DKIM signing for messages from trusted IP | MDaemon Technologies, Ltd.

DKIM signing for messages from trusted IP


  • Hi,

    How can I configure MDaemon to DKIM sign outgoing messages coming from a trusted IP? The DKIM key has been created, the policy for the sending domain has been specified in DKsign.dat, but messages are sent without a DKIM signature.

    Thanks.



  • "In order for a message to be signed, it must meet the criteria designated under the Define which messages are eligible for signing button and be received by MDaemon for delivery on an authenticated session. There is also a Content Filter action, "Sign with DKIM selector..." that you can use to cause messages to be signed."

    https://help.mdaemon.com/MDaemon/en/security--dkim_sign.html

    So if you can't send the message via an authenticated session, you'll have to use a content filter rule to sign it.


  • Arron, 
    thanks for the advice. Unfortunately, it didn't work for me. Messages are not signed according to the rule in the Content Filter. Here is an example of a rule from CFRules.dat 

    [Rule001]
    RuleName=Test
    Enable=Yes
    ThisRuleCondition=Any
    ProcessQueue=REMOTE
    Condition01=FROM|contains|AND|mail@domain.com|
    Action01=dkim sign|"MDaemon"
    Action02=add line to text file|"c:\111.txt","test"

    In this case a message received from mail@domain.com and trusted IP is sent without the MDaemon DKIM signature, but the "test" string appears in the c:\111.txt file. That is, the rule works but signing does not occur. The "MDaemon" selector exists. 

    What am I doing wrong?


  • In order for MDaemon to DKIM sign a message using the content filter using the sign with DKIM selector or on its own, the message must be received via an authenticated session. There is one way around it and we DO NOT recommend that you use it.

    When you DKIM sign a message, you are telling the recipient that this is a valid message from the domain that signed the message.  MDaemon tries to protect the domain by requiring messages be received via an authenticated session. Using a content filter rule to sign a message that was not received via an authenticated session and that is only checking the From header is NOT secure.  

    If at all possible, please do not do this. 

    To sign the message that is not received via an authentication session, change the action of the content filter rule to add an X-MDDKIMSelector header to the message.  The value of the header needs to be s=$SELECTOR$ where $SELECTOR$ is the name of the selector that you want the message signed with.

    Use at your own risk.


  • Arron,

    thank you very much for this method. The messages are now being signed by DKIM. I realize that this method is potentially insecure, so the security of trusted IPs is ensured by other ways.

    Thanks again for the solution.
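
To confirm that outgoing mail really carries a signature made with the intended selector, the headers of a delivered copy can be inspected. The script below is an added example, not part of the thread and not MDaemon code. It parses the DKIM-Signature tag list (RFC 6376) and compares s= and d= against the expected selector and the From domain. It does not verify the signature cryptographically, and the sample messages and the function names are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace left over from header folding is not significant here.
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_signatures(msg):
    """Return one tag dict per DKIM-Signature header in the message."""
    return [parse_tag_list(str(v)) for v in msg.get_all("DKIM-Signature", [])]

def check_signed(raw_message, expected_selector):
    """Return 'missing', 'wrong-selector', 'unaligned' or 'ok'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    sigs = dkim_signatures(msg)
    if not sigs:
        return "missing"
    for tags in sigs:
        if tags.get("s", "").lower() != expected_selector.lower():
            continue
        d = tags.get("d", "").lower()
        # Approximation of relaxed alignment: d= equals the From domain
        # or is a parent domain of it.
        if d and (from_domain == d or from_domain.endswith("." + d)):
            return "ok"
        return "unaligned"
    return "wrong-selector"

# Constructed sample messages; the bh= and b= values are placeholders.
BODY = (b"From: mail@domain.com\r\nTo: user@example.net\r\n"
        b"Subject: test\r\n\r\nbody\r\n")
UNSIGNED = BODY
SIGNED = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com;\r\n"
          b"\ts=MDaemon; h=from:to:subject; bh=Q09OU1RSVUNURUQ=;\r\n"
          b"\tb=Q09OU1RSVUNURUQ=\r\n") + BODY

if __name__ == "__main__":
    for label, raw in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, check_signed(raw, "MDaemon"))
```

A result of "ok" only shows that the header is present and names the expected selector and domain; whether the signature validates still has to be checked by a receiving system that looks up the public key in DNS.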

