DKIM copy from other server


I would like to copy the dkim private key from our webserver to Nethserver.

Currently only inbound mails are hosted locally on Nethserver, we use our shared hosting server for outgoing e-mail, but having issues with the IP going to spam lists. Therefore I would move the mailing completely to Nethserver, but keeping eShop mails (sent by the website) on the shared hosting (later it will be moved to a VPS, but now I do not time to set it up).

If I simply overwrite /etc/opendikm/keys/default.private with the one that I can donwload from cpanel on the shared hosting, that could work after a simple restart?

the reason I am afraid is that the length looks half of what is Nethserver’s default (2048 vs 1024?), so possibly some configs needs to be changed too for correct operation?

Thank you for your feedback in advance!

What I understood, you could move the existing key to the new server, but you will have to edit the dkim keysize so Nethserver accepts 1024-bit DKIM keys. Be aware that 1024-bit keys are not considered safe by many providers. I don’t know what will happen if the NethServer mail module gets an update, will the DKIM key revert to 2048-bit?
I would recommend to recreate a DKIM key and make it a 2048-bit one, as used by NethServer.

Dont’ forget SPF!

Thanks for the feedback both of you!

I will consult with the hosting provider about they key size, only they can generate it.

SPF is alreay set, that is the smallest problem… (also PTR is being set right now)

Also thinking about to make a domain for transactional e-mail address, with a redirect to the main e-mail address in case anyone replies. So two DKIM records could be used for the different domain. But overall it would be great if we could switch between the two SMTP server if anything happens for any of the two (unavailable or spammed).

The minimum size of keys is 1024 bits, but keys generated by NethServer default to 2048 bits. From a security point of view, Rob’s advice stands.

Hi Károly,

In the DNS mail record, adjut the priority of the main one to 10 and the second one to 20.

The MX record preference is used when more than one MX record is entered for any single domain name that is using more than one mail server. In this case the preference number indicates the order in which the mail servers should be used. This enables the use of primary and backup mail servers.

The lower preference number is the higher priority. Two MX records with the same priority will share the workload (typically used in large ISP mail server installations). The server with the higher preference number will be contacted only if the servers with lower preference number are unavailable (this is typically used for backup mail servers).


Alright, we got a new 2048 key from the hosting provider.

Copied the private key to /etc/opendikm/keys/default.private and it validates (after turning off the relay/smart host), so it looks good.

Waiting for the PTR record to move completely.

ps: MX record was set for 10-90 previously, and it works fine as a backup (well, actually as a spam destination as NS rSpamd works like magic, except some soft-rejects for unknown reason)… The problem is that, while we can get those messages by the connector, all users needs to be added manually due to no LDAP on the webserver host. Mayve I will make an LDAP connection for the new VPS, or just forget the backup incoming server thing altogether, important messages will be delivered anyway, possibly with some delay.