My server doesn’t run BIND. It has a master domain for me and hosts 3 other domains (virtual servers). All DNS entries are at the DNS control panels of the relevant registrars. All the Virtual Server domains have an SPF record “allowing” the server’s IP to send their mail. rDNS has been set up so the IP points back to the master domain\host.
My Virtualmin server has no issues but I think it’s time to setup DKIM - but before I start “tinkering” with a live server, I’m hoping someone can sanity check things for me?
Correct. This is via Virtualmin >> Email Settings >> DomainKeys Identified Mail
Correct. When virtual servers are created, Virtualmin takes care of its configuration if DKIM has already been enabled on the system. You do not need to manually add domains to the text area captioned ‘Additional domains to sign for’.
Year is meaningless. I use the hostname, e.g. vps01, so the DNS record looks like vps01._domainkey.domain.com and in future if I migrate domain.com to vps02, this naming system offers me the advantage of two simultaneous DKIM records in the DNS for that domain. If you use 2020, you might have a collision with another server to which you are migrating the domain.
Correct. Some DNS management interfaces (AWS Route 53) want long DNS records broken up like this:
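The selector-naming and record-splitting points above, as an added example that is not code from the original post or from Virtualmin: a Python script that builds the selector’s DNS name, splits a long TXT value into 255-character strings the way a panel such as Route 53 requires, and checks the joined record’s tags and RSA key size before it is published. The function names, the minimal DER helpers and the placeholder modulus are all my own assumptions; the sample key is constructed for the demo and is not a usable RSA key.

```python
"""Sanity-check a DKIM TXT record before pasting it into a registrar's DNS panel.
Added example (not Virtualmin code); the sample key below is constructed."""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1 (rsaEncryption)


def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name of the DKIM TXT record, e.g. vps01._domainkey.example.com."""
    return f"{selector}._domainkey.{domain}".lower()


def split_txt(value: str, chunk: int = 255) -> list:
    """Split a long TXT value into strings of at most 255 bytes (the DNS limit)."""
    return [value[i:i + chunk] for i in range(0, len(value), chunk)]


def parse_tags(strings) -> dict:
    """Join the strings of one TXT RR (resolvers add no separator), parse tag=value."""
    tags = {}
    for part in "".join(strings).split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        name = name.strip()
        if not name or name in tags:
            raise ValueError(f"bad or duplicate tag: {name!r}")
        tags[name] = re.sub(r"\s+", "", value)  # FWS inside a value is ignored
    return tags


# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo.
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # always positive


def _der_read(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def make_spki(n: int, e: int = 65537) -> bytes:
    """Build the RSA SubjectPublicKeyInfo that p= carries, base64-encoded."""
    rsapub = _der(0x30, _der_int(n) + _der_int(e))
    algid = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, algid + _der(0x03, b"\x00" + rsapub))


def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of an RSA SPKI; ValueError on anything unexpected."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, algid, pos = _der_read(body, 0)
    if tag != 0x30 or not algid.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(body, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("bad BIT STRING")
    _, rsapub, _ = _der_read(bitstr, 1)
    tag, modulus, _ = _der_read(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def dkim_record(spki: bytes) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def check_dkim_record(strings, min_bits: int = 2048) -> dict:
    """What to confirm before publishing: tag syntax, key type, key size."""
    tags = parse_tags(strings)
    problems, bits = [], None
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is checked here")
    elif "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty: this revokes the key")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError) as exc:
            problems.append(f"p= is not a valid RSA public key: {exc}")
        else:
            if bits < min_bits:
                problems.append(f"{bits}-bit key is below {min_bits} bits")
    return {"tags": tags, "bits": bits, "problems": problems}


# Constructed sample: placeholder 2048-bit modulus (not a real key), long enough
# that a panel like Route 53 needs the record split into two quoted strings.
SAMPLE_SPKI = make_spki((1 << 2047) | 0x10001)
SAMPLE_STRINGS = split_txt(dkim_record(SAMPLE_SPKI))

if __name__ == "__main__":
    print(dkim_record_name("vps01", "example.com"))
    print(*(f'"{s}"' for s in SAMPLE_STRINGS), sep="\n")
    print(check_dkim_record(SAMPLE_STRINGS))
```

Resolvers concatenate the strings of one TXT record without any separator, so the split point may fall anywhere inside the base64; what matters is that the joined value round-trips, which `check_dkim_record` confirms. To check a record that is already live, pass it the strings returned by `dig TXT vps01._domainkey.example.com` with the surrounding quotes removed.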
One more question (LOL) - if DKIM is enabled globally, do all the Virtual Server domains need the TXT record added at the Domain Registrar DNS control panels at once?
What I am asking in essence is if DKIM was enabled globally and 2 out of 3 Virtual Servers (domains) had the TXT record added to the domains (at the Registrar DNS panels) and 1 Virtual Server had the DKIM TXT record added some days later - would that 1 domain experience issues? Is it a do them all at once or can you stagger it?
If it’s a do them (existing Virtual Servers\domains) at once - I assume best to make the changes late one weekend evening giving DNS propagation the chance to take place?
If virtual servers exist in Virtualmin before you enable DKIM then Virtualmin will configure each existing virtual server to use DKIM, as part of the DKIM install process. We should thank the Virtualmin devs for being thoughtful enough to save us the bother of manually configuring potentially hundreds of virtual servers by including this functionality.
I have never had to remove DKIM but I suspect that disabling it via the Virtualmin interface should trigger a routine which will cause virtual servers to disassociate with DKIM and revert to their original state. Maybe someone can confirm?
When DKIM is enabled, outgoing email will be ‘signed’ and DKIM keys included in the headers of outgoing email. This is universal and true for all outgoing email for all virtual servers, aliases etc. sent from the Virtualmin server.
I think, though I am not sure, if DMARC is enabled for a domain then you must have DKIM fully implemented: email signed + DNS records configured for email to be accepted as valid by the servers which receive your email. So to answer your question, your single domain should not have trouble with mail provided you set the DMARC policy correctly. A ~ or ? at the end instead of a dash, if memory serves.
You will have to enable BIND, of course, before Virtualmin lets you enable DKIM. I had assumed that this was clear but in case it is not: you do need BIND running locally for Virtualmin to enable and configure DKIM.
In the original post I referred to, where you helped the other poster, you posted:
Yes and no: when you enabled DKIM under Virtualmin --> Email settings --> DomainKeys Identified Mail, Virtualmin added the DKIM record to the DNS of each domain listed in the install of BIND running on your Virtualmin server. However @Saahib as you are manually managing on a third party DNS server the DNS records for the domain(s) served by Virtualmin, you must take the additional step of manually updating the third party DNS server with the DKIM record for each domain. Note that for those who use Virtualmin’s DNS server, which is the default option, this manual management of DKIM records is not necessary.
That read to me as: BIND doesn’t need to be enabled if you are using 3rd Party DNS Panels etc.
I’ve not had BIND enabled since the server was installed\configured and I’d rather not enable it - one more thing to get to grips with LOL.
I think I might bring another VPS to life - had planned to move from Ubuntu 16 to 18 anyway - so might be an opportune time to have a try on a server that isn’t live.
Virtualmin does not need BIND installed to generate SPF records and I imagine that it is possible for Virtualmin to generate DKIM records without BIND installed. However, Virtualmin does need BIND installed to permit the DKIM feature to be enabled, the last time I checked.