DKIM signing for subdomain issue

I am in an environment that sends emails from different sources. We're a Google Workspace environment as well.

The flow is as such: A user ([email protected]) in Gmail sends an email to an email group ([email protected]) that resides on our listserv (postfix). This group ([email protected]) is made up of Google users that reside in domain.tld. When the email is sent from listserv.domain.tld it arrives in Gmail with a "DKIM FAIL domain domain.tld" in the "View original" headers (SPF is configured properly, so it doesn't get flagged as spam/phishing).

[email protected] -> email -> [email protected] (postfix server we control) -> sends [email protected] email to [email protected] subscribers (Google accounts that reside in domain.tld) -> DKIM fails domain domain.tld

Looking at the email data, the d=domain.tld and NOT d=listserv.domain.tld


So after extensive testing, I believe I have stumbled on WHAT I need to do to get this working, however I am not familiar with how to do it.

What to do: On the listserv.domain.tld server, use opendkim to configure and generate the key pair (done). On our DNS host, create listserv._domainkey.listserv.domain.tld with the above generated public key (done).

The issue I can't figure out is this: my assumption is that postfix/mailman/opendkim should take in the original email, sign it with its own DKIM private key, then send it out to the members of [email protected], and when it arrives the email's DKIM domain header SHOULD say "DKIM PASS domain listserv.domain.tld".

However, it's still saying "DKIM FAIL domain domain.tld"

If I send an email from the CLI of the postfix server to either [email protected] OR [email protected], the "DKIM PASS domain listserv.domain.tld" is present. So everything is configured correctly IF the email comes directly from @listserv.domain.tld and is not sent via / on behalf of / from @domain.tld.


A message can have multiple DKIM signatures, and normally they are all evaluated during message processing. Adding a valid signature with d=listserv.domain.tld does not change the fact that the existing signature for d=domain.tld is invalid after your mailing list makes modifications.

Google's summary display chooses one DKIM result to display and has probably prioritized the exact domain match over the subdomain. If you look at the actual message headers you should be able to see the results for each individual signature in the Authentication-Results header, similar to the following:

Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=bar header.b=VjtN0uuE;
       dkim=fail [email protected] header.s=foo header.b=e04DhOVX;
[...]

The only way to avoid an existing signature failing after message modification is to strip the signature off the message. An invalid signature should not cause the message to be treated worse than a missing signature, so that may be an excessive amount of effort to fix a cosmetic issue with Google's method of summarizing authentication results.
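To see the per-signature results the answer refers to, rather than the single summary Gmail displays, it helps to parse the Authentication-Results header yourself. The following is an added example (not code from the question, the answer, or any of the tools mentioned) that splits an Authentication-Results value into its individual method results, lists every dkim result with its signing domain and selector, and notes whether that domain is an exact match, a subdomain, or unrelated to the From: domain. The sample message, selector names, and header.b values are constructed for the example; the Cloudflare-obfuscated addresses on the page are replaced with placeholder addresses under domain.tld.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not from the page): a message as it might arrive at a
# subscriber after passing through the list, carrying two DKIM results in the
# Authentication-Results header the receiving MTA added. Addresses, selectors
# and header.b values are placeholders.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@listserv.domain.tld header.s=listserv header.b=AAAAAAAA;
       dkim=fail header.i=@domain.tld header.s=google header.b=BBBBBBBB;
       spf=pass (google.com: domain of bounces@listserv.domain.tld designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounces@listserv.domain.tld
From: A User <user@domain.tld>
To: group@listserv.domain.tld
Subject: [group] test

hello
"""


def parse_authentication_results(value):
    """Return (authserv_id, [result dicts]) for one Authentication-Results value.

    Each dict carries 'method', 'result' and any property=value pairs present,
    such as header.i, header.s, header.b or smtp.mailfrom.
    """
    value = re.sub(r"\([^)]*\)", "", value)       # drop parenthesised comments
    value = re.sub(r"\s+", " ", value).strip()     # join folded continuation lines
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0]
    results = []
    for stanza in parts[1:]:
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method, "result": result}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            entry[key] = val
        results.append(entry)
    return authserv_id, results


def signing_domain(entry):
    """Signing domain of a dkim result: header.d if present, else the domain part of header.i."""
    if "header.d" in entry:
        return entry["header.d"].lower()
    return entry.get("header.i", "").rpartition("@")[2].lower()


def relation_to(sig_domain, from_domain):
    """Classify how a signing domain relates to the From: domain."""
    if sig_domain == from_domain:
        return "exact"
    if sig_domain.endswith("." + from_domain):
        return "subdomain"
    return "unrelated"


def dkim_report(raw_message):
    """List every dkim result on the message and how its domain relates to From:."""
    msg = message_from_string(raw_message, policy=default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    report = []
    for header in msg.get_all("Authentication-Results", []):
        _, results = parse_authentication_results(str(header))
        for entry in results:
            if entry["method"] != "dkim":
                continue
            domain = signing_domain(entry)
            report.append({
                "result": entry["result"],
                "domain": domain,
                "selector": entry.get("header.s"),
                "relation": relation_to(domain, from_domain),
            })
    return report


if __name__ == "__main__":
    for row in dkim_report(SAMPLE_MESSAGE):
        print(f"dkim={row['result']:<4} d={row['domain']:<22} s={row['selector']:<10} "
              f"({row['relation']} match to the From: domain)")
```

Run against the sample, the report shows both signatures side by side: the list's own signature passing for the subdomain and the original signature failing for the exact From: domain, which is the pair of results the summary line collapses into a single "DKIM FAIL".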