DKIM - exclude domain, not working

Hi folks


Ubuntu 18.04
Virtualmin 6.09.gpl
PHP version 7.2.31
Apache 2.4.29
Postfix 3.3.0

I’ve enabled DKIM and added the relevant TXT record at the Registrar and for the 1st mail enabled Virtual Server - outbound emails sign as expected.

I’ve created a 2nd Virtual Server - just HTTP & HTTPS, with no mail. Its mail is hosted elsewhere.

A webpage has a contact form - it works, as in the email arrives in the yahoo inbox (for testing purposes). Looking at the headers - the message is DKIM signed.

I’ve gone into Virtualmin >> Email Settings >> DomainKeys Identified Mail and added the domain associated with this new Virtual Server in the “Never Sign for domains” field, clicked save and even reloaded\restarted Postfix for good measure.

Sending another email via the webform and examining the headers, it is still DKIM signed.

Any help\advice\pointers would be greatly appreciated.



/etc/opendkim.conf has the following lines:

Syslog yes
UMask 007

Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 2020_v1

#Socket local:/var/run/opendkim/opendkim.sock ## Original Live entry
Socket inet:8891@localhost

PidFile /var/run/opendkim/

OversignHeaders From

TrustAnchorFile /usr/share/dns/root.key

UserID opendkim
SigningTable refile:/etc/dkim-signingtable
KeyTable /etc/dkim-keytable

All the comments have been removed in the above - just to shorten the post.

/etc/dkim-signingtable has

  • default

the above line says star(*) default.

and /etc/dkim-domains.txt

i.e. the FQDN of the server\VPS.

From reading the documentation on opendkim I am expecting that the entry for /etc/dkim-signingtable would not be (if I’ve added a domain not to sign for)

  • default

the above line says star(*) default.

because that means sign for everything. I’m going to alter the signing-table file to sign for the 1 (other) domain that is mail enabled and effectively ignore all other domains, as a test, and see what happens. Always set it back if it goes weird.

If you add a domain to the field for ignoring in the DKIM form - should it not change the values in /etc/dkim-signingtable file?




I changed the value in /etc/dkim-signingtable from

* default


* default

restarted opendkim & Postfix for good measure. I sent a mail via the contact form on domain2 (the non mail enabled Virtual Server) and checking the headers in Yahoo, no trace of DKIM.

Sending an email from which is mail enabled and checking the headers, the email is DKIM signed.

So, is this a bug? i.e. entering a value in the ignore field on\in the DKIM form doesn’t change anything as /etc/dkim-signingtable continues to have the

* default

entry. Or have I made a mistake in setting up DKIM somewhere? The DKIM form has the following values:

Signing of outgoing mail enabled? - Yes
Selector for DKIM record name - mySelector
Reject incoming email with invalid DKIM signature? - No
Force generation of new private key? - No
Size of new DKIM key - 2048
Additional domains to sign for -
Never sign for domains -
DNS records for additional domains - Normal Looking Key (the Virtual Server) is not mail enabled - just HTTP & HTTPS.
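
The thread's observation, that a `* default` line in a `refile:` SigningTable signs mail from every domain while a domain-specific pattern does not, can be reproduced with a small model of the lookup documented in opendkim.conf(5): patterns are tried in file order against the From: address and the first match picks the key. This is an added example, not code from the poster, Virtualmin or OpenDKIM; the domains `domain1.example` and `domain2.example` are constructed placeholders, and case-insensitive matching is an assumption.

```python
import re

def parse_signing_table(text):
    """Return ordered (regex, key_name) pairs from refile-style table text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        pattern, key_name = line.split(None, 1)
        # Only '*' is a wildcard; every other character is matched literally.
        # Lower-casing both sides is an assumption of this sketch.
        regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
        entries.append((re.compile(regex), key_name.strip()))
    return entries

def signing_key_for(table_text, from_addr):
    """Key name of the first matching pattern, or None (message left unsigned)."""
    addr = from_addr.lower()
    for regex, key_name in parse_signing_table(table_text):
        if regex.fullmatch(addr):
            return key_name
    return None

# Constructed sample data: placeholder domains, not values from the thread.
CATCH_ALL = "* default\n"
RESTRICTED = "*@domain1.example default\n"
SENDERS = ["info@domain1.example", "webform@domain2.example"]

def report(table_text):
    """Map each sample sender to the key that would sign it."""
    return {s: signing_key_for(table_text, s) for s in SENDERS}

if __name__ == "__main__":
    for name, table in (("catch-all", CATCH_ALL), ("restricted", RESTRICTED)):
        for sender, key in report(table).items():
            print(f"{name:10} {sender:28} -> {key or 'not signed'}")
```

With the catch-all table both senders resolve to the `default` key; with the restricted table the web form's From: address on the non-mail domain resolves to no key, which matches the unsigned message seen in Yahoo.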