DKIM catchall wildcard

Hi,

I am trying to configure a DKIM signing setup we used in PMTA

  1. all mail will be signed by key A and domain “domainA.com”

  2. If there is a dedicated key configured for the sender domain use that key as second DKIM signature or use another default key

So we have always 2 DKIM signatures for each mail.

I tried to set this up using the ‘policy-extras.dkim_sign’ and a /opt/kumomta/etc/policy/dkim_data.toml file.
My idea was to use something like this, but that seems not to work.

[base]
additional_signatures = ['domainA.com']
headers = [
  "From", "Reply-To", "Subject", "Date", "To", "Cc",
  "Resent-Date", "Resent-From", "Resent-To", "Resent-Cc",
  "In-Reply-To", "References", "List-Id", "List-Help",
  "List-Unsubscribe", "List-Subscribe", "List-Post",
  "List-Owner", "List-Archive"
]

[domain.'domainB.org']
selector = 'mailing'
filename = '/opt/kumomta/etc/dkim/domainB.org/mailing.key'

[domain.'*']
selector = 'mailing'
filename = '/opt/kumomta/etc/dkim/default/mailing.key'

[signature.'domainA.com']
policy = 'Always'
selector = 'mailing'
domain = 'domainA.com'
filename = '/opt/kumomta/etc/dkim/domainA.com/mailing.key'

Is there a way to configure my wanted setup with the dkim policy helper?

That’s what ‘additional_signatures’ does, second sign everything.

See How Can I Apply Multiple DKIM Signatures to a Message? - KumoMTA Docs

Yes, this will be “domainA.com” signature.

We like to have an additional conditional signature:

When sender is “domainB.org” use
‘/opt/kumomta/etc/dkim/domainB.org/mailing.key’
else use
‘/opt/kumomta/etc/dkim/default/mailing.key’

The DKIM helper is good for basic signing cases. If you need to sign conditionally or need logic to determine a key, then you should do it with Lua.
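
A sketch of the Lua approach suggested in the last reply, added here as an example and not taken from the thread or from the KumoMTA project. It assumes mail arrives over SMTP, the keys are RSA, and the fallback signature uses the sender's own domain as `d=` (mirroring the `[domain.'*']` stanza in the question); the `DEDICATED` table and `make_signer` helper are hypothetical names.

```lua
local kumo = require 'kumo'

-- Header list copied from the [base] block in the question.
local HEADERS = {
  'From', 'Reply-To', 'Subject', 'Date', 'To', 'Cc',
  'Resent-Date', 'Resent-From', 'Resent-To', 'Resent-Cc',
  'In-Reply-To', 'References', 'List-Id', 'List-Help',
  'List-Unsubscribe', 'List-Subscribe', 'List-Post',
  'List-Owner', 'List-Archive',
}

local DKIM_DIR = '/opt/kumomta/etc/dkim/'
local SELECTOR = 'mailing'
local DEFAULT_KEY = DKIM_DIR .. 'default/mailing.key'

-- Hypothetical lookup table: sender domains (lowercase) that have a
-- dedicated key. Anything not listed falls back to DEFAULT_KEY.
local DEDICATED = {
  ['domainb.org'] = DKIM_DIR .. 'domainB.org/mailing.key',
}

-- Hypothetical helper wrapping kumo.dkim.rsa_sha256_signer.
local function make_signer(domain, key_path)
  return kumo.dkim.rsa_sha256_signer {
    domain = domain,
    selector = SELECTOR,
    headers = HEADERS,
    key = key_path,
  }
end

kumo.on('smtp_server_message_received', function(msg)
  -- Signature 1: every message is signed as domainA.com.
  msg:dkim_sign(
    make_signer('domainA.com', DKIM_DIR .. 'domainA.com/mailing.key')
  )

  -- Signature 2: dedicated key when the sender domain has one,
  -- otherwise the default key.
  local from = msg:from_header()
  if not from or not from.domain then
    return -- no parsable From header: keep only the first signature
  end
  local sender_domain = from.domain:lower()
  local key_path = DEDICATED[sender_domain] or DEFAULT_KEY
  msg:dkim_sign(make_signer(sender_domain, key_path))
end)
```

The fallback signature only verifies at the receiver if the sender domain publishes the default key's public half under the `mailing` selector; otherwise that second signature fails validation.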