I'm trying to figure out how DKIM verification works.
My understanding so far has been that the domain inside the DKIM-Signature header must match the domain inside the From header for the DKIM check to pass.
- I configured the opendkim SigningTable to sign all e-mails from the lskdfjlsd.com domain with a domain key from a different domain:
*@lskdfjlsd.com default._domainkey.unrelateddomain.com
- My KeyTable looks like this:
default._domainkey.unrelateddomain.com unrelateddomain.com:default:/etc/opendkim/keys/unrelateddomain.com/default
- I send out e-mails with this:
echo "Hello world" | mail -s "Hello" -r [email protected] [email protected]
- When I check the e-mail inside [email protected] I can see the DKIM check passed for the domain unrelateddomain.com
- The content of the DKIM header and From field is:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unrelateddomain.com; s=default
From: [email protected]
And this is where my confusion stems from. The DKIM check says PASS for domain unrelateddomain.com, but the From header clearly says it originated from a different domain. Based on https://mxtoolbox.com/dmarc/dkim/dkim-alignment I'd expect the DKIM check to fail.
I've tried playing with domains and the DKIM check always says PASS no matter if the domains match or not.
The domain mentioned in the d= tag of the signature header tells the receiving server where to look for the public key to use, in the selector record. The s= tag tells it the name of the selector. The DKIM RFC does not require the FROM domain to be the same domain as the DKIM signature domain. In fact, a message can be signed by multiple signatures from multiple domains, and often is. For example, a service like MailGun might add a DKIM signature for their domain, while enabling you to set up an additional DKIM signature for the domain you're sending From.
This is exactly why DMARC has been introduced: to require alignment between the domains used in authentication technologies (SPF and DKIM) and the domain used in the FROM header, because that is the main address shown to the user in the email client.
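To make the distinction concrete, here is an added example (not from the question or answer above) that pulls the d= and s= tags out of the DKIM-Signature value from the question, derives the DNS name a verifier would query for the public key, and then applies the DMARC DKIM alignment test against the From domain. The From address and the header values are constructed samples, and the organizational-domain helper is a simplification (real DMARC checkers use the Public Suffix List).

```python
import re
from email.utils import parseaddr

# Constructed sample header values, mirroring the question's setup (not real mail).
DKIM_SIGNATURE = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=unrelateddomain.com; s=default"
FROM_HEADER = "Sender <sender@lskdfjlsd.com>"

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, val = item.split("=", 1)
        # Folded headers can carry whitespace/newlines inside values; drop them.
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def selector_record_name(tags: dict) -> str:
    """DNS TXT name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def from_domain(header: str) -> str:
    """Domain part of the RFC5322.From address, which DMARC aligns against."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower()

def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Production code must use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def dkim_aligned(signing_domain: str, header_from: str, mode: str = "relaxed") -> bool:
    """DMARC DKIM identifier alignment (RFC 7489): strict = exact, relaxed = same org domain."""
    if mode == "strict":
        return signing_domain.lower() == header_from.lower()
    return organizational_domain(signing_domain) == organizational_domain(header_from)

def check_message(dkim_value: str, from_value: str, mode: str = "relaxed") -> dict:
    """What a verifier sees: where the key lives, and whether DMARC alignment holds."""
    tags = parse_dkim_tags(dkim_value)
    d, f = tags["d"], from_domain(from_value)
    return {"key_record": selector_record_name(tags), "d": d, "from": f,
            "dkim_aligned": dkim_aligned(d, f, mode)}

if __name__ == "__main__":
    # The signature verifies against unrelateddomain.com's key, yet alignment fails.
    print(check_message(DKIM_SIGNATURE, FROM_HEADER))
```

The DKIM signature itself is valid (the key is fetched from default._domainkey.unrelateddomain.com), which is why opendkim reports PASS; only the separate DMARC alignment step notices that d= and the From domain differ.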