May 20, 2020

Now that we have gotten DKIM signing to work, I'm sitting here thinking: what if the worst-case scenario came to pass..

All devices get encrypted.

Handing out the TXT record that the users need to enter into their DNS servers: what if it changes, so you have to start from scratch?

This got me thinking: can this be handled by a CNAME entry? If a selector is domain._domainkey, can't the client just use a CNAME like this:

domain._domainkey.domain.com CNAME domain._domainkey.domain.net

so that if a server asks for domain._domainkey.domain.com it will be redirected to domain._domainkey.domain.net, which has the DKIM signing key that is needed. This will make it easier to manage the DKIM signing for multiple clients. And domain._domainkey.domain.net is a TXT value with the correct signing key.

Otherwise it will be a lot of stress rebuilding and sending out emails to all the clients that use the DKIM signing.

On a first glance this seems like a sensible setup.
A quick search online seems to confirm that this is done by some setups:

One thing that the Cloudflare link points out, though, that should be considered:
In some cases, domains have stored their DKIM records as CNAME records that point to the key instead; however, the official RFC requires these records to be TXT.

In my experience CNAME records work fine in almost all cases - but I have not tried explicitly setting them up for DKIM keys.
Just give it a try (with a less important domain).

Would be great if you share your experiences here!

Hello again.

After some tests it works.. Just make a CNAME that points like this:

selector._domainkey.domain.net CNAME to selector._domainkey.domain.com

selector._domainkey.domain.com holds the signing key.

Authentication-Results: spf=pass (sender IP is xxx.xxx.xxx.xxx)
smtp.mailfrom=domain.net; dkim=pass (signature was verified)
header.d=domain.net;dmarc=pass action=none
header.from=domain.net;compauth=pass reason=100

Thanks for sharing your details and success story!

One technical possibility (which I'd consider rather unlikely) is that some DKIM-verifier implementation out there insists on the record being a TXT record as the cloudflare docs say (although AFAIR CNAMEs should be honored in all cases).

Well, the CNAME points to a TXT record, but you never know. I'm just thinking about a good implementation in case of a Total Disaster..

Microsoft does this with their Office 365 approach... selector1 and selector2 CNAME to a selector1 etc. etc.

Just adding here that this is how Mailchimp does it when you use your own domain with them: adding a CNAME to your domain, pointing to theirs.

So whether it works long term depends on whether the receivers are looking for a TXT record specifically or not. :)
(i.e. following dkim standard or not)
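An added example (not from this thread, Proxmox, or any verifier implementation) showing why the CNAME setup works with verifiers that resolve normally and why it fails with the hypothetical strict receiver discussed above. It uses a constructed in-memory zone instead of real DNS, with the same names as the posts above, and also shows the CNAME-loop case a resolver has to guard against.

```python
"""Resolve a DKIM selector record the way a verifier does, using a constructed
in-memory zone, following a CNAME to the TXT record that holds the key."""

# Constructed sample zone (not real records): the client's domain delegates its
# selector to the provider's domain via CNAME, as described in the thread.
# The "loop" entries are a constructed misconfiguration to exercise loop handling.
ZONE = {
    "selector._domainkey.domain.net.": ("CNAME", "selector._domainkey.domain.com."),
    "selector._domainkey.domain.com.": ("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekey"),
    "loop._domainkey.domain.net.": ("CNAME", "loop._domainkey.domain.org."),
    "loop._domainkey.domain.org.": ("CNAME", "loop._domainkey.domain.net."),
}

def lookup_dkim_txt(name, zone=ZONE, follow_cname=True, max_hops=8):
    """Return the TXT data for `name`, following CNAMEs up to max_hops.
    follow_cname=False models the hypothetical strict verifier from the thread
    that only accepts a TXT record at the queried name itself.
    Returns None when no usable TXT record is reached."""
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, data = rec
        if rtype == "TXT":
            return data
        if rtype == "CNAME" and follow_cname:
            name = data  # restart the query at the canonical name
            continue
        return None
    return None  # CNAME loop or chain longer than max_hops

def parse_dkim_record(txt):
    """Parse 'tag=value; tag=value' (RFC 6376 tag-list syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)  # base64 padding '=' stays in the value
            tags[k.strip()] = v.strip()
    return tags

def dkim_key_for(selector, domain, **kw):
    """Fetch and parse the key record for selector._domainkey.domain.
    Returns the tag dict, or None if unusable (missing, no p= tag, loop)."""
    txt = lookup_dkim_txt(f"{selector}._domainkey.{domain}.", **kw)
    if txt is None:
        return None
    tags = parse_dkim_record(txt)
    return tags if "p" in tags else None
```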
