Whitelisting based on [internal] DKIM

DynFi User

Renowned Member
Apr 18, 2016
Handling some complex scenarios and would like to know if It is possible to set a rule that will whitelist internal transfered e-mail based on [internal] DKIM signature.

E-mail would be first signed by an internal MTA, before being delivered to PMG, and we would need to:

  1. whitelist based on DKIM signature
  2. remove header with DKIM signature
  3. sign with the proper key
  4. transfer for delivery

Can I do that with existing tools in PMG ?
whitelist based on DKIM signature
This is not really possible by just using the GUI - you can approximate that by setting a very high negative score on the DKIM_VALID rules in spamassassin - use custom score. - However keep in mind that the SpamAssassin configuration is the same for inbound and outbound mails - so that might not be the best idea

remove header with DKIM signature
completely removing a header is not possible - you can just change it's value with a modify field action

  1. sign with the proper key
  2. transfer for delivery
This is built-in with the DKIM-signer of PMG - the mails get signed after passing through the rule system

Additionally - your DNS server needs to return the DKIM-Key to your PMG upon request (i.e. you might need some kind of split-DNS setup)

I hope this helps!


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!