I'll try and keep this short and simple :)
/etc/opendkim.conf (as installed by Virtualmin) includes these lines :
Virtualmin adds 'Additional domains to sign for' to /etc/dkim-domains.txt. However, the 'Domain' parameter is ignored if a KeyTable is defined (source: http://www.opendkim.org/opendkim.conf.5.html).
Outbound emails are being incorrectly signed as follows :
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=*; s=myselector;
This causes DKIM to be invalid. The correct format should be like this :
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=myselector;
This appears to be caused by the following line in /etc/dkim-keytable :
Which should be like this :
Remove these two lines from /etc/opendkim.conf
This allows the 'Domain' parameter to work, so you can manually add your domains as 'Additional domains to sign for' and they will be DKIM-signed correctly.
The problem is that Virtualmin will overwrite opendkim.conf and add the two lines back in, which disables the 'Domain' parameter.
Another workaround is to use a custom key by copying the key from /etc/dkim.key into Virtualmin > mydomain.com > Server Configuration > Domain Key Options, and do this for every domain on the system. This correctly adds a line to /etc/dkim-keytable as follows :
This is the best workaround because it doesn't get overwritten, but it does mean that you must manually add the custom key for every domain on the system.
This appears to be a bug in the current Virtualmin implementation of OpenDKIM, so can you maybe take a look? Thanks.
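An added example, not part of the original post or of Virtualmin/OpenDKIM: a small Python check that can be run over a captured outbound message to catch the `d=*` signature described above before receivers reject it. The function names, the sample From address and the simplified "d= covers the From domain" comparison are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# d= must be a real domain name: dot-separated letter/digit/hyphen labels, no wildcard.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside a value is not significant for d=, s=, b=.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_message(raw):
    """Return a list of problems found in the d= tag of each DKIM-Signature."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sigs = msg.get_all("DKIM-Signature", [])
    problems = [] if sigs else ["no DKIM-Signature header"]
    for sig in sigs:
        d = parse_tags(sig).get("d", "").lower()
        if not DOMAIN_RE.match(d):
            problems.append(f"d={d!r} is not a valid domain name")
        # Simplified comparison (assumption): d= equals the From domain or a parent of it.
        elif from_domain != d and not from_domain.endswith("." + d):
            problems.append(f"d={d} does not cover From domain {from_domain}")
    return problems

# Constructed sample messages; the signature lines are the two quoted in the post.
BAD = ("From: user@mydomain.com\n"
       "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=*; s=myselector;\n"
       "\nbody\n")
GOOD = ("From: user@mydomain.com\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com;"
        " s=myselector;\n"
        "\nbody\n")

if __name__ == "__main__":
    for label, raw in (("bad", BAD), ("good", GOOD)):
        print(label, check_message(raw) or "ok")
```
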