DKIM signing only PMG generated mails

czechsys

Based on the DMARC analyzers.

Because PMG doesn't support changing domains for generated mails via the web UI, I am looking for the easiest way to do it without extra configuration on other systems.

Target: signing PMG generated emails ONLY

Problem: PMG is currently sending as (envelope/header mfrom) @pmghost.example.org AND @example.org.

Question
a] changing "myorigin=[% dns.domain %]" via template - do we need copy FULL template or it works as drop-in?
b] it's possible to import own dkim keys?
c] if we don't change myorigin (see a]), will this configuration be enough?
- specific dkim selector in dns
- "Enable DKIM Signing: yes"
- "Sign all Outgoing Mail: no"
- "Sign Domains: pmghost.example.org", "Sign Domains: example.org"
 
Put shortly, and without trying it explicitly, the following should work:
* Set an email as Admin mail from: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_options
* add the domain of this email to DKIM domains
* set the signing source to 'header'
* configure a selector and add the public key TXT record to that domain

a] changing "myorigin=[% dns.domain %]" via template - do we need copy FULL template or it works as drop-in?
You need to copy the full template (not sure why you need to adapt myorigin for this, though).
b] it's possible to import own dkim keys?
Yes (as long as it's an RSA key): copy the private key as a PEM-encoded file to /etc/pmg/dkim and set the permissions as they are for generated keys.

c] should be answered above

I hope this helps!
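The public key TXT record mentioned in the answer above is simply the base64 body of the SubjectPublicKeyInfo, i.e. what `openssl rsa -in <your key under /etc/pmg/dkim> -pubout` prints with the BEGIN/END armor lines removed. The following is an added example (not PMG code and not from the thread) that builds that record, splits it into the 255-byte strings a single TXT record is limited to (a 2048-bit key does not fit in one string, which is a common cause of "no key for signature" failures), and parses the published record back to confirm it decodes to an RSA key of the expected size. The key material is constructed inline with a throw-away DER encoder so the block runs without any crypto library; the modulus is a placeholder, not a real RSA key, and the selector/domain names are assumptions.

```python
import base64
import re

# --- Constructed input: a tiny DER encoder so the example can produce a
# syntactically valid RSA SubjectPublicKeyInfo without a crypto library.
# The modulus is NOT a real RSA modulus; it only exercises the record format.

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def _der_read(buf: bytes, pos: int = 0):
    """Minimal TLV reader: returns (tag, body, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { {rsaEncryption, NULL}, BIT STRING { RSAPublicKey {n, e} } }"""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def pem_public_key(der: bytes) -> str:
    """Same shape as the output of 'openssl rsa -pubout'."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# --- The actual technique: PEM public key -> DKIM TXT record -> zone line -> check.

def dkim_txt_record(pem: str) -> str:
    """p= is exactly the base64 SPKI body; only the armor lines and newlines go."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return f"v=DKIM1; k=rsa; p={body}"

def zone_file_line(selector: str, domain: str, record: str, ttl: int = 3600) -> str:
    # One TXT character-string holds at most 255 bytes, so a 2048-bit key must be
    # published as several quoted strings; resolvers concatenate them.
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT " + " ".join(f'"{c}"' for c in chunks)

def rsa_bits_from_txt(record: str) -> int:
    """Parse a (possibly chunked) DKIM TXT record and return the modulus size."""
    joined = "".join(re.findall(r'"([^"]*)"', record)) or record
    tags = dict(t.strip().split("=", 1) for t in joined.split(";") if "=" in t)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an rsa DKIM1 record")
    der = base64.b64decode(tags["p"])
    tag, spki, _ = _der_read(der)
    _, alg, pos = _der_read(spki)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("public key is not rsaEncryption")
    _, bitstr, _ = _der_read(spki, pos)
    _, rsa_pub, _ = _der_read(bitstr[1:])        # skip the unused-bits byte
    _, n_bytes, _ = _der_read(rsa_pub)
    return int.from_bytes(n_bytes, "big").bit_length()

if __name__ == "__main__":
    # Assumed selector "dkim" and domain example.org; placeholder 2048-bit modulus.
    pem = pem_public_key(rsa_spki_der((1 << 2047) + 12345, 65537))
    record = dkim_txt_record(pem)
    print(zone_file_line("dkim", "example.org", record))
    print("modulus bits:", rsa_bits_from_txt(zone_file_line("dkim", "example.org", record)))
```

In practice feed `dkim_txt_record()` the real output of `openssl rsa -pubout` for the key you copied to /etc/pmg/dkim, and run `rsa_bits_from_txt()` on the record as actually returned by `dig +short TXT <selector>._domainkey.<domain>` rather than on what you think you published; a record that was pasted into a zone editor as a single 400-character string is the thing this check catches.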
 
You need to copy the full template (not sure why you need to adapt myorigin for this, though).
That's because I see PMG is using pmghost.FQDN as EHLO for some generated mails and it breaks the SPF record:
Code:
SPF Verification: Failed (helo: pmg-01.FQDN)

Anyway, tested your suggestion:

disabled dkim signing:
email sent from client -> mailserver (1. dkim sign) -> pmg -> target

enabled dkim signing + defining domain:
email sent from client -> mailserver (1. dkim sign) -> pmg (2. dkim sign) -> target

Code:
Received: from pmg-01.FQDN (localhost [127.0.0.1])
    by pmg-01.FQDN (Proxmox) with ESMTP id 6609F21525
    for <RECIPIENT@REMOTE_FQDN>; Mon, 15 Jun 2026 14:03:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=FQDN; h=cc
    :content-transfer-encoding:content-type:content-type:date:from
    :from:message-id:mime-version:reply-to:subject:subject:to:to; s=
    dkim; bh=...
Received: from mail-01.FQDN (mail-01.FQDN [IPV6])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by pmg-01.FQDN (Proxmox) with ESMTPS id 377B720A65
    for <RECIPIENT@REMOTE_FQDN>; Mon, 15 Jun 2026 14:03:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=FQDN; s=dkim;
    t=1781525026; bh=RGnEK7ci7RNdu0JXQNyUgD0zuECfUa1809yP4DdtG/o=;
    h=Date:From:To:Subject:From;
    b=...
Received: from mail.FQDN (localhost [127.0.0.1])
    by mail-01.FQDN (Postfix) with ESMTPSA id 069871FD2C
    for <RECIPIENT@REMOTE_FQDN>; Mon, 15 Jun 2026 14:03:46 +0200 (CEST)

So PMG signs even mails going through, not only its own mails.
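To tell which hop added which DKIM-Signature in a header dump like the one above, use the ordering of the headers: every header is prepended, so a DKIM-Signature was added by the "by" host of the nearest Received header below it. The following is an added example (not from the thread or from PMG) that unfolds a header block, attributes each signature to its signing host and extracts the d=, s= and c= tags, which is exactly how the two signatures above resolve to mail-01 (c=simple/simple) and pmg-01 (c=relaxed/relaxed). The sample headers are constructed from the dump above with FQDN replaced by example.org and the hashes shortened; they are not a real message.

```python
import re

# Constructed sample modelled on the header dump in the post above, with FQDN
# replaced by example.org and the hash/signature values shortened.
SAMPLE_HEADERS = """\
Received: from pmg-01.example.org (localhost [127.0.0.1])
    by pmg-01.example.org (Proxmox) with ESMTP id 6609F21525
    for <user@remote.example>; Mon, 15 Jun 2026 14:03:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; h=cc
    :content-type:date:from:message-id:subject:to; s=
    dkim; bh=AAAA; b=BBBB
Received: from mail-01.example.org (mail-01.example.org [2001:db8::25])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by pmg-01.example.org (Proxmox) with ESMTPS id 377B720A65
    for <user@remote.example>; Mon, 15 Jun 2026 14:03:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=dkim;
    t=1781525026; bh=CCCC; h=Date:From:To:Subject:From; b=DDDD
Received: from mail.example.org (localhost [127.0.0.1])
    by mail-01.example.org (Postfix) with ESMTPSA id 069871FD2C
    for <user@remote.example>; Mon, 15 Jun 2026 14:03:46 +0200 (CEST)
Subject: test
"""

def unfold(raw: str) -> list[tuple[str, str]]:
    """RFC 5322 unfolding: a line starting with whitespace continues the previous field."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def dkim_tags(value: str) -> dict[str, str]:
    """Split 'k=v; k=v' and drop the folding whitespace DKIM allows inside values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def attribute_signatures(raw: str) -> list[dict]:
    """Each DKIM-Signature is attributed to the 'by' host of the next Received below it."""
    fields = unfold(raw)
    out = []
    for i, (name, value) in enumerate(fields):
        if name != "dkim-signature":
            continue
        signer = None
        for n2, v2 in fields[i + 1:]:
            if n2 == "received":
                m = BY_RE.search(v2)
                signer = m.group(1) if m else "?"
                break
        t = dkim_tags(value)
        out.append({"signer": signer, "d": t.get("d"), "s": t.get("s"), "c": t.get("c")})
    return out

def signatures_by(raw: str, host_prefix: str) -> list[dict]:
    """Signatures added by hosts whose name starts with host_prefix (e.g. your gateway)."""
    return [s for s in attribute_signatures(raw)
            if s["signer"] and s["signer"].startswith(host_prefix)]

if __name__ == "__main__":
    for s in attribute_signatures(SAMPLE_HEADERS):
        print(f"{s['signer']:<22} d={s['d']} s={s['s']} c={s['c']}")
```

Running `signatures_by(headers, "pmg-")` over a sample of outbound mail is a quick way to see whether the gateway signed pass-through traffic (a signature attributed to pmg-01 on a message whose Received chain starts at the internal mail server) or only mail it originated.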
 
Administrator EMail: root@FQDN
'From' for Admin Mail: Proxmox Mail Gateway <postmaster@FQDN>

Sign all Outgoing mail: No

Code:
/etc/pmg/dkim/domains:
#pmg signing
FQDN 1

"FQDN" is our email domain. Every test is via the internal mx->pmg->internet mx direction.
 
"FQDN" is our email domain. Every test is via the internal mx->pmg->internet mx direction.
OK, but that is to be expected then. If you want to sign only mails from PMG, just add the FQDN of your PMG to the DKIM domains, e.g. pmg.your.domain (sorry, I thought FQDN in your post did not refer to your internal domain, but to the FQDN of your PMG machine ...)
 
With
Code:
Signing Domain Source: Header
Sign Domain: pmg-01.FQDN

Red blocks are all the same FQDN
 

Attachment: Screenshot from 2026-06-18 14-55-31.png
There are mails originating from PMG (the bounces generated directly by postfix) that are not signed in PMG - could that be the source of the reported mails?
 
I don't know how to identify such mail in PMG-style logs, but I also think it's some of those mails from postfix directly.
That's why I asked about "myorigin" for masking the PMG hostname in the "From" domain (for SPF).
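The bounces mentioned above can be picked out of the Postfix log on the gateway: a non-delivery notification that Postfix generates itself is queued with the empty envelope sender, which qmgr logs as `from=<>`, and the bounce daemon logs which original queue ID it belongs to. The following is an added example (not from the thread, not PMG code) that scans syslog-style Postfix lines for such locally generated messages and ties each one to its original message, recipient, relay and final status. The log lines are constructed in the standard Postfix format for illustration; host names, queue IDs and addresses are placeholders.

```python
import re

# Constructed Postfix log lines (standard syslog format, not from a real host):
# one relayed message that is rejected downstream, and the bounce Postfix then
# generates itself, recognisable by the null envelope sender "from=<>".
SAMPLE_LOG = """\
Jun 18 14:55:30 pmg-01 postfix/smtpd[2001]: A1B2C3D4E5: client=mail-01.example.org[2001:db8::25]
Jun 18 14:55:30 pmg-01 postfix/qmgr[1230]: A1B2C3D4E5: from=<alice@example.org>, size=2345, nrcpt=1 (queue active)
Jun 18 14:55:31 pmg-01 postfix/smtp[2010]: A1B2C3D4E5: to=<nobody@remote.example>, relay=mx.remote.example[203.0.113.5]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=5.1.1, status=bounced (host mx.remote.example[203.0.113.5] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 18 14:55:31 pmg-01 postfix/cleanup[2015]: F6E5D4C3B2: message-id=<20260618125531.F6E5D4C3B2@pmg-01.example.org>
Jun 18 14:55:31 pmg-01 postfix/bounce[2020]: A1B2C3D4E5: sender non-delivery notification: F6E5D4C3B2
Jun 18 14:55:31 pmg-01 postfix/qmgr[1230]: F6E5D4C3B2: from=<>, size=4321, nrcpt=1 (queue active)
Jun 18 14:55:32 pmg-01 postfix/smtp[2011]: F6E5D4C3B2: to=<alice@example.org>, relay=mail-01.example.org[2001:db8::25]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234567890)
"""

QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
BOUNCE_RE = re.compile(r"postfix/bounce\[\d+\]: (?P<orig>[0-9A-F]+): sender non-delivery notification: (?P<qid>[0-9A-F]+)")
DELIVERY_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), .*status=(?P<status>\w+)")

def local_bounces(log: str) -> dict[str, dict]:
    """Map queue ID -> details for every message queued with the null sender.

    Those are the messages Postfix originated on this host (bounces, and the
    like), i.e. the ones that never passed through the filter/signing path.
    """
    lines = log.splitlines()
    bounces: dict[str, dict] = {}
    for line in lines:
        m = QMGR_FROM.search(line)
        if m and m.group("sender") == "":
            bounces[m.group("qid")] = {"original": None, "to": None, "relay": None, "status": None}
    for line in lines:
        m = BOUNCE_RE.search(line)
        if m and m.group("qid") in bounces:
            bounces[m.group("qid")]["original"] = m.group("orig")
        m = DELIVERY_RE.search(line)
        if m and m.group("qid") in bounces:
            bounces[m.group("qid")].update(
                to=m.group("rcpt"), relay=m.group("relay"), status=m.group("status"))
    return bounces

if __name__ == "__main__":
    for qid, info in local_bounces(SAMPLE_LOG).items():
        print(qid, info)
```

On a live gateway, `grep 'from=<>' /var/log/mail.log` gives the same first pass; the queue IDs it returns are the candidates to compare against what the DMARC reports list as unsigned mail from the gateway's hostname.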