opendkim – Postfix from rewriting (smtp_generic_maps) + DKIM

We have an SMTP server for the application emails which should do the following:

  1. change “From” for all emails
  2. sign emails with DKIM

I have set up postfix rewriting with smtp_generic.

The default flow is like that:

  1. Email comes to postfix
  2. OpenDKIM will sign it
  3. smtp_generic_maps will change the header
  4. email will be delivered

The problem: with the default setup, smtp_generic_maps will overwrite the DKIM header.

Any suggestions? Examples of how to change the order are very welcome.
I imagine that one way could be to create separate postfix instances for both tasks.
One that will do the “From” rewriting (smtp_generic_maps) and a second instance that will add DKIM and send it out.

A similar issue is here; sadly, no examples from the file ☹

Chook posts: “I solved this problem by using the postfix advanced
filter and adding the opendkim milter on the final phase.”

Postfix generic changes causing DKIM permerror

The configuration is:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters


PidFile /run/opendkim/
Mode sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
SendReports yes
SoftwareHeader  yes
Canonicalization    relaxed/relaxed
Selector    default
MinimumKeyBits  1024
KeyTable    /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
OversignHeaders From

linux – DKIM Validating Signature, Result = Fail Details: Body Has Been Altered

I have 2 mail servers:
Main Mail Server = Microsoft Exchange Server
Secondary Mail Server = Ubuntu Postfix, only as SMTP Relay.
The Exchange Server is using Ubuntu Postfix SMTP as a smarthost,
and the problem is that Exchange Server needs to use third-party software to integrate with DKIM.
I used DKIM Exchange( as the third-party software,
by following this tutorial
but got a problem: when checking the DKIM signature on
I got an error like this:

DKIM Information:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256;; s=default;
c=relaxed/relaxed; t=1619877233; h=from:subject:to:date:message-id;

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: s= Selector: default
q= Protocol:
bh= iOObCKJdXN6HiMEEGHi3hTEvUHxZe5CdQrWy7paoGeo=
h= Signed Headers: from:subject:to:date:message-id
b= Data: KHjroY6llEGwgpFXQwvTggVvN8pWkRarZfbxPMWZ3J6axLy7fngoJ7VXA/AJB9sc/N+UasENrvy

Public Key DNS Lookup
Building DNS Query for
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq4UV1gOKAQ+Gr9BmFSrGZbo3ll16g8itrrEwBckyGRYD2g+DKINm5fUYNUxn2bILpeh3AT2gJnbGydQNc7p02Hia1H/jnKDbvTfvnmcUQGHLQGYsnSgIJM3f+B5qrpyjfNufyrSr4L4YCBUr1o0KoN4p2p97iOr+MQiHY4sYIDPAcsaQ4zpAcxDmmSbtXbbBdYileN7Anpkm9ODJtNNNZzxH68jFI7ioVjInX8G1mWLKP4sxPoTa86R5C/zu97a0agXPusrCd1bWGKPxFhCUvJpFzdICUdLsVo9mEwbB12kpGrplYPgOb6B1YKn3iu/XBezv/8EIjG/N7+hAEz9C1wIDAQAB

Validating Signature
Result = fail
Details: body has been altered

Does anyone have the solution for this? The DKIM record is valid but the DKIM signature is failing…
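The two posts above fail for the same reason: something between the signer and the verifier changed signed material. The first post rewrites the From header after OpenDKIM has signed it (breaking the header hash carried in b=), the second has a relay altering the body (breaking the bh= body hash). The following Python script is an added example, not code from either post or from OpenDKIM; it implements the relaxed/relaxed canonicalization from RFC 6376 that both configurations use, and shows which modifications survive it and which do not. The message, headers and domain names are constructed; the RSA step that turns the header digest into the b= value needs the private key and is not reproduced.

```python
import base64
import hashlib
import re

# Relaxed body canonicalization (RFC 6376, section 3.4.4): strip trailing
# whitespace on every line, collapse runs of spaces/tabs to one space, drop
# empty lines at the end of the body, and end with a single CRLF.
def canon_body_relaxed(body: bytes) -> bytes:
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

# bh= tag value: base64 of SHA-256 over the canonicalized body.
def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()

# Relaxed header canonicalization (RFC 6376, section 3.4.2): lowercase name,
# unfold continuation lines, collapse whitespace, no whitespace around the colon.
def canon_header_relaxed(name: str, value: str) -> bytes:
    value = re.sub(r"\r\n[ \t]+", " ", value)           # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse and trim WSP
    return f"{name.lower()}:{value}\r\n".encode()

# Digest of the data the signer's RSA key signs (b= is the RSA signature over
# this hash). Headers listed in h= are taken bottom-up, one instance per
# mention; a name listed more times than it occurs (OversignHeaders From)
# binds "no further From header may be added" without contributing bytes.
def signed_header_digest(headers, h_list, dkim_sig_value: str) -> str:
    data = b""
    used = {}
    for name in h_list:
        key = name.lower()
        instances = [v for n, v in headers if n.lower() == key]
        idx = used.get(key, 0)
        if idx < len(instances):
            data += canon_header_relaxed(name, instances[-1 - idx])
            used[key] = idx + 1
    sig_without_b = re.sub(r"b=[^;]*", "b=", dkim_sig_value)
    data += canon_header_relaxed("DKIM-Signature", sig_without_b).rstrip(b"\r\n")
    return hashlib.sha256(data).hexdigest()

# Constructed sample message (not from the original posts).
BODY = b"Hello,\r\n\r\nPlease find the report attached.  \r\nRegards\r\n\r\n"
HEADERS = [
    ("From", "app@example.com"),
    ("Subject", "Weekly report"),
    ("To", "user@example.net"),
    ("Date", "Sat, 1 May 2021 13:53:53 +0000"),
    ("Message-ID", "<constructed-1@example.com>"),
]
H_LIST = ["from", "subject", "to", "date", "message-id", "from"]  # From oversigned
SIG_VALUE = ("v=1; a=rsa-sha256; d=example.com; s=default; c=relaxed/relaxed; "
             "h=" + ":".join(H_LIST) + "; bh=" + body_hash(BODY) + "; b=")

def demo():
    original = signed_header_digest(HEADERS, H_LIST, SIG_VALUE)
    # Relay rewrites From after signing (what smtp_generic_maps does): b= no longer verifies.
    rewritten = [("From", "noreply@example.org") if n == "From" else (n, v) for n, v in HEADERS]
    # Relay changes only whitespace: relaxed canonicalization absorbs it, bh= still matches.
    whitespace_only = BODY.replace(b"Regards", b"Regards \t") + b"\r\n"
    # Relay appends a footer: the verifier reports "body has been altered".
    footer_added = BODY + b"-- \r\nScanned by relay\r\n"
    return {
        "from_rewrite_breaks_b": signed_header_digest(rewritten, H_LIST, SIG_VALUE) != original,
        "whitespace_keeps_bh": body_hash(whitespace_only) == body_hash(BODY),
        "footer_breaks_bh": body_hash(footer_added) != body_hash(BODY),
    }

if __name__ == "__main__":
    print(demo())
```

Run it and all three flags come back True: whitespace-only changes are tolerated by relaxed canonicalization, while a rewritten From or an appended footer changes the signed data. When a verifier says "body has been altered", comparing the bh= in the signature with body_hash() of the message as received tells you whether the relay touched the body; if bh= matches but b= fails, look at the signed headers instead.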

domain name system – Is it “safe” to remove an old DKIM record?

I have some old DKIM records from when I used a sending service that I no longer use and I’m wondering if it’s safe to remove them.

The last time an email was sent via this service was over a year ago. Is there an acceptable timeframe after which it’s ok to remove these old records, or are signatures likely to be rechecked by Exchange or some other server at a later date?

email – Why is DMARC failing when SPF and DKIM are passing?

This is complicated, so here is a shot at an explanation.

For DMARC to work, you need alignment of either the SPF or DKIM domain with the body From address. There are three places this matters.

  1. The body from address: (5322.From)
  2. The DKIM domain: (d=)
  3. The header.from address: (RFC5321.MailFrom)

How many From addresses are there?

There are two – the message body and the SMTP server’s MailFrom address.

How they all work

You set your “from address” in the message body. In this case it’s

Right before your SMTP server contacts the remote SMTP server, it signs the message using DKIM, and specifies where the receiving server can find the public key to validate the DKIM. (this is the d= and s= part of the dkim signature).

Then your email service sets the header.from address when it does the backend communication from your SMTP server to the recipient’s SMTP server. There is a whole handshake happening that you don’t need to worry about. (This is where it says the SPF and server IP address.)

An aside

It’s amazing that you can legally send email with a made-up body From address, any SMTP SPF address, and any DKIM signature. Without aligning them, they are nearly pointless for email. There is a ton of machine learning to figure out which SMTP servers to trust, and which DKIM domain signatures to trust.

Looking at the DMARC

jon$ dig txt +short

This says that there is no policy specified. Have a look here:

Looking at the DKIM

It looks up the signature and verifies it against the DNS entry.

jon$ dig txt +short
"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDzpFrEAH9dbkLukLvwesHGWRDc+JCBkvzQYTpptOR+uz4brRd1V8VDPHPpQH7wRvNMhVh/LhTkPMBXtpJjeedqU2rfDlH8y81O+VweutuI4AHOfBL4PJSHNxZ1Qbw7D3+080AsoDXqphbSZXfi9wnSP5X5bcocLqW+1MwNq854wIDAQAB"

You need to host a DKIM key at your domain and point AWS to use it.

Looking at the SPF, these are the records looked up:

jon$ dig txt +short
"v=spf1 ~all"
jon$ dig txt +short
"v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ~all"

The first ip4 is a mask that includes the SMTP server IP address of, which is why SMTP passed.

You need to configure AWS to send a custom header.from that matches your sending domain; for example, set up a header that maps to the AWS SMTP servers – see here for details:

Once they are all the same domain, DMARC will work.
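The alignment logic described in this answer can be checked mechanically. The Python below is an added example, not code from the answer or from any DMARC implementation: it parses a DMARC TXT record for its p=, adkim= and aspf= tags and decides whether a message passes DMARC from three facts a receiver has, the RFC5322.From header domain, the RFC5321.MailFrom envelope domain with its SPF result, and the d= domain of a DKIM signature that verified. All domain names and records are constructed, and org_domain() is a deliberate simplification (last two labels) where a real evaluator would use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Authentication facts a receiver has for one message (constructed inputs).
@dataclass
class AuthResult:
    from_domain: str            # RFC5322.From header domain (what the user sees)
    mailfrom_domain: str        # RFC5321.MailFrom envelope domain (what SPF checks)
    spf_pass: bool              # SPF result for the connecting server
    dkim_domain: Optional[str]  # d= of a signature that verified, None if none did

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tags, e.g. p=, adkim=, aspf=."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    # Assumption for this example: the organizational domain is the last two
    # labels. Real DMARC evaluators consult the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    candidate, from_domain = candidate.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)

def dmarc_evaluate(result: AuthResult, record: str) -> Dict[str, object]:
    tags = parse_dmarc(record)
    adkim = tags.get("adkim", "r")  # both alignment modes default to relaxed
    aspf = tags.get("aspf", "r")
    dkim_aligned = result.dkim_domain is not None and aligned(result.dkim_domain, result.from_domain, adkim)
    spf_aligned = result.spf_pass and aligned(result.mailfrom_domain, result.from_domain, aspf)
    return {
        "policy": tags.get("p"),  # None means the record specifies no policy
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,
    }

RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Constructed scenario: a third-party sending service signs with its own domain
# and uses its own bounce domain. SPF and DKIM both pass, but neither is aligned.
UNALIGNED = AuthResult("example.com", "bounce.sender.example.net", True, "sender.example.net")
# After hosting a DKIM key at example.com and configuring a custom MailFrom subdomain.
ALIGNED = AuthResult("example.com", "mail.example.com", True, "example.com")

if __name__ == "__main__":
    print(dmarc_evaluate(UNALIGNED, RECORD))
    print(dmarc_evaluate(ALIGNED, RECORD))
```

The unaligned case is exactly "SPF pass, DKIM pass, DMARC fail": the passes belong to the provider's domains, not to the From domain. Switching aspf= or adkim= to s shows why a subdomain such as mail.example.com is enough under relaxed alignment but not under strict.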

email server – DKIM failure on postfix

I’m configuring DKIM to sign multiple domains with the same key on Postfix. I followed this tutorial
with s=mail.
This is the SigningTable: *
This is the KeyTable: %:mail:/etc/opendkim/keys/default.private

My TXT DNS record is on the main domain (server domain name), here: . It works great when I send an email from using my FROM address as:

The problem is with other domains using my Postfix server. When I send an email using my FROM address as: (I configured DKIM, DMARC and SPF on otherDomain’s DNS zone),
the DKIM signature is added, but using otherDomain as the domain value tag, and the DKIM signature fails only on: dkim=fail (signature did not verify).
But it passes on Gmail (DKIM: PASS) and on I get 10/10.

Email – What is the appropriate DMARC configuration for a domain that should work hard under DKIM but not work under SPF?

Messages sent from my domain are always DKIM signed, and all non-messages should be immediately discarded by the recipients. However, strict enforcement of SPF leads to problems where internal rules for forwarding emails and other implementation details lead to incorrect errors. What is a suitable constellation of SPF, DKIM and DMARC data sets to cause receiving systems to treat DKIM errors as an absolute “stop delivery, it is surely spam”, but SPF only as a hint?

SPF and DKIM targeting fail on some large batch emails

We send a large number of emails (hundreds of thousands) mainly for our customers. Of course, we have properly configured SPF, DKIM, and DMARC records for all domains that use us. We pass all tests with various SPF and DKIM validators, and the vast majority of emails are delivered without problems.

The problem is that there are some emails in almost every delivery where we get a DMARC error report for no apparent reason.

none 100
123.456.789.101 1 none pass fail k1 pass mfrom pass

This happens only with very few emails, say 1%. Most emails go through.
Any experience with it?