haraka / haraka-plugin-dkim

Haraka dkim plugin
https://www.npmjs.com/package/haraka-plugin-dkim
MIT License

DKIM sign works only for the MTA instance #3

Closed ravivgolov closed 5 months ago

ravivgolov commented 5 months ago

Hi

I have followed the guide: https://haraka.github.io/plugins/dkim_sign

I have successfully sent outgoing emails, but I am facing an issue where DKIM signing only works for the main domain. For example, if the MTA hostname is relay.domain.com and I send an email from this domain, DKIM works perfectly fine. However, when I try to send an email from another domain like domain.com, the message is not signed with the main DKIM. Can you please help me understand what I am missing here?

msimerson commented 5 months ago

If you merely claim that you followed the instructions, nobody can help you. Prove it. Show us what you did. hint: https://haraka.github.io/plugins/dkim_sign#single-domain-configuration

ravivgolov commented 5 months ago

I will show: I used the dkim generator provided dkim_key_gen.sh. Folder: relay.mymta.com contains all the files: DNS, selector, private, public


dkim_sign.ini:

[main]

[sign]
enabled = true
selector = apr2024
domain = relay.mymta.com
key_path = /opt/haraka/config/dkim/relay.mymta.com/private

DKIM set in the main domain:

ubuntu@relay:/opt/haraka$ dig apr2024._domainkey.relay.mymta.com TXT +short
"v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4SyoWWf7/G0gkeIdxl7kEWojoDmiNIhMupB9gOhtYcBDPLVXcGF2ksVD0ztkU9SYhuFYOUgGeooHKr+hGcOQclSsbw2+ deleted the rest"
ubuntu@relay:/opt/haraka$

I also tried to copy the private file generated in the dkim folder under the main domain and renamed the file: key_path = /opt/haraka/config/dkim.private.key

msimerson commented 5 months ago

Try configuring it EXACTLY as the docs specify.

The DKIM plugin was recently republished; you are using the old version, so continue following the docs you originally cited above.

Your dkim_sign.ini file should be configured thusly:

selector=apr2024
domain=relay.mymta.com
headers_to_sign=From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version

And your DKIM private key should be stored as config/dkim.private.key
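
A way to confirm from a delivered message which domain and selector actually signed it, and which of the `headers_to_sign` entries ended up covered by `h=`. This is an added example, not part of the original thread or of Haraka's code; the signature header and From address are constructed samples (`b=`/`bh=` are placeholders) and `mymta.com` as a second sender domain is an assumption.

```javascript
// Added example. Parses a DKIM-Signature header value (RFC 6376 tag=value list).
function parseDkimSignature(headerValue) {
  const tags = {};
  // Unfold continuation lines, then split the tag list on ';'.
  const unfolded = headerValue.replace(/\r?\n[ \t]+/g, ' ');
  for (const part of unfolded.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return tags;
}

// Domain part of a From header such as 'User <user@example.com>'.
function fromDomain(fromHeader) {
  const m = /@([A-Za-z0-9.-]+)>?\s*$/.exec(fromHeader.trim());
  return m ? m[1].toLowerCase() : null;
}

// Report who signed, where the public key is looked up, how d= relates to the
// From domain, and which expected headers are missing from h=.
function inspect(dkimHeader, fromHeader, expectedHeaders) {
  const tags = parseDkimSignature(dkimHeader);
  const d = (tags.d || '').toLowerCase();
  const from = fromDomain(fromHeader);
  const signed = (tags.h || '').split(':').map((h) => h.trim().toLowerCase());
  let relation = 'unrelated';
  if (from && from === d) relation = 'same';
  else if (from && d.endsWith('.' + from)) relation = 'signer-is-subdomain';
  else if (from && d && from.endsWith('.' + d)) relation = 'from-is-subdomain';
  return {
    signingDomain: d,
    selector: tags.s,
    dnsName: d && tags.s ? `${tags.s}._domainkey.${d}` : null,
    relation,
    unsignedHeaders: expectedHeaders.filter((h) => !signed.includes(h.toLowerCase())),
  };
}

// Constructed sample: b= and bh= are placeholders, mymta.com is an assumed sender domain.
const SAMPLE_SIG = 'v=1; a=rsa-sha256; c=relaxed/simple; d=relay.mymta.com; s=apr2024;\r\n' +
  '\th=from:subject:date:message-id:to:mime-version;\r\n' +
  '\tbh=PLACEHOLDER; b=PLACEHOLDER';
const SAMPLE_FROM = 'User <user@mymta.com>';
// headers_to_sign as listed in the thread's dkim_sign.ini
const WANTED = ['From', 'Sender', 'Reply-To', 'Subject', 'Date', 'Message-ID', 'To', 'Cc', 'MIME-Version'];

console.log(inspect(SAMPLE_SIG, SAMPLE_FROM, WANTED));
```

The `dnsName` it returns is the same name queried with `dig` earlier in the thread, so the TXT record can be checked against the selector the message actually carries.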

ravivgolov commented 5 months ago

Thanks, that worked.

I'm confused about which documentation to follow - the one in the "Getting Started" section or the one in the "Plugins" page under the github repo. Can you please advise me on which one is more recent?

msimerson commented 5 months ago

If you're using a version of Haraka older than 2.0.4 (not yet released), then follow the docs that came with Haraka (haraka -h dkim_sign). For newer versions (after the DKIM plugin was repackaged as an NPM module), the docs here in this repo are the most current.

ravivgolov commented 5 months ago

Thank you, I have Haraka version 3.0.3 and I followed your suggestions. One thing I am trying to do is deny mail from IPs when SPF fails, and here is my SPF configuration:

[relay]
context=myself

[defer]
helo_temperror=true
mfrom_temperror=true

[deny]
mfrom_fail=true
openspf_text=true

[deny_relay]
mfrom_fail=true
openspf_text=true

I am still able to use any domain without the SPF, how can I achieve that?

msimerson commented 5 months ago

Keep reading the spf plugin docs

ravivgolov commented 5 months ago

I have read it like 10 times, but I am not able to figure out what is wrong here. spf.ini [deny] mfrom_fail=true

msimerson commented 5 months ago

Look at all the entries in the [deny] block in the docs. Use your knowledge about SPF and SMTP to deduce what they apply to. Twiddle the knobs to do the needful.

ravivgolov commented 5 months ago

Finally, I have resolved the issue where the signed domain was showing Softfail by adding softfail and none to the config. It took me several hours, but I have successfully set up the entire system including Haraka's filters, options, and optimization to prevent spam and bounce.

However, I still have a few questions regarding the email queue log to avoid email marketing. I believe the karma plugin handles domain reputation, but I'm not sure how to see the stats of the domain's reputation with karma. What is the best way to monitor outgoing emails for spam, email marketing, and bounces?

How much retention of the score stats is saved on Redis? Amazing MTA, by the way. With the right configuration, the perfect MTA with the perfect filters can be achieved.

By the way, is there any way to add a spammer automatically to the access.domains or mail_from.access.blacklist? Or even dnsbl detection to the connect.rdns_access.blacklist?
