Suped

Summary

The overwhelming consensus from experts, email marketers, and technical documentation is that OpenDKIM cannot directly sign the MAIL FROM (Return-Path) address. This is because the MAIL FROM is part of the SMTP envelope, generated by the receiving server during the SMTP transaction, and is distinct from the email headers and body content that DKIM is designed to authenticate. While some suggest that PowerMTA offers methods to manipulate the signing domain or that certain configurations might indirectly include MAIL FROM information, these approaches are not standard, can be complex, and may lead to DMARC alignment issues. OpenDKIM's core functionality focuses on signing headers, with the 'From' and 'Sender' headers being the relevant areas for DKIM authentication in this context.

Key findings

  • MAIL FROM Creation & Location: MAIL FROM is created by the receiving server and resides in the SMTP envelope, not the message content.
  • DKIM Scope Limitation: DKIM primarily authenticates email headers and body, not the SMTP envelope.
  • Non-Standard Configurations: While PowerMTA and specific configurations may offer methods to influence the signing domain, they are not standard and may introduce complexities.
  • DMARC Implications: Manipulating the signing domain without proper consideration can lead to DMARC alignment problems and impact deliverability.
  • Header Focus: DKIM implementations should focus on correctly signing the 'From' and 'Sender' headers for effective authentication.

Key considerations

  • Core Deliverability Practices: Prioritize correct DKIM signing of the 'From' header and DMARC alignment as primary deliverability practices.
  • Alternative Authentication Methods: If MAIL FROM authentication is required, explore alternative email authentication methods that operate at the SMTP level, and consider their compatibility with DMARC policies.
  • Complexity vs. Benefit: Carefully evaluate the complexity and potential risks of non-standard configurations aimed at influencing the signing domain against the limited benefits they provide in terms of MAIL FROM authentication.
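
The scope and alignment points above can be checked on a single message. The following is an added example, not code from OpenDKIM or from any of the quoted sources: it reads the h= and d= tags of a DKIM-Signature, confirms that no envelope-derived field is in the signed set, and compares the d= domain and the envelope MAIL FROM domain against the 'From' header domain. The message, addresses, domains and function names are constructed, and the organizational-domain check is a two-label simplification of what DMARC does with the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, nothing is verified.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=from:sender:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: News <news@example.com>
Sender: mailer@example.com
To: user@example.net
Subject: Hello
Date: Mon, 01 Jan 2024 00:00:00 +0000

body
"""
# Constructed envelope sender: it travels in the SMTP dialogue, not in RAW.
ENVELOPE_MAIL_FROM = "bounce-123@bounces.esp-example.org"


def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def analyse(raw, mail_from):
    """Report which headers are signed and which identifiers align with From."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = [h.lower() for h in tags["h"].split(":")]
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[1]
    envelope_domain = mail_from.rsplit("@", 1)[1]
    return {
        "signed_headers": signed,
        "return_path_signed": "return-path" in signed,
        "dkim_aligned": org_domain(tags["d"]) == org_domain(from_domain),
        "mail_from_aligned": org_domain(envelope_domain) == org_domain(from_domain),
    }
```

For the sample, the d= domain aligns with the 'From' header while the envelope domain does not, so DMARC alignment here depends on the DKIM signature alone.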

What email marketers say

8 marketer opinions

The consensus among email marketers from various platforms is that OpenDKIM does not directly sign the MAIL FROM (Return-Path) address. DKIM primarily focuses on signing email headers and the body. The MAIL FROM address is part of the SMTP transaction and is handled differently, making direct signing with OpenDKIM uncommon and often requiring custom configurations.

Key opinions

  • DKIM Focus: OpenDKIM primarily signs email headers and body, not the MAIL FROM address.
  • SMTP Envelope: The MAIL FROM address is part of the SMTP envelope, handled separately from the message content that DKIM signs.
  • Custom Configuration: Signing the MAIL FROM address may require custom configurations or extensions beyond standard OpenDKIM implementation.
  • DMARC Alignment: DMARC alignment relies on the 'From' header's domain, not the MAIL FROM address.

Key considerations

  • Standard Implementation: Relying on standard OpenDKIM implementations will not sign the MAIL FROM address.
  • Custom Solutions: If signing the MAIL FROM address is a requirement, explore custom configurations or extensions, understanding potential complexities.
  • Alternative Authentication: Consider alternative email authentication methods or configurations if MAIL FROM authentication is critical, while keeping DMARC alignment in mind.

Marketer view

Email marketer from SuperUser forum mentions that the MAIL FROM address isn't typically signed directly because it's part of the SMTP transaction and handled differently from message headers.

6 Jan 2023 - SuperUser

Marketer view

Email marketer from StackOverflow mentions that the email headers and body are signed, therefore OpenDKIM will not authenticate the return path.

4 Apr 2022 - StackOverflow

What the experts say

6 expert opinions

Experts across Email Geeks and Word to the Wise generally agree that OpenDKIM does not directly sign the MAIL FROM address. This is because the MAIL FROM is created by the receiving server, not the sender, and is part of the SMTP envelope, separate from the email headers that DKIM signs. While the 'Sender' header can be signed, and some configurations might allow manipulation of the signing domain, it's not a standard practice. Using PowerMTA can force a domain for DKIM signing, but OpenDKIM doesn't have an obvious way to do this. Managing multiple DKIM keys in OpenDKIM allows selecting a key based on the 'From' address.

Key opinions

  • MAIL FROM Creation: The MAIL FROM address is created by the receiving server, not the sender.
  • DKIM Scope: DKIM primarily signs email headers and not the SMTP envelope (MAIL FROM).
  • Sender Header: The 'Sender' header can be signed by adding it to the SignHeaders setting in OpenDKIM.
  • PowerMTA vs. OpenDKIM: PowerMTA allows forced domain signing, which is less straightforward in OpenDKIM.
  • Multiple Keys: OpenDKIM uses the key that matches the 'From' address when multiple DKIM keys are configured.

Key considerations

  • DMARC Alignment: Be cautious about manipulating the signing domain, as it may lead to DMARC alignment issues.
  • Standard Practices: Signing the MAIL FROM address isn't a standard practice and may not be advisable.
  • Alternative Authentication: If MAIL FROM authentication is critical, consider alternative email authentication methods.

Expert view

Expert from Email Geeks explains that PowerMTA allows you to force set the d=domain for DKIM signing, but OpenDKIM might not have an obvious way to do so. Al suggests trying the IdentityHeader setting in OpenDKIM, but ultimately advises against it due to potential DMARC alignment issues.

13 Aug 2023 - Email Geeks

Expert view

Expert from Email Geeks explains that you can't sign the MAIL FROM address directly with OpenDKIM because it's not a header created at the time of sending. It is created at the time of recipient server receipt.

21 Dec 2021 - Email Geeks

What the documentation says

5 technical articles

Technical documentation from OpenDKIM.org, RFC 4871, Postfix, dkimproxy, and Trusted Domain Project all confirm that OpenDKIM (and DKIM in general) does not directly sign the MAIL FROM address. The primary focus of DKIM is on signing email headers and the body content. The MAIL FROM address, also known as the Return-Path, is part of the SMTP envelope, which is separate from the message content that DKIM is designed to authenticate. While Postfix can integrate with DKIM tools, this integration does not extend to directly signing the MAIL FROM address without non-standard configurations.

Key findings

  • DKIM Scope: DKIM primarily signs email headers and the email body.
  • MAIL FROM Location: The MAIL FROM address is part of the SMTP envelope.
  • SMTP Envelope Exclusion: The SMTP envelope is separate from the message content that DKIM signs.
  • Postfix Integration: Postfix integrates with DKIM tools, but standard configurations don't sign the MAIL FROM address.

Key considerations

  • Standard Practices: Direct signing of the MAIL FROM address is not a standard DKIM practice.
  • Configuration Tweaks: Achieving something similar might require non-standard configuration tweaks.
  • SMTP Transaction: Understand the differences between the SMTP transaction (where MAIL FROM resides) and the message content.

Technical article

Documentation from RFC 4871, which defines DKIM, explains that DKIM signatures apply to the header and body fields of a message. The MAIL FROM is part of the SMTP envelope, which is separate from the message content that DKIM signs.

2 Mar 2024 - RFC Editor

Technical article

Documentation from OpenDKIM.org explains that OpenDKIM primarily signs headers and the body of an email message, and typically does not directly sign the MAIL FROM (Return-Path) address, as this is generated during the SMTP transaction.

14 Feb 2023 - OpenDKIM.org
