Submitted by lewisjenkins on Thu, 02/21/2013 - 04:21
DKIM appears to be a global setting in Virtualmin, meaning there is no way in Virtualmin of disabling it for certain domains, as far as I can tell.
Is there a way of enabling / disabling DKIM for individual Virtual Servers? It's worth noting that Plesk (ugh!) has this ability, so it certainly seems possible.
Status:
Closed (fixed)
Comments
Submitted by aitte on Thu, 02/21/2013 - 10:01 Comment #1
I'll just comment to let you know that it is possible, just not in Virtualmin. ;)
It's even possible to assign different keys per-domain.
All it takes is some changes to the dkim-milter configuration.
Submitted by JamieCameron on Thu, 02/21/2013 - 13:46 Comment #2
Currently this isn't supported - DKIM is enabled for all domains with DNS and email enabled.
I'm interested to know why you wouldn't want it enabled for all domains though?
Submitted by aitte on Thu, 02/21/2013 - 14:12 Comment #3
Indeed, I agree with Jamie, you really should have it enabled for all domains. The performance hit is negligible and having signed emails is a great thing. Moreover, there really is no reason to have different keys per domain. By the time one key is cracked, you are going to be long dead. Having multiple different keys increases complexity without increasing security.
Submitted by lewisjenkins on Wed, 03/06/2013 - 17:34 Comment #4
My reason was that occasionally it's not ideal to use DKIM signing for certain clients.
One example would be if they are using third-party services that send additional outgoing mail on their behalf. Many third-party services have their own signing, but some don't, so those mails could fail DKIM checks, depending on the policy.
Another example is that very occasionally one of my client's outgoing emails to one of his clients will bounce back because of a failed DKIM check. Not because of anything wrong at our end, but usually because a receiving mailserver is badly configured, falsely identifying our legitimately signed email as a DKIM fail and deleting / bouncing. So I explain to my client that it's not us at fault, it's the receiving mail server at fault. He says, "I used to be able to send emails to my client with no problems before we switched hosting to you". I say "your previous host didn't use DKIM signing". He says, "well, can't you just disable this DKIM thing? It obviously doesn't work". And in those situations, it's actually easier to switch DKIM off for him than it would be to convince him that DKIM is usually a good thing. He doesn't care about the technology, he just wants his outgoing emails to be received by his own clients, and expects us to make it happen :)
My workaround now is to host DNS elsewhere, and selectively enable DKIM signing for individual domains via the Virtualmin DKIM page, which works great.
Submitted by JamieCameron on Wed, 03/06/2013 - 17:35 Comment #5
Perhaps what Virtualmin needs on the DKIM form is a field for entering a list of domains to not DKIM sign for (even though it would be otherwise possible)?
Submitted by lewisjenkins on Thu, 03/07/2013 - 15:50 Comment #6
Or how about a simple checkbox under Edit Virtual Server > Enabled Features?
Submitted by JamieCameron on Thu, 03/07/2013 - 17:52 Comment #7
That may be over-complex, as in most cases users want DKIM to just work by default.
Submitted by lewisjenkins on Sun, 03/10/2013 - 03:50 Comment #8
I agree, so they would set it in Features and Plugins to be 'on' by default.
Submitted by JamieCameron on Sun, 03/10/2013 - 12:18 Comment #9
I've implemented this as a separate field on the DKIM page for entering domains to exclude.
Submitted by lewisjenkins on Tue, 03/12/2013 - 03:37 Comment #10
Thank you! :)