From a8938e107e2381c721e6880c70a0acf575404da0 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 10 May 2014 11:42:27 +0000
Subject: [PATCH] DKIM: For the benefit of ADSP and DMARC (not yet impl), each sending domain should be its signing domain

---
 scripts/dns_update.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/dns_update.sh b/scripts/dns_update.sh
index 79c94c6b..8aa5de54 100755
--- a/scripts/dns_update.sh
+++ b/scripts/dns_update.sh
@@ -108,13 +108,13 @@ EOF
  # email addresses to signing information. The KeyTable maps specify the hostname,
  # the selector, and the path to the private key.
  #
- # Just in case we don't actually host the DNS for all domains of our mail users,
- # we assume that DKIM is at least configured in the DNS of $PUBLIC_HOSTNAME and
- # we use that host for all DKIM signatures.
+ # DKIM ADSP and DMARC both only support policies where the signing domain matches
+ # the From address, so the KeyTable must specify that the signing domain for a
+ # sender matches the sender's domain.
  #
  # In SigningTable, we map every email address to a key record called $zone.
  # Then we specify for the key record named $zone its domain, selector, and key.
- echo "$zone $PUBLIC_HOSTNAME:mail:$STORAGE_ROOT/mail/dkim/mail.private" >> /etc/opendkim/KeyTable
+ echo "$zone $zone:mail:$STORAGE_ROOT/mail/dkim/mail.private" >> /etc/opendkim/KeyTable
  echo "*@$zone $zone" >> /etc/opendkim/SigningTable
 done
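Review bot: The new KeyTable line makes `$zone` the signing domain, so every signature now verifies against `mail._domainkey.<zone>` in that sender domain's DNS instead of only the record under $PUBLIC_HOSTNAME, and the removed comment named exactly that dependency while the replacement drops it. If this host does not serve DNS for one of the zones, mail from it will carry a signature that fails verification, which is worse for deliverability than the previous valid-but-unaligned signature. Unless the loop already emits the DKIM TXT record for each zone (its start is outside the hunk, so I cannot confirm), keep a one-line caveat next to the new comment, e.g. `# NOTE: requires the mail._domainkey TXT record to be published in each zone's DNS, not only $PUBLIC_HOSTNAME's.` The enclosing for loop begins before this hunk.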