[SOLVED] Help with DKIM key pairs

Jun 10, 2021
Maryland, USA
use case: multi tenant mail gateway

If I understand DKIM correctly, a key pair has to be generated for each domain.

However, pmg only has the ability to use one private key.

How can pmg sign emails for multiple domains with only one key?

I don't think it'll work, or I don't fully understand how DKIM works.

Pleas help!

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
If I understand DKIM correctly, a key pair has to be generated for each domain.
Not necessarily - from RFC6376 (https://datatracker.ietf.org/doc/html/rfc6376):

Elements in the mail system that sign messages on behalf of a domain
are referred to as Signers. These may be MUAs (Mail User Agents),
MSAs (Mail Submission Agents), MTAs (Mail Transfer Agents), or other
agents such as mailing list exploders.

A DKIM signature should just ensure that the signing entity (your PMG) has seen that message and trusts it's origin.

Which is the private key and which is the public key?
the DNS-TXT record as presented in the GUI is just the DNS text record (it contains the public key after the 'p=' )
The format is what opendkim-genkey outputs (which is a line that you can directly enter into bind zone-file).
You need to add the DNS record to each domain's zone file for which you like to sign mail - sometimes it might be necessary to edit the output
(remove the quotes (") and stick both parts of the private key together.

The private key can be found in /etc/pmg/dkim/<selector>.private

I hope this explains it!
  • Like
Reactions: fgams


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!