[SOLVED] Configure PMG to always sign using parent/apex domain

Gunni

New Member
Sep 16, 2025
TL;DR: Feature request: Add `apex` option to `dkim-use-domain`.

Let's say I want to send from username@server.example.com, but I don't want to configure DKIM and SPF for server.example.com, just *.example.com.

No problem, I can make an SPF record for *.example.com. But oh no, not the DKIM record for *._domainkey.*.example.com...

I would like a way to configure DKIM signing in PMG to always use the apex domain; my understanding is that as long as you have relaxed alignment, it validates fine.

That way I can send an email with:

Code:
RFC5322.From: username@server.example.com
RFC5321.MailFrom: username@server.example.com

but also

Code:
DKIM-Signature: ... d=example.com ...

SPF would still use the wildcard SPF record, but the DKIM validators would use the provided name.
 
Off the top of my head - and without testing it - how does the DKIM signature look if you only add 'example.com' to the DKIM Domains?
Thanks!
 
I don't notice any difference when adding domains to the dkim domains list vs having it blank.

I'll test it methodically today.
 
I got it!

I had to disable "Sign all Outgoing Mail" and add the apex domain to the "Sign Domains" list.

Despite sending email where both RFC5322.From and RFC5321.MailFrom were set to username@server.example.com, the signature was:

Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; h=cc
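As an added example (not code from this thread or from PMG), here is the DMARC identifier-alignment check that lets the signature above pass for a From address at server.example.com: relaxed alignment compares organizational domains, strict alignment requires the From domain and the d= tag to match exactly. The public-suffix set below is a constructed stand-in; a real verifier loads the full Public Suffix List.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (real verifiers load the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed headers mirroring the scenario in the thread (not a real message).
FROM_HEADER = "username@server.example.com"
DKIM_HEADER = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; h=from:to:subject; bh=...; b=..."


def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def from_domain(from_header: str) -> str:
    """Extract the domain of the RFC5322.From address."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()


def dkim_aligned(from_header: str, dkim_header: str, mode: str = "relaxed") -> bool:
    """DMARC DKIM alignment: strict = exact match, relaxed = same organizational domain."""
    fd = from_domain(from_header)
    d = parse_dkim_tags(dkim_header).get("d", "").lower()
    if not fd or not d:
        return False
    if mode == "strict":
        return fd == d
    return organizational_domain(fd) == organizational_domain(d)


if __name__ == "__main__":
    for mode in ("relaxed", "strict"):
        print(mode, dkim_aligned(FROM_HEADER, DKIM_HEADER, mode))
```

With the default DMARC policy setting (adkim=r, relaxed) the apex-domain signature aligns with the subdomain From address; a domain publishing adkim=s would reject it.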
 
So everything worked out? (Just to make sure that was your original request.)

Regarding "Sign all Outgoing Mail": that was originally added, and if it's enabled no prefix matching is done and the mails simply take the complete domain as signing domain - https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_dkim
In hindsight it probably makes sense in very few setups ... I'll try to reword the documentation at least.
 
Yes, my issue is solved.

You really should reword the "Sign all Outgoing Mail" option itself.

I would also like an option to block mail that PMG can't sign for any reason, but that can go in another post or something.
 
Hm - what exactly is your use case? Why is it better to drop a mail than to send it out without a DKIM signature?
Which mails in your environment are not signed (despite coming from domains which are covered by your DKIM domains)?
Maybe there's a different way to achieve what you need...

For completeness' sake - in general the place for feature requests would be https://bugzilla.proxmox.com - but if the scope/need of the feature is not 100% defined, a thread in the community forum is most often a better match.
 
I'd just prefer an admin error email warning of a DKIM error than sending out any unsigned emails.

My use case is an outbound only relay for a network that signs all mail.