Help configuring DKIM with multi-server, multi-subdomain config

vicos

I have an unusual setup of domains on my server and I would really appreciate help in properly setting up DMARC.

My primary domain is me.com (as an example only)

I have 2 cPanel servers:

S1.me.com

S2.me.com

I have some *.me.com subdomains on one server and others on the second. For example:

On s1.me.com we have me.com, d1.me.com and d2.me.com

On s2.me.com we have d3.me.com and d4.me.com

Important to note that each of our subdomains is set up as an independent account on cPanel. We do not have me.com set up as a cPanel account with subdomains controlled by that account.

It is also important to note that we manage the DNS for this at a third-party service, not within cPanel. cPanel recognizes this fact.


Me.com is the only domain that sends/receives email from real humans. All of the other subdomains send email from PHP scripts, e.g. software like Xenforo, etc.

Assume Xenforo, or something like it, is installed at d1.me.com. The outgoing email is addressed from [email protected], not [email protected]. I also noticed that the receiving systems mark the email as being received from the server (s1.me.com) not the actual subdomain where it originated from (d1.me.com).

So, how do I configure the DKIM to make this all work?

Right now, I noted that each subdomain has its own DKIM public key set in cPanel.

I assume that the subdomain responsible for originating the email is the one that signs it?

When the receiving server wants to validate the signed email, what does it use to look up the public key in DNS?
  • The primary domain, me.com?
  • The domain where the email originated, d1.me.com?
  • Or, the server from which it originated, s1.me.com?
 

ffeingol

On the sub-domains, how do they actually send mail? Do they authenticate to a mail server or do they simply use something like a PHP mail() function? Based on your reply my guess is they use something like a PHP mail() function. If they are not actually authenticated, it's going to be a challenge to get the MTA to DKIM sign them.
 

vicos

On the sub-domains, how do they actually send mail? Do they authenticate to a mail server or do they simply use something like a PHP mail() function? Based on your reply my guess is they use something like a PHP mail() function. If they are not actually authenticated, it's going to be a challenge to get the MTA to DKIM sign them.
--> PHP mail() function

However, I just checked the header of an email sent from one of our apps via PHP and it does have a DKIM-Signature: record in the header.
 

cPRex

There is no limit to the number of DKIM records that can be on a domain. For example, I checked a personal zone of mine and found multiple entries for different hostnames to send email:

Code:
default._domainkey.host    14400   IN      TXT     "v=DKIM1; k=rsa; p=long-key-goes-here;"
default._domainkey.host2   300     IN      TXT     "v=DKIM1; k=rsa; p=long-key-goes-here;"
so that will work just fine.

DMARC records do need to be unique.
 

vicos

So, when the receiving system wants to validate the signed message, how does it determine which DMARC record to use in the DNS in order to obtain the public key? Is there a parameter/selector in the DKIM-Signature that tells it which record to look up?

In the header I looked at, I do see:

d=d1.me.com

would that be what it uses?

edit: OK, so it looks like 'd' is the domain and 's' is the selector, which on mine is set to 'default'.
 

vicos

It uses a combo of the d=domain && s=selector to pull the public key from DNS. I configured my DNS with the data cPanel specified and all is well, even for the subdomains.
 
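
The lookup worked out in this thread, as an added example that is not part of any forum post or of cPanel's code: a verifier reads d= and s= from the DKIM-Signature header and queries the TXT record at `<s>._domainkey.<d>`, so neither the parent domain nor the sending server's hostname is consulted. The sample header, the dictionary standing in for DNS, and the function names are constructed for illustration.

```python
import re

# Constructed sample header using the thread's values (d=d1.me.com, s=default);
# the bh= and b= values are placeholders, not real hashes or signatures.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n"
    "\td=d1.me.com; s=default; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER="
)
# Constructed stand-in for the external DNS zone; p= values are placeholders.
SAMPLE_ZONE = {
    "default._domainkey.me.com": "v=DKIM1; k=rsa; p=KEY-FOR-ME",
    "default._domainkey.d1.me.com": "v=DKIM1; k=rsa; p=KEY-FOR-D1",
}

def parse_tag_list(value):
    """Parse an RFC 6376 'tag=value; tag=value' list into a dict."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ';' is permitted
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Header folding can put whitespace inside values; it is not
        # significant for the tags read here, so drop it.
        tags[name] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(header):
    """Return the name a verifier queries for the key: <s>._domainkey.<d>."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = parse_tag_list(value)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"missing {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def lookup_key(header, zone):
    """Fetch p= from a dict standing in for DNS; None means no key record."""
    record = zone.get(key_query_name(header))
    return parse_tag_list(record).get("p") if record else None

if __name__ == "__main__":
    print(key_query_name(SAMPLE_HEADER), "->", lookup_key(SAMPLE_HEADER, SAMPLE_ZONE))
```

A subdomain that signs with its own d= but has no matching record in the external zone returns None here, which is the case to check for each cPanel account when DNS is hosted elsewhere.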