bug: disabling email disable dkim signing for the website

[aqueos]

hi,

when i have dkim signing for a domain and i disable email for this domain i cannot have anymore access to the dkim for this domain.

Contrary to what it could appear, having OUTGOING email signing is not related to having pop/imap boxes on the domain.

A website could need dkim signing even if the pop/imap is elsewhere to be able to send to google or microsoft from the website itself.

So i think dkim should not be linked to email pop/imap capabilities of a domain.

best regards, Ghislain.

[iliajie]

Hello,

I agree with this suggestion! It makes perfect sense!

We will have to wait for Jamie's comment though.

[jcameron]

Good suggestion - I will look into implementing this

[jcameron]

Ok the next release of Virtualmin will allow you to add DKIM DNS records for domains without email enabled, as an option.

[iliajie]

Ok the next release of Virtualmin will allow you to add DKIM DNS records for domains without email enabled, as an option.

How will that work? if mail disabled DKIM DNS record is still getting removed? Unless a domain has to be manually added to Extra domains to sign for textbox in Email Settings ⇾ DomainKeys Identified Mail page?

[jcameron]

There's an extra option on the DKIM page to control if it's enabled for all domains, or just domains with email on.

[iliajie]

Ah, I see it now, thanks!

Though, don't you think it would be better to cross-reference it on the DNS Options page?

[jcameron]

Maybe ... what would we show on the DNS Options page?

[iliajie]

DKIM record

Yes, No, Default

.. may be that?

[jcameron]

Good idea, I'll look into it..

[iliajie]

This hasn't been implemented yet?

[jcameron]

What I haven't implemented yet is a field on the DNS Options page to enable or disable DKIM for a domain. However, this can still be setup on the DKIM page.

[iliajie]

Yeah, I meant just a toggle in DNS Options page, with Default, Yes, No options.

[jcameron]

It's on my TODO list ...

[jcameron]

Ok this has been implemented for inclusion in the next release.

[iliajie]

Thanks Jamie!

I did some tests and now we have a new option, e.g.:

Although, this option isn't visible unless global Email Settings ⇾ DomainKeys Identified Mail is enabled. This makes Use default behavior (Yes) option unclear.

[iliajie]

Also, currently it isn't possible to enable DKIM signature for just one domain on the DNS Settings ⇾ DNS Options page when Email Settings ⇾ DomainKeys Identified Mail is disabled. This is not only because the option is invisible, but also because even if attempted, it doesn't properly enable DKIM.

Summary: Currently, it is only possible to disable DKIM signature for a specific domain, not otherwise.

[jcameron]

That's kind of expected - unless DKIM is enabled globally, it cannot be turned on for individual domains.

[iliajie]

Then there is no value in third (last option, i.e. Use default behavior)?

[jcameron]

The third option means that if it's enabled globally and the domain has the email feature, add DKIM DNS records for this domain. 99% of the time users are just going to want to turn it on for all domains that it makes sense for.

[iliajie]

The third option means that if it's enabled globally and the domain has the email feature, add DKIM DNS records for this domain.

But there is no way to even see this new option in DNS Options page if Email Settings ⇾ DomainKeys Identified Mail is not enabled?

[jcameron]

Correct, because there's some global setup needed to make DKIM work at all. Maybe we could add a link to the DomainKeys Identified Mail page in that case?

[iliajie]

Oh, adding a link is a good idea! Yet I still don't understand how all those 3 options are meant to work even when DKIM is enabled globally?

We enable it globally and it just works for all domains by default, right? Right.

Now I want to disable it for some domain. I can do it, and it's clear.

Then I want to re-enable it, that's also cool.

What's consuming to me is a third option which implies some defaults, when there is only one related global default, i.e. Enabled, because when it's disabled none of those 3 new options in DNS Options page will be shown ..

[jcameron]

If you enable it globally, it's on for all domains with DNS and email enabled. This option lets your it on for domains without email, or turn it off for any domain.

Although now you mention it, this does seem rather over-complicated...

[iliajie]

Yeah, that's a bit over-complicated. May be let's just have two options in DNS Options page: Yes and No, and enable DKIM all the time, despite of mail feature? And if DKIM globally disabled, then add a link to the page to enable it?

[iliajie]

I have checked it further and discovered a few issues. The first was fixed in this patch https://github.com/virtualmin/virtualmin-gpl/commit/e9f6ce1d516094631aa9f5764ab26fd057eafd14.

The other issue is more complicated. When the new option Add DomainKeys Identified Mail records is set to Use default behavior in DNS Options page, the global DomainKeys Identified Mail is set to Yes, and Domains to sign for by default is set to All domains with DNS. So far, so good. However, if I later disable DNS for the domain on the Edit Virtual Server page, then DKIM is correctly removed, but the menu still shows the DNS DKIM Record link and Suggested DNS Records still suggests the DKIM DNS record.

This does seem like a bug to me.

[jcameron]

No that's expected, because the assumption is that the user might be doing offsite DNS hosting.

[iliajie]

No that's expected, because the assumption is that the user might be doing offsite DNS hosting.

Oh, that's right, and as long as the signing happens, we're good then!

Thank you!