DKIM for relayed domain (rspamd)

If you need to send e-mail from one domain using not default MX server with all header info correctly rewritten this is guide for you.

Real world scenario:

  • there is MX server for domain that you use for normal delivery for users from,
  • there is also phpList service on the very same server that you want to use for massmailing but you want your emails to look like sent from domains: and, with all SPF, DKIM things magically written in headers,
  • you are able to edit DNS records and change configuration of Postfix and rspamd.

Quick solution is like that:


The two emails you need to be used in phpList configuration are:

Add local emails account to your Postfix, I will not cover it here because there are many methods to do it. For this solution I will choose: (will be used for (will be used for

Check if you really can authorize and send emails, just to not mess with it when something will not work later.

In a Postfix configuration (/etc/postfix/ allow your server to be relay for both kurka.pland

relay_domains =,

Then add following line which will instruct Postfix how to map particular local emails to emails from both external domains:

smtp_generic_maps = hash:/etc/postfix/rewrite_phplists

Content of /etc/postfix/rewrite_phplist is:

Do you see how they maps togheter? OK, now make hash table from this file:

cd /etc/postfix
postmap rewrite_phplist

Do ls to check if rewrite_phplist.db file were created.

If so, reload Postfix:

systemctl reload postfix


Add IP address of to your SPF record in your DNS zone form, it should be something like:

"v=spf1 a mx ip4:yyy.yyy.yyy.yyy  ~all"

where yyy.yyy.yyy.yyy is IP of, and of

Then same for

"v=spf1 a mx ip4:zzz.zzz.zzz.zzz ~all"

where zzz.zzz.zzz.zzz is IP of, and IP is for… gues what? Of course, also


Now, we need DKIM keys for both extrenal domains. I presume that you already have DKIM records in your DNS zone. I will not cover it here, look for it in Internet or ask you local guru.

Copy both DKIM keys on server into /var/lib/rspamd/dkim/ folder. Key for should already be there as dupa.key.

Let’s say keyfile for is named: kurka.key and keyfile for is named: wodna.key.

Now edit file /etc/rspamd/local.d/dkim_signing.conf and put following directives in it:

### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;

# If true, envelope/header domain mismatch is ignored
# it will allow to sign emails from external domains
allow_hdrfrom_mismatch = true;

# This allows to sign also local emails
sign_local = true;

# This maps domains with corresponding keys
domain {
        # DUPA.COM (we want sign original emails) {
        # Private key path
        path = "/var/lib/rspamd/dkim/dupa.key";
        selector = "dupa2022";
        # {
        # Private key path
        path = "/var/lib/rspamd/dkim/kurka.key";
        selector = "kurka2022";
        # WODNA.ORG {
        # Private key path
        path = "/var/lib/rspamd/dkim/wodna.key";
        selector = "wodna2022";

Save it and copy file /etc/rspamd/local.d/dkim_signing.conf to /etc/rspamd/local.d/arc.conf:

cd /etc/rspamd/local.d/
cp dkim_signing.conf arc.conf

Now, restart rspamd:

systemctl restart rspamd

Now, it should work.

You can check it with following tool:

In case something is wrong you can check rspamd log for DKIM errors, add following lines to /etc/rspamd/local.d/

type = "file";
filename = "/var/log/rspamd/rspamd.log";
level = "error";
debug_modules = ["dkim_signing"];

Then look what happens in log file:

tail -f /var/log/rspamd/rspamd.log

Remeber to comment out last line when you will finish debbuging.

Thanks for listening, don’t comment (no comments), you can share it wherever you want.