From 1a3a618a304b1573b5da62754a04f2c6aca147fc Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Sun, 16 Nov 2025 14:44:28 +0100
Subject: [PATCH] rspamd: fix DKIM signing for subdomains

With the eSLD normalization feature in rspamd subdomains actually use the
DKIM key for their parent domain, which simplifies the setup if you serve
multiple subdomains.

We however currently create DKIM key pairs for every given domain
name, no matter if it is a second-level domain or subdomain for one, so
disabling eSLD normalization aligns with the current intent behind our
configuration.

In the future it would be nice if we could reuse the parent domain DKIM
key for all its subdomains, but that requires some thought on how to
achieve that normalization in nixos-mailserver first.
---
 mail-server/rspamd.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index ab46750..d7c8c4f 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -128,6 +128,7 @@ in
                 ${lib.optionalString (cfg.dmarcReporting.excludeDomains != [ ]) ''
                   exclude_domains = ${builtins.toJSON cfg.dmarcReporting.excludeDomains};
                 ''}
+                use_esld = false;
               }''}
           '';
         };