DKIM is driving me nuts

Chris Gordon freebsd at
Mon Sep 3 20:44:15 UTC 2018

The values in the SigningTable do this mapping. The opendkim.comf man page talks about this, but it can be really confusing until you see it all pieced together.  First, you can use the same key to sing all mail from your domain, so you don’t have to create a different key for each host.  

Here’s what I have (edited for your domain) and assuming you want to use the same key for everything in

- In /usr/local/etc/mail/opendkim.conf, I have the following settings, among others -- mostly defaults:
SigningTable  refile:/usr/local/etc/mail/signing_table
KeyTable      file:/usr/local/etc/mail/key_table

- /usr/local/etc/mail/signing_table should have:


- Then in /usr/local/etc/mail/key_table, you have:

The SigningTable matches the domain to value on the right hand side.  Then looks up that value in the KeyTable to get the path to the key to use to sign.  There may be other ways to do this (I actually sign a couple of domains with different keys, so I have more lines in my to table files) and it’s been a while since I set it up, so I’m a bit rusty and may have something a bit off.

Hope that helps.


> On Sep 3, 2018, at 3:34 PM, William Dudley <wfdudley at> wrote:
> I have an SPF record.
> That is not the problem.
> The problem is that the server has three names:
> and I cannot figure out how opendkim chooses which key
> to use to sign emails.  Does it look at Message-Id?  Does it look
> at Reply-to: (unlikely) ?  Whatever field it uses, changes depending
> on if I use Thunderbird, Mail (mailx), or the mailman listserve to send
> the email.
> Thanks,
> Bill Dudley
> This email is free of malware because I run Linux.
> On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne <byrnejb at>
> wrote:
>> On Sun, September 2, 2018 19:06, William Dudley wrote:
>>> I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
>>> system.
>>> Since I don't know if the problem is sendmail or opendkim or DNS or
>>> what, I'm asking here.
>> You need a sender policy framework specification in your dns for the
>> domains you wish secured.  You do not put the keys in this, just the
>> policy version, the authorised hosts, and the disposal option.
>> Ours is:
>>          172800  IN      TXT
>>   "v=spf1 ip4: ip4:
>> ip4: -all"
>> The ~all at the end is called a soft fail. It means that recipients
>> may accept mail from another server, but that the sender should be
>> viewed with suspicion. If you change the disposal option to -all you
>> are directing the recipient to reject mail from any server other than
>> these. The soft fail approach is safer and recommended.
>> If you employ dkim without a dns entry for your sender policy
>> framework, or with invalid SPF or multiple SPF dns records, then the
>> correct behaviour is to reject all mail from the sender since the
>> policy cannot be determined.
>> --
>> ***          e-Mail is NOT a SECURE channel          ***
>>        Do NOT transmit sensitive data via e-Mail
>> Do NOT open attachments nor follow links sent by e-Mail
>> James B. Byrne                mailto:ByrneJB at
>> Harte & Lyne Limited
>> 9 Brockley Drive              vox: +1 905 561 1241
>> Hamilton, Ontario             fax: +1 905 561 0757
>> Canada  L8E 3C3
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list