Setting DKIM signing by default on ALL Virtualmin servers

SYSTEM INFORMATION
OS type and version: Debian 12
Virtualmin version: 7.30.4

As a rule we have always run separate boxes to serve DNS, Email and Websites. My experience has been that if any have a problem, it is isolated to that issue instead of everything attached to a domain being down at once.

Larger email providers are now REQUIRING that DMARC be working on email (Yahoo and Hotmail to name two) sent through their servers or face rejection. In order for DMARC to work properly, the DMARC record along with BOTH a valid SPF and DKIM record must be present in the domain’s DNS settings. In order to mitigate email reception issues for the numerous reports, notifications, form outputs and so on from a website, the DKIM related to that site’s web server must be enabled on the site’s web server initiating those emails.

The Virtualmin control panel is the easiest I have seen to enable DKIM. That’s because it is generated on one place and used for all the domains on the server. When set up, it makes website notifications nearly always get through to email providers that require DMARC.

All that being said, I have run into one problem with DKIM on Virtualmin servers. Because we do not utilize email accounts for the domains on our Virtualmin servers, we must navigate to the Virtualmin > Email Settings > DomainKeys Identified Mail page below and add each domain for each site manually in the “Extra domains to sign for” text box as they are added to the box.


What I have experienced recently is that somehow that list gets cleared now and then. I suspect it happens as a result of updates. I do not go in and check if the list is intact after updates, and I’d be surprised if after every update one would think to go and check every setting on the box. The blank “Extra domains to sign for” had 60-70 domains in it. I became aware of the issue inadvertently when seeing the “Unverified” notification on email notifications coming from sites on that box into our email.

I think a solution is to add a radio button to tick on the page above that says:
O All domains
so ALL domains on the box are signed for by default if that what the system administrator needs. I believe this would solve the behavior I have experienced.

Is there any down side to being able to force all domains to be signed for by default?

Has anyone else run into this behavior?

As a minor clarification, my reading of Google’s new rules is:

if under 5000/day volume, you must have EITHER SPF or DKIM – and DMARC is optional

if over 5000/day, you must have all three :smile:

I am not sure what the Yahoo and Hotmail specific requirements and minimum volumes are.

Of course having all three never hurts!!

@charlesworks,

Any domain you add to the “Extra domains to sign for” field should NOT be removed unless you explicitly remove them yourself.

This seems as if it may be a bug…

I’d recommend sending a PM to @staff with your findings so that the team can investigate whether this is a bug.

As have I. So I can identify with much of what you say, including the assessment that Virtualmin makes it easy.

I work around this by adding two (or more) DKIM records to the DNS records of a domain. For example, if vps01 is for web hosting for a domain and vps15 is for mail hosting for the same domain, I will add the DKIM records of both vps01 and vps15 to the DNS records of the domain. Doing so frees me up from manually adding anything to the “Extra domains to sign for” box. On my systems, this box is completely empty even though I have split the hosting into web and mail across different Virtualmin servers.

This approach has the advantage that the adding of DKIM records can be automated via the Virtualmin CLI - so no need to manually add domains to the extra domains box.

However if there is a bug that causes the list to disappear then it should be corrected.
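The two checks this thread keeps coming back to, whether the web box's signing list has silently lost hosted domains and whether each domain actually publishes a usable DKIM key under every selector (one per sending box, as in the vps01/vps15 workaround above), as an added example that is not Virtualmin's own code. The domain list, signing list, selector names and DNS answers are constructed samples; in practice the domain list would come from `virtualmin list-domains --name-only` and the TXT records from a DNS query.

```python
"""Drift check for DKIM signing coverage on a Virtualmin web box.
Added example for this thread, not Virtualmin's own code.
All inputs below are constructed samples."""

# Constructed: output of `virtualmin list-domains --name-only` on the web box
HOSTED_DOMAINS = """example.com
example.net
example.org
"""

# Constructed: what the "Extra domains to sign for" box holds after an update
SIGNING_LIST = ["example.com"]

# Assumed selectors: one per Virtualmin box that sends mail for the domain
SELECTORS = ["vps01", "vps15"]

# Constructed DNS answers: "<selector>._domainkey.<domain>" -> TXT record or None
DNS_TXT = {
    "vps01._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgPLACEHOLDER",
    "vps15._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgPLACEHOLDER",
    "vps01._domainkey.example.net": "v=DKIM1; k=rsa; p=MIIBIjANBgPLACEHOLDER",
    "vps15._domainkey.example.net": None,            # mail box key never published
    "vps01._domainkey.example.org": "v=DKIM1; k=rsa; p=",  # empty p= means key revoked
    "vps15._domainkey.example.org": None,
}

def parse_domains(text):
    """One domain per line, as the Virtualmin CLI prints them."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def dropped_from_signing(hosted, signing):
    """Domains hosted on the box that are no longer on the signing list."""
    return sorted(set(hosted) - set(signing))

def dkim_tags(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def missing_dkim(hosted, selectors, dns):
    """(domain, selector) pairs with no usable public key in DNS.
    The v= tag is optional in key records and defaults to DKIM1."""
    problems = []
    for domain in hosted:
        for selector in selectors:
            txt = dns.get(f"{selector}._domainkey.{domain}")
            tags = dkim_tags(txt) if txt else {}
            if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
                problems.append((domain, selector))
    return problems
```

Running both checks after each update (and from cron) would have flagged the blanked list long before the “Unverified” tags showed up in the inbox.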

But this already exists on that page … under “Domains to sign for by default”

The page I provided as a screenshot had 60+ domains in it. Later I discovered it blank after troubleshooting why I was receiving emails from websites on that server tagged “Unverified”. I have been copying the list of domains on the box and manually pasting that list into that box only to discover it blank at a later time.

It’s also far from convenient to have to manually add domain names in that box each time a domain is added to the box.

If having an additional tick choice “All domains” would solve the problem and be automatic when adding domains, I would agree there would be no reason to have the domains text box. Unless there is a situation where a domain was added that does not exist as a site on the box maybe.

In any event, they should just go away from the list.

My point here is that for DMARC to work, all three (SPF, DKIM and DMARC) must be set properly for the email’s originating server. Different providers have different requirements. I want email from our servers to reach as wide a list of providers as possible.

What are your tests showing?
I use a site like https://www.learndmarc.com/ to check everything works.
Emails from websites should be using SMTP settings; using PHP mail can cause rejections as it doesn’t authenticate the user.

Does this option work for you:

I have not had authentication issues, as the mail server the users would send their mail from is not on the website server. Email generated through PHP for website form output CMS notifications, to name two, have not given me authentication problems, so I have not had to deal with that.

No, definitely not. I do not use DNS on the box serving the websites or email. So DNS and EMAIL are disabled on WEBSITE boxes.

You could use this option with reduced zones for all of your domains. Webmin is configured in a way so it does not actually do local lookups for DNS queries like cPanel does, but standard DNS lookups out to the internet.

Also, does dkim not require DNS entries to be present in the DNS to work?

Yes, it requires the DKIM records in the DNS servers to work. The DNS servers for our sites are not on the same box as the websites.

How do you currently sync? Do you run a non public copy of bind on the VM server and push the zones to the other servers?

No, I set up DNS separately on boxes devoted entirely to that. Same with email.

But we digress. If an option existed to simply set DKIM up for all domains on the box, it would not matter how the system administrator sets it up. Right now one must manually add domain names as they are added for DKIM to work unless DNS is handled on the web hosting box.

Are you all green at mxtools? I presume so seeing you have 60 sites.

And then use the DKIM test.

@stefan1959 the information above does not need to be blanked out as it is public on purpose :smiley:

We are off on a tangent with the numerous ways of testing DKIM and no longer talking about automating Virtualmin DKIM implementation.

I’m looking for a solution that makes Virtualmin easier to use by adding a choice that does not currently exist: allowing Virtualmin to add DKIM to ALL DOMAINS as virtual servers (domains) are added (and presumably removed from the list when virtual servers are removed).

On my server they are, every domain I have adds a dkim signature.

Clarification:
When only the web server and neither DNS nor EMAIL are used on the virtual server box.