Is it possible to sign the MAIL FROM address using OpenDKIM?

Key findings

• Mail From vs. Header From: The MAIL FROM address is an SMTP envelope address, primarily used for bounce handling (Return-Path), whereas the 'From' header is what users typically see.
• DKIM Focus: OpenDKIM, in line with RFC specifications, is designed to sign email headers, not the SMTP envelope MAIL FROM address.
• DMARC Alignment: For DMARC to pass, the domain in the 'From' header (RFC5322.From) must align with the domain signed by DKIM, not necessarily the MAIL FROM (RFC5321.From or Return-Path) address. Learn more about DKIM alignment for DMARC compliance.
• Alternative Solutions: Some specific MTAs (Mail Transfer Agents) like PowerMTA might offer features to manipulate the signing domain, but this isn't standard OpenDKIM functionality for the MAIL FROM.
• Configuration for Headers: OpenDKIM allows you to specify which headers to sign using the SignHeaders setting in opendkim.conf, including the 'Sender' header.

Key considerations

• Adherence to RFCs: Modifying default DKIM behavior to sign the MAIL FROM directly is not aligned with RFC 4871 and could lead to unexpected deliverability issues.
• Deliverability Impact: Prioritize proper DKIM signing of the 'From' header and SPF alignment for the MAIL FROM domain to ensure high email deliverability and domain reputation.
• Configuration Complexity: Attempting to force OpenDKIM to sign in a non-standard way can introduce significant complexity and require extensive testing, often without a beneficial outcome.
• Client Requirements: If a customer requires a specific signing behavior, it is crucial to educate them on DKIM standards and the implications for deliverability, guiding them toward solutions that maintain good email hygiene.

Key opinions

• Client Demands: Marketers frequently face pressure from clients who may have specific, non-standard requirements for DKIM signing, such as signing with a domain they control, even if it's not the primary sending domain.
• PowerMTA Capabilities: Some platforms, like PowerMTA, are noted for their advanced configuration options that allow for more granular control over DKIM signing, including forcing the 'd=' domain in the signature.
• OpenDKIM Limitations: OpenDKIM is perceived as less flexible than some commercial MTAs when it comes to unconventional signing scenarios, particularly concerning the MAIL FROM address.
• Importance of 'From' Header: The 'From' header (RFC5322.From) is recognized as the critical component for DKIM alignment, especially concerning DMARC.

Key considerations

• Educating Clients: It's essential to explain the technical realities of DKIM and DMARC alignment to clients to ensure they understand why certain signing configurations are necessary for deliverability.
• Avoiding DMARC Failures: While some configurations might technically be possible with specific MTAs, they often lead to DMARC failures if not properly aligned, negatively impacting inbox placement. This is particularly important for marketers dealing with DMARC failures due to lack of DKIM signing.
• Simplicity vs. Customization: For OpenDKIM users, adopting a simpler strategy like signing all domains with the same key can ease management, even if it means more keys to rotate, as described by some experts for postfix configurations.
• Subdomain Strategy: Consider if setting up DKIM on a subdomain is a viable strategy for handling different sending needs while maintaining alignment.

Key opinions

• RFC Compliance: Experts concur that RFC 4871 explicitly states the MAIL FROM/Return-Path address should not be part of the DKIM signature.
• SMTP Transaction vs. Header: The MAIL FROM address is transmitted during the SMTP transaction and only appears as the Return-Path header upon recipient server receipt, making it unsuitable for DKIM signing at the sender's end.
• Direct Header Signing: OpenDKIM's primary function is to sign actual email headers such as 'From', 'To', 'Subject', and 'Sender', using the SignHeaders setting.
• Alignment Risks: Attempts to override standard signing behavior, even with MTAs like PowerMTA that offer such options, will likely lead to DMARC failures due to misaligned domains.
• Multiple DKIM Keys: OpenDKIM can manage multiple DKIM keys, automatically selecting the appropriate key based on the 'From' address, simplifying setup for multiple domains on a single server, as detailed by Al Iverson on Spam Resource.

Key considerations

• Best Practices: Sticking to standard DKIM signing of message headers is crucial for reliable email deliverability and authentication. Deviating from these practices creates unnecessary complexity and risk.
• Configuration Complexity: Implementing non-standard signing requires significant effort in configuration and testing, often without yielding positive results for deliverability. This also affects how different mail from headers and domains are handled.
• SPF and DKIM Alignment: Even with dual signing or specific MTA configurations, ensuring both SPF and DKIM align with the 'From' header domain remains paramount for DMARC to pass. Our guide to DMARC, SPF, and DKIM provides a good overview.
• System Choice: The choice of MTA (e.g., Postfix vs. PowerMTA) impacts the flexibility of DKIM configurations, with OpenDKIM integrating as a milter in systems like Postfix.

Key findings

• RFC 4871 Directives: According to RFC 4871, the MAIL FROM (or Return-Path) address is specifically excluded from the cryptographic hash used for DKIM signatures, as it is part of the SMTP envelope and not a message header.
• Header Signing Purpose: DKIM is primarily designed to verify the integrity and authenticity of email headers and, optionally, the message body, protecting them from tampering during transit.
• OpenDKIM Configuration: OpenDKIM configurations typically involve specifying a list of headers to be signed using the SignHeaders directive in its configuration file, reinforcing that it operates on headers.
• Milter Integration: OpenDKIM integrates with MTAs like Postfix via a milter interface, allowing it to process and sign messages as they pass through, but still within the context of message headers.

Key considerations

• Standard Compliance: Adhering to RFCs and standard OpenDKIM configurations is critical for ensuring that DKIM signatures are correctly generated and validated by receiving mail servers worldwide.
• DMARC Implications: DMARC requires alignment between the 'From' header and either the SPF domain (MAIL FROM) or the DKIM signing domain. Deviating from standard DKIM practices for the 'From' header will almost certainly lead to DMARC failures.
• DomainKeys vs. DKIM: While DomainKeys (the predecessor to DKIM) had some different nuances, the current standard (DKIM) focuses on header signing. Understanding DomainKeys and their relevance can provide historical context but modern implementations should follow DKIM.