Emails not DKIM signed when email address domain differs from the mail server's domain

My setup:

Server 1 (CPanel):
Domain: domain.tld
MX: mail.domain.tld
Email: [email protected]

Server 2 (HestiaCP 1.7.2):
Domain: sub.domain.tld
MX: mail.sub.domain.tld

I have added server 2’s SPF and DKIM records to server 1’s DNS zone, however if I want to use Server 2’s mail server (mail.sub.domain.tld) to send emails using the [email protected] email address the header does not have a DKIM signature.

I’m not sure if this is configured intentionally on Hestia CP, but before, when Server 2 used CPanel, it worked and I could send DKIM-signed emails using the [email protected] email address from the mail.sub.domain.tld mail server.

Can I make any changes to exim to DKIM sign emails sent from [email protected] using the mail.sub.domain.tld mail server?

Use SMTP relay, otherwise it is not possible.

Thanks for the reply.

Yes, for a test I hardcoded the exim config file to use the mail.sub.domain.tld dkim.pem file to sign the [email protected] email and it failed the dkim test which is worse than not having a dkim signature.

I restored the exim config to the default one and added the Amazon SES SMTP credentials to the SMTP Relay field for the sub.domain.tld domain, but emails are still sent using the local mail server and not via Amazon SES. I tested the Amazon SES SMTP and it works, but am I doing something wrong with the SMTP Relay setup?

As I no longer visit this forum frequently, I am answering your post because there appears to be some confusion.

You can sign any domain and any subdomain and have any ip address between the two.

You simply need to have correct TXT entries in the DNS. That is one of the simplest things, and all DKIM tests will pass.

But this is difficult to understand, for less experienced admins, if doing this for the first time.

I have not used SMTP relay in years, and I have been using a subdomain setup for multiple email servers on subdomains for decades.

The only nonsense is the extraordinary hard-coding of “mail”, based on mail.domain.com for everything, which makes the rest complicated as it does not offer a choice like when you create a domain.

Was that your problem?

I never managed to get SMTP relay or signing of the emails to work.

Signing emails on an email subdomain server is one of the easiest things.

You simply add a TXT record in DNS (relating to an email subdomain server) with all entries, by adding the subdomain part at the end of every TXT key you may have added in the same manner for every main domain.

For example you have for main domain:

mail._domainkey

Then for a subdomain called “subdomain.domain.com” you have this:

mail._domainkey.subdomain

In the DNS, you simply copy the key (mail._domainkey) generated by Hestia into the DNS record of the mail domain at any external DNS provider, if you are using one. If you use Hestia DNS, you simply have to rename it as above. Only after renaming it, as suggested above for a subdomain, will the nameserver (local or remote) begin to answer DNS queries.

You need to do the same for DMARC and SPF. After adding these three TXT elements in DNS, you will not have any problems with signing.

It’s very simple.

By creating a hard-coded subdomain structure with “mail”, the youngsters in Hestia’s coding group have pumped multiple problems into many areas. This is one of them.
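As an added illustration (not code from this thread or from Hestia) of what a receiving verifier does with the setup discussed above: a message From: the main domain, signed by the subdomain server, makes the verifier look up `<selector>._domainkey.<d= domain>` (the naming rule the post describes) and then check DMARC alignment between d= and the From: domain. The zone dicts, the sample address `user@domain.tld` and the signature values are constructed stand-ins for DNS and for the thread’s address; the organizational-domain helper is simplified to the last two labels.

```python
import re
from email.utils import parseaddr

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")

def parse_tags(value):
    """Split a DKIM tag=value list (signature header or DNS TXT record) into a dict."""
    tags = {}
    for part in value.replace("\r\n", "").split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption; real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_dns_name(tags):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def aligned(from_addr, signing_domain, strict=False):
    """DMARC alignment between the From: domain and the DKIM d= domain (relaxed by default)."""
    from_domain = parseaddr(from_addr)[1].rsplit("@", 1)[-1].lower()
    d = signing_domain.lower()
    return d == from_domain if strict else org_domain(d) == org_domain(from_domain)

def diagnose(from_addr, sig_header, zone):
    """Explain why a signature would fail, given a dict {fqdn: txt} standing in for DNS."""
    tags = parse_tags(sig_header)
    findings = [f"missing required tag {t}=" for t in REQUIRED_TAGS if t not in tags]
    if "d" in tags and "s" in tags:
        name = dkim_dns_name(tags)
        txt = zone.get(name)
        if txt is None:
            findings.append(f"no TXT record at {name}; the key for d={tags['d']} must live there")
        else:
            rec = parse_tags(txt)
            if rec.get("v", "DKIM1") != "DKIM1" or not rec.get("p"):
                findings.append(f"{name} is not a usable DKIM record (v= or p= missing)")
        if not aligned(from_addr, tags["d"]):
            findings.append("d= is not aligned with the From: domain, so DMARC fails even if the signature verifies")
    return findings

# Constructed sample: a message From: the main domain, signed by the subdomain server with selector "mail"
SAMPLE_FROM = "user@domain.tld"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=sub.domain.tld; s=mail;\r\n"
              " h=from:to:subject:date; bh=ConstructedBodyHash=; b=ConstructedSignature=")
# Zone published as the post describes: the key lives under the subdomain's selector name
GOOD_ZONE = {"mail._domainkey.sub.domain.tld": "v=DKIM1; k=rsa; p=ConstructedPublicKeyBase64"}
# Zone where the key was only ever published under the main domain's name
BAD_ZONE = {"mail._domainkey.domain.tld": "v=DKIM1; k=rsa; p=ConstructedPublicKeyBase64"}
```

With `GOOD_ZONE` the diagnosis is empty and relaxed alignment passes; with `BAD_ZONE` it reports that no key is published at `mail._domainkey.sub.domain.tld`, which is the symptom of a signature that verifies nowhere.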

Thanks for emphasising three times how it’s the easiest thing in the world, I get it. BUT IT DOES NOT WORK IN HESTIA.

Ok, then I must add that I am using DNS from Cloudflare. Many years ago, in earlier days, I applied these changes based on an explanation on Stack Overflow.

And adding to this, I never dared or cared to test DNS based on hestia/named.

Named will simply pick up the config files locally, and if they contain a subdomain addition after the selector._domainkey in the TXT entry, it will process it accordingly. Hestia does not have much to do with it.

If you say you tried my solution and it did not work, then you may be right.