setup help needed

[MarcS1975]

I am running the following configuration and all works fine until I setup DKIM.

DMS domain = mail.mymailer.org
email accounts user1@mydomainABC.xyz
email accounts user2@mydomainABC.xyz
email accounts user2@mydomainDEF.xyz

MX records of mydomainABC.xyz and mydomainDEF.xyz point to mail.mymailer.org

I created DKIM keys for all 3 domains in DMS and copied the public keys into the DNS record of each domain.
Now from the documentation it is not very clear to me what I need to change. Maybe someone has a pointer.

I am getting the following DKIM log entries

Jan  7 06:38:31 mail opendkim[737]: 86C6342833: no signing table match for 'mailserver-report@mymailer.org'
Jan  7 06:38:31 mail opendkim[737]: 9EFAE42838: no signing table match for 'mailserver-report@mymailer.org'
Jan  8 11:01:54 mail opendkim[737]: 6300A43AB6: no signing table match for 'user1@mydomainABC.xyz'

I assume this is for outgoing mail and there seems to be a problem.

And some of these log entries:
I assume this is DKIM for incoming mail and the information seems to indicate that verification is ok but what does "not authenticated" mean? It seems to come up with every incoming sender.

7 23:52:09 mail opendkim[737]: 01DD543743: mail-out2.spamhaus.org [193.190.148.132] not internal
Jan  7 23:52:09 mail opendkim[737]: 01DD543743: not authenticated
Jan  7 23:52:09 mail opendkim[737]: 01DD543743: DKIM verification successful
Jan  7 23:52:09 mail opendkim[737]: 01DD543743: s=dkim2021 d=spamhaus.org a=rsa-sha256 SSL 
Jan  8 01:09:42 mail opendkim[737]: 39D88438A6: [140.228.64.37] [140.228.64.37] not internal
Jan  8 01:09:42 mail opendkim[737]: 39D88438A6: not authenticated
Jan  8 01:09:42 mail opendkim[737]: 39D88438A6: DKIM verification successful
Jan  8 01:09:42 mail opendkim[737]: 39D88438A6: s=mail d=xmail44.win a=rsa-sha256 SSL 
Jan  8 02:47:28 mail opendkim[737]: A4F4E438FD: ny5mailsrv6.interactivebrokers.com [64.190.196.108] not internal
Jan  8 02:47:28 mail opendkim[737]: A4F4E438FD: not authenticated
Jan  8 02:47:28 mail opendkim[737]: A4F4E438FD: DKIM verification successful
Jan  8 02:47:28 mail opendkim[737]: A4F4E438FD: s=ibkr-selector1 d=interactivebrokers.com a=rsa-sha256 SSL

[polarathene]

what does "not authenticated" mean

It may refer to authenticated submission? Which is not the case over port 25 (receiving public mail from external MTAs).

You may want to compare to the equivalent rspamd support which is eventually intended to become a default and replace opendkim among other services. Other mail-server projects already use rspamd.

The signing tables should be configured when using the setup ... CLI we provide, here is the related script:

docker-mailserver/target/bin/open-dkim

Lines 158 to 168 in aba218e

	# write to SigningTable if necessary
	SIGNINGTABLEENTRY="*@${DKIM_DOMAIN} ${SELECTOR}._domainkey.${DKIM_DOMAIN}"
	if [[ ! -f /tmp/docker-mailserver/opendkim/SigningTable ]]; then
	_log 'debug' 'Creating DKIM SigningTable'
	echo "*@${DKIM_DOMAIN} ${SELECTOR}._domainkey.${DKIM_DOMAIN}" >/tmp/docker-mailserver/opendkim/SigningTable
	else
	if ! grep -q "${SIGNINGTABLEENTRY}" /tmp/docker-mailserver/opendkim/SigningTable; then
	echo "${SIGNINGTABLEENTRY}" >>/tmp/docker-mailserver/opendkim/SigningTable
	fi
	fi
	done < <(_get_valid_lines_from_file "${DATABASE_VHOST}")

I don't have time unfortunately to look further into that for you, but it may be the project still has some legacy assumptions on the happy path of a single mail domain shared with the DMS hostname.

Our test suite only covers the two (opendkim + rspamd) DKIM generation scripts are working correctly. No networked containers with DNS records setup yet, we're rather reliant upon community contributions to improve on areas like this.

[MarcS1975]

You may want to compare to the equivalent rspamd support which is eventually intended to become a default and replace opendkim among other services.

thanks - so if I use rspamd in DMS, do I somehow have to switch off DKIM and generate new keys via rspamd or will rspamd use the keys I generated with DKIM?

No networked containers with DNS records setup yet, we're rather reliant upon community contributions to improve on areas like this.

My DNS records are correct. I have tested those with multiple external test sites. Its definitely my DMS settings that I need to tweak.

[polarathene]

if I use rspamd in DMS, do I somehow have to switch off DKIM and generate new keys via rspamd or will rspamd use the keys I generated with DKIM?

I don't work on that area but from what I understand the current implementation stores keys at a different location. Technically they should be compatible other than that.

May just be easier to generate new keys and update the DNS records if that seems easier?

The docs should cover switching to rspamd other than that. Opt-out of opendkim with ENABLE_OPENDKIM=0 and opt-in to rspamd as per the docs.