From cbdf90f639660981a55bbf6af86e6cc5f13d2752 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 16 Nov 2025 19:28:19 +0100
Subject: [PATCH] rspamd: fix DKIM signing for subdomains

With the eSLD normalization feature in rspamd subdomains actually use the DKIM key for their parent domain, which simplifies the setup if you serve multiple subdomains. We however currently create DKIM key pairs for every given domain name, no matter if it is a second-level domain or subdomain for one, so disabling eSLD normalization aligns with the current intent behind our configuration. In the future it would be nice if we could reuse the parent domain DKIM key for all its subdomains, but that requires some thought on how to achieve that normalization in nixos-mailserver first. Reapplies 1a3a618a304b1573b5da62754a04f2c6aca147fc to the correct configuration file.
---
 mail-server/rspamd.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 1d0136f..ee48b28 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -114,7 +114,9 @@ in
 path = "${cfg.dkimKeyDirectory}/$domain.$selector.key";
 selector = "${cfg.dkimSelector}";
 # Allow for usernames w/o domain part
- allow_username_mismatch = true
+ allow_username_mismatch = true;
+ # Don't normalize DKIM key selection for subdomains
+ use_esld = false;
 '';
 };
 "dmarc.conf" = {
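Review bot: The new comment above `use_esld = false;` says what the setting does but not why, and the reason is what a later maintainer needs: per the commit message, key pairs are created for every configured domain, so the `$domain` in `path` has to expand to the full domain rather than its eSLD. I would word it as `# Keys are generated per configured domain, so look up the key by the full domain, not its eSLD`. A wrong value here presumably leaves subdomain mail unsigned rather than failing loudly, and the diffstat shows only rspamd.nix changed, so a test that sends from a subdomain and checks the signature's `d=` tag would stop this regressing a second time. The enclosing string and attribute set begin outside the hunk.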