[TODO]: Consider rspamd DKIM config to use selector_map #3778

@polarathene

Description

Referencing my review comment here, selector_map might be a good approach for automating generation of multiple DKIM selectors when necessary. It's unlikely our path convention would change, and as per the PR contribution, a standard path convention / template can use variables for the selector (with a default fallback) and domain.

    # local.d/dkim_signing.conf
    try_fallback = true;
    path = "/tmp/docker-mailserver/dkim/keys/$domain/$selector.private";
    selector_map = "/etc/rspamd/dkim_selectors.map";
    selector = "mail";

  • try_fallback = true; AFAIK is to permit fallback to that default selector variable.

  • path is the template used, where $domain is the domain being handled (defaults to MIME From (message header), not SMTP From mail header (envelope sender) although you can configure for that), and $selector will either be mail from above, or changed to a matching selector if found in selector_map.

  • A selector_map is just a key/value pair per line delimiting key/values by white-space. If a domain matches, it'll use that selector:

    example.com dkim-example
    another-domain.com another-selector
    

Additional Notes

I'm not 100% sure how that works for domains with multiple selectors available, such as to support both RSA and ECC DKIM keys.

The path example uses the Docker config volume directly, but would probably be an internal location that the files are copied to. It's ideally unified with OpenDKIM config to share a common location for keys as these should technically be no different. It's a question raised by users several times about migrating to rspamd if they need to generate keys again or can use the same ones created for OpenDKIM without much friction.

The unified DKIM path and generation is related to #3630


UPDATE: Sep 2025 example reference (easy to adapt to using selector_map). I provide some useful insights there for reproduction/testing, along with noting that use_esld is specifically for domains in the public suffix list (PSL), which excludes .test.
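
As an added example (not part of the issue or docker-mailserver's own code), this shell function derives the selector_map lines from the key layout used in the path template above. The function name build_selector_map is hypothetical, and it assumes that domains absent from the map fall back to the default selector, as the issue describes.

```shell
#!/bin/sh
# Added example, not docker-mailserver code. Assumes keys are stored as
# KEYS_DIR/<domain>/<selector>.private, matching the path template above.

# build_selector_map KEYS_DIR [DEFAULT_SELECTOR]   (hypothetical helper)
# Prints "domain selector" lines on stdout, diagnostics on stderr.
build_selector_map() {
  keys_dir=$1
  default_selector=${2:-mail}

  for domain_dir in "$keys_dir"/*/; do
    [ -d "$domain_dir" ] || continue
    domain=$(basename "$domain_dir")

    # Count the private keys present for this domain.
    count=0
    selector=
    for key in "$domain_dir"*.private; do
      [ -f "$key" ] || continue
      selector=$(basename "$key" .private)
      count=$((count + 1))
    done

    # The map is whitespace-delimited, so only accept DNS-style names.
    case "$domain$selector" in
      *[!A-Za-z0-9._-]*)
        echo "skip $domain: unexpected character in domain or selector" >&2
        continue ;;
    esac

    if [ "$count" -eq 0 ]; then
      echo "skip $domain: no *.private key found" >&2
    elif [ "$count" -gt 1 ]; then
      # One map key per domain: do not guess which selector should win.
      echo "skip $domain: $count selectors, choose one manually" >&2
    elif [ "$selector" != "$default_selector" ]; then
      printf '%s %s\n' "$domain" "$selector"
    fi
    # A single key named after the default selector needs no map entry.
  done
}

# Usage:
#   build_selector_map /tmp/docker-mailserver/dkim/keys mail \
#     > /etc/rspamd/dkim_selectors.map
```

Domains holding more than one key (for example RSA and ECC side by side) are reported on stderr and left out of the map, so the choice of selector stays a deliberate one.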
