As stated by Atro, I want to confirm that my goal is exactly to do what many international ESPs are already doing: use a double DKIM signature, one for the customer’s domain and one for the ESP domain.
I don’t believe there is anything inherently wrong in trying to achieve the same pattern, especially given how common it seems to be in real-world deployments. My intention is not to tell anyone how they should run their setup, but simply to understand how (and IF IT IS POSSIBLE) to implement this correctly and safely on my side.

As an additional note, I’ve already managed to achieve the double-signing setup in practice by not using MySQL for now, but instead relying on simple text-based KeyTable/SigningTable files with the appropriate references. This lets me produce two DKIM signatures per message (customer domain + ESP domain) in a straightforward way, even before moving to a fully database-driven configuration.

-F

-----Original message-----
From: Atro Tossavainen via Postfix-users <[email protected]>
Sent: Sunday, 21 December 2025 09:58
To: [email protected]
Subject: [pfx] Re: Double DKIM signing (two domains) with Postfix + OpenDKIM using only MySQL

> This comes across aggressively.

Oh? That's funny, because to me, your original comment did. The original poster stated a goal and your comment seemed to imply they were completely off their kilter in wanting it. Hence, I would like to continue to ask what it is exactly that makes you think you're better suited to making their decisions (such as setting their original goals) than they themselves are. Without any aggression, I'm genuinely just wondering.

> I also disagree with your premise that adding an extra signature does
> anything helpful. Email should only have one from header and alignment will
> only match up to the one domain in that from header. All additional
> signatures will be ignored in DMARC validation.
In DMARC validation, yes, but if a receiving platform decides on lesser grounds whether to allow incoming messages, such as based on the message having any valid DKIM signatures at all (which I don't know if they do, but which is certainly a possibility; I read the Yahoo bulk sender guidelines in a way that confirms my hypothesis, to me, at least), then if you have two that are valid, you can afford to mess up one and still be within the guidelines.

I am also simply observing (based on having deliberately received and analysed significant quantities of ESP mail in spamtraps for 10+ years) that what the OP wants to do is something that ESPs do quite commonly. So they're clearly not that off their kilter.

Over the past month, we have observed this behaviour from customers of Amazon SES, SAP Emarsys, Salesforce Marketing Cloud, Adobe Marketo, ActiveCampaign, Klaviyo, Hubspot, Constant Contact, Zeta Interactive, Dotdigital, MailerLite, Zoho Campaigns, Listrak, Campaigner, Mailchimp, Benchmark Email, Diennea, Netcore Cloud, Upland Adestra, Salesmanago, Go Daddy, Google, Oracle Marketing Cloud, WhatCounts, at the very least.

So the original poster is certainly not alone, and in decent company, wanting to do this, or what do you think?

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
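The two positions in this thread can be compared on a double-signed message: which signatures DMARC can use (only those aligned with the From: domain) and which a looser "any valid DKIM signature" check would count. The following is an added example, not code from any poster or from OpenDKIM; the domains, the sample Authentication-Results value and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re

# Constructed sample: Authentication-Results value a receiver might record for a
# double-signed message (customer.example and esp.example are placeholder domains).
SAMPLE_AR = (
    "mx.receiver.example; "
    "dkim=pass header.d=customer.example header.s=sel1; "
    "dkim=pass header.d=esp.example header.s=esp2025; "
    "spf=pass smtp.mailfrom=bounce.esp.example"
)

def org_domain(domain):
    """Crude organizational domain: the last two labels.
    Assumption for this sketch; real DMARC code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_results(ar_value):
    """Return [(result, d_domain)] for each dkim= clause of the header value."""
    out = []
    for clause in ar_value.split(";"):
        m = re.match(r"\s*dkim=(\w+)", clause)
        if not m:
            continue  # authserv-id, spf=, dmarc= and other clauses
        d = re.search(r"\bheader\.d=([^\s;]+)", clause)
        out.append((m.group(1).lower(), d.group(1).lower() if d else ""))
    return out

def evaluate(ar_value, from_domain, strict=False):
    """Summarise what each signature contributes for a given From: domain."""
    from_domain = from_domain.lower()
    passing = [d for result, d in dkim_results(ar_value) if result == "pass"]
    if strict:   # adkim=s: d= must equal the From: domain exactly
        aligned = [d for d in passing if d == from_domain]
    else:        # adkim=r: organizational domains must match
        aligned = [d for d in passing if org_domain(d) == org_domain(from_domain)]
    return {
        "valid_signatures": passing,   # what an "any valid DKIM" check counts
        "dmarc_aligned": aligned,      # what DMARC's DKIM check can use
        "dmarc_dkim_pass": bool(aligned),
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE_AR, "news.customer.example"))
    # Customer signature broken: no aligned signature, one valid signature left.
    broken = SAMPLE_AR.replace("dkim=pass header.d=customer", "dkim=fail header.d=customer")
    print(evaluate(broken, "news.customer.example"))
```
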
