DKIM Setup Questions

My server doesn’t run BIND. It has a master domain for me and hosts 3 other domains (virtual servers). All DNS entries are at the DNS control panels of the relevant registrars. All the Virtual Server domains have an SPF record “allowing” the server’s IP to send their mails. rDNS has been setup so the IP points back to the master domain\host.

My Virtualmin server has no issues but I think it’s time to setup DKIM - but before I start “tinkering” with a live server, I’m hoping someone can sanity check things for me?

I’ve found the following post - Need help about DKIM concept & setup

My take on what the above post says is,

  1. enable DKIM (it’s at the global level)
  2. no need to add the Virtual Server domains in the Additional Domains field
  3. label the key with something meaningful like the year in it,
  4. take the generated Key and apply a TXT record at the DNS control panel for each Virtual Server domain [it will be the same key]
  5. if I add any more Virtual Servers (& domains) - add the same TXT record at the relevant Domain Registrar’s DNS panel.

Does the above seem correct?

Many Thanks

Dibs

Correct. This is via Virtualmin >> Email Settings >> DomainKeys Identified Mail

Correct. When virtual servers are created, Virtualmin takes care of its configuration if DKIM has already been enabled on the system. You do not need to manually add domains to the text area captioned ‘Additional domains to sign for’.

Year is meaningless. I use the hostname, e.g. vps01, so the DNS record looks like vps01._domainkey.domain.com and in future if I migrate domain.com to vps02, this naming system offers me the advantage of two simultaneous DKIM records in the DNS for that domain. If you use 2020, you might have a collision with another server to which you are migrating the domain.

Correct. Some DNS management interfaces (AWS Route 53) want long DNS records broken up like this:

 "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5iUXsdYFAKne/"
	"qncNIGPOWJmApXZr+tmf4sEIudFl4hpY0KWLUQLZ7IqyB1dH6Mb60we3y1TkoOksXbOtBLIrfjp5DFI2"
	"KzvaQOGkTxMOSPF4J7gq98BmgdeActNli64WMZ0aOxXdePsslo6lmkenj+6Lz70QuUk0J/O7qZp4fWVp"
	"u560NkJ2AYvAGvRAVkdknm4ZdE8OukLH3K3lM+EnVv/o7Y5YgU1+40KfV2Z8rauVHpONJcNciw9YwLZh"
	"KLTefGUVj1F7IN5LvZNbZKz7zZitDGesVYDIbr4D20j6MGj+sGXBVOZQ8YBOOZSZnGKL5oFOKCAmbu9x"
	"ln3jpj9+QIDAQAB" 

Others are happy with this:

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5iUXsdYFAKne/qncNIGPOWJmApXZr+tmf4sEIudFl4hpY0KWLUQLZ7IqyB1dH6Mb60we3y1TkoOksXbOtBLIrfjp5DFI2KzvaQOGkTxMOSPF4J7gq98BmgdeActNli64WMZ0aOxXdePsslo6lmkenj+6Lz70QuUk0J/O7qZp4fWVpu560NkJ2AYvAGvRAVkdknm4ZdE8OukLH3K3lM+EnVv/o7Y5YgU1+40KfV2Z8rauVHpONJcNciw9YwLZhKLTefGUVj1F7IN5LvZNbZKz7zZitDGesVYDIbr4D20j6MGj+sGXBVOZQ8YBOOZSZnGKL5oFOKCAmbu9xln3jpj9+QIDAQAB

Correct.

@Calport - really appreciate the reply.

One last (hopefully) question - if the Virtual Servers already exist, there won’t be any issues if I follow the process already discussed?

And if I remove the TXT entries and disable DKIM - everything reverts back to how it was?

Thanks

Dibs

One more question (LOL) - if DKIM is enabled globally, do all the Virtual Server domains need the TXT record adding at the Domain Registrar DNS control panels at once?

What I am asking in essence is if DKIM was enabled globally and 2 out of 3 Virtual Servers (domains) had the TXT record added to the domains (at the Registrar DNS panels) and 1 Virtual Server had the DKIM TXT recorded it added some days later - would that 1 domain experience issues? Is it a do them at once or can you stagger it?

If it’s a do them (existing Virtual Servers\domains) at once - I assume best to make the changes late one weekend evening giving DNS propagation the chance to take place?

Thanks

Dibs

Glad I could be of help, @Dibs.

If virtual servers exist in Virrualmin before you enable DKIM then Virrualmin will configure each existing virtual server to use DKIM, as part of the DKIM install process. We should thank the Virtualmin devs for being thoughtful enough to save us the bother of manually configuring potenrially hundreds of virtual servers by including this functionality.

I have never had to remove DKIM but I suspect that disabling it via the Virtualmin interface should trigger a routine which will cause virtual servers to disassociate with DKIM and revert to their original state. Maybe someone can confirm?

Now this is a tricky one.

When DKIM is enabled, outgoing email will be ‘signed’ and DKIM keys included in the headers of outgoing email. This is universal and true for all outgoing email for all virtual servers, aliases etc. sent from the Virtualmin server.

I think, though I am not sure, if dmarc is enabled for a domain then you must have DKIM fully implemented: email signed + DNS records configured for email to be accepted as valid by the servers which receive your email. So to answer your question, your single domain should not have trouble with mail provided you set the dmarc policy correctly. A ~ or ? at the end instead of a dash, if memory serves.

You will have to enable BIND, of course, before Virtualmin lets you enable DKIM. I had assumed that this was clear but in case it is not: you do need BIND running locally for Virtualmin to enable and configure DKIM.

@calport - I appreciate the reply.

Thinking it thru further - probably best do all the domains (add TXT records) in one go and late on Saturday night for DNS to have propagated by Sunday morning. :wink:

Dibs

In the original post, I referred to where you helped the other poster, you posted

Blockquote
Yes and no: when you enabled DKIM under Virtualmin --> Email settings --> DomainKey Identified Mails, Virtualmin added the DKIM record to the DNS of each domain listed in the install of BIND running on your Virtualmin server. However @Saahib as you are manually managing on a third party DNS server the DNS records for the domain(s) served by Virtualmin, you must take the additional step of manually updating the third party DNS server with the DKIM record for each domain. Note that for those who use Virtualmin’s DNS server, which is the default option, this manual management of DKIM records is not necessary.

That read for me as - BIND doesn’t need to be enabled if you are using 3rd Party DNS Panels etc.

I’ve not had BIND enabled since the server was installed\configured and I’d rather not enable it - one more thing to get to grips with LOL.

I think I might bring another VPS to life - had planned to move from Ubunto 16 to 18 anyway - so might be an opportune time to have a try on a server that isn’t live.

Thanks

Dibs

Virtualmin does not need BIND installed to generate SPF records and I imagine that it is possible for Virtualmin to generate DKIM records without BIND installed. However, Virtualmin does need BIND installed to permit the DKIM feature to be enabled, the last time I checked.

Why that is, only the Virtualmin Gods can say.

@calport

If I enable BIND but don’t actually “use” it - is there any likelihood of anything going sideways?

Thanks

Dibs

Nah, BIND will sit quietly on the server without bothering you or anything else but it will claim a bit of your precious RAM.

1 Like

A note for anyone reading this in the future.

DKIM works and doesn’t require BIND installed\running or DNS to be enabled for a Virtual Server - assuming the DNS entries are external (done at the Registrar’s control panel.

Virtualmin will generate the key\s and you manually have to add the TXT record in the DNS control panel (external).

HIH someone.

Dibs

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.