If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

DKIM Key Issue

Started by albert_Cage, Dec 03, 2024, 12:44 AM


albert_Cage (Topic starter)

Can you assist me in cracking the nut on this issue?

We've got a corporate email setup @xхx.com, hosted on Google's PDD, where employees send emails via mail clients or the web interface.

There's also a third-level domain yyy.xхx.com, which auto-sends order updates and other notifications from a PO box tied to the main domain (xхx.com).

The challenge is to get emails signed with a DKIM signature when sent via the web interface/mail clients and the site. Signing emails sent via mail clients/web interface is a breeze, as Google provides a public DKIM key that needs to be added to the domain's DNS record.

The real question is: how do we get emails sent from the yyy.xхx.com site, using Postfix and openDKIM, to bear a DKIM signature? Do we need to generate a public/private key pair using Postfix and add a second public key to the domain's DNS record, or is there a more streamlined approach?


inhupc

To get your emails from yyy.xхx.com signed with DKIM using Postfix and OpenDKIM, you will indeed need to generate a separate public/private key pair specifically for the subdomain. This means setting up OpenDKIM to handle the signing process for your outgoing emails from yyy.xхx.com. After generating the key pair, you'll need to publish the public key in the DNS records for yyy.xхx.com.

This approach is necessary because Google's DKIM settings will not cover emails sent from your own Postfix server. It's crucial to ensure that your mail server is properly configured to use OpenDKIM, including the necessary alignment of SPF and DMARC records to avoid deliverability issues.

anjamt

Here's the lowdown: when it comes to automated email sends from a domain, there's a disconnect - specifically, which exact address is the mail being sent from, @yyy.xхx.com or @xхx.com?

In the grand scheme of things, email systems suggest setting up a dedicated subdomain for auto-mailed messages, like @robot.xхx.com. This way, there's no signature conundrum, as we generate keys on the server and set up the signature on Postfix.

However, if you're looking to send signed emails from @xхx.com, which is linked to PDD, you'll need to route it through Google's servers.
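The question raised in the replies above (which From address the site uses, and where the second public key has to be published) can be checked mechanically. The following is an added example, not part of any post in this thread: `example.com` and `notify.example.com` stand in for the thread's domains, the selector `site` and the signature header are constructed, and the `org_domain` parameter is an assumption that replaces a Public Suffix List lookup.

```python
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def from_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError("no address in From header")
    return match.group(1).lower().rstrip(".")

def dkim_report(from_header, dkim_header, org_domain, strict=False):
    """Say where a verifier looks up the key and whether d= aligns with From."""
    tags = parse_dkim_tags(dkim_header)
    signer, selector = tags["d"].lower(), tags["s"]
    author = from_domain(from_header)

    def under_org(name):
        return name == org_domain or name.endswith("." + org_domain)

    # Strict alignment: d= must equal the From domain.
    # Relaxed alignment: both must share the organizational domain
    # (passed in by the caller here; an assumption replacing a PSL lookup).
    if strict:
        aligned = signer == author
    else:
        aligned = under_org(signer) and under_org(author)
    return {"key_record": f"{selector}._domainkey.{signer}",
            "from_domain": author, "signing_domain": signer, "aligned": aligned}

# Constructed sample: a signature as the site's own Postfix/OpenDKIM might add it.
SITE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=notify.example.com;\r\n"
            "\ts=site; h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=")

if __name__ == "__main__":
    for sender in ("Orders <orders@notify.example.com>", "Orders <orders@example.com>"):
        for strict in (False, True):
            print(sender, "strict" if strict else "relaxed",
                  dkim_report(sender, SITE_SIG, "example.com", strict))
```

The `key_record` value is the DNS name where the TXT record with the public key must exist for that signature to verify; it depends only on the `s=` and `d=` tags, not on the From address.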

BrainSmaules

Hey, don't forget to secure your email setup with SPF, or you might end up with a bunch of spammy emails in your inbox. I've got a sweet setup going on, using Google Apps for my mailboxes and Mandrill for my mailing needs. I've got DKIM set up on both, and it's a real game-changer. My emails are now fully authenticated and deliverable, no more pesky spam filters getting in the way. It's all about maintaining a solid DMARC posture.

