Default variable details

some of debops.opendkim default variables have more extensive configuration than simple strings or lists, here you can find documentation and examples for them.


Configuration of the opendkim__*_config variables is described in a separate document, Default variable details: opendkim__config.


The opendkim__*_keys variables define what DomainKeys are created and used by OpenDKIM. The private keys are generated on the Ansible Controller (the python-openssl package is required), stored in the secret/opendkim/domainkeys/ directory (see debops.secret role for details) and copied to the remote hosts. The role can install the same private key on multiple hosts, which can be useful in environments with multiple SMTP servers handling the same domains.

You can use the secret/opendkim/lib/extract-domainkey-zone Bash script to get the DomainKey public keys which then need to be configured in your DNS zone.

Each list element is either a string that represents the DomainKey selector for the current host domain, or a YAML dictionary with specific parameters:

name or selector
Required. The DomainKey selector used for this DomainKey.
Optional. The DNS domain which will use this DomainKey. If not specified, opendkim__domain will be used by default.
Optional. The size of the autogenerated RSA private key. If not specified, opendkim__default_key_size will be used.
Optional. The private key style (rsa or dsa) which should be generated by the openssl command. Currently only rsa makes sense.
Optional. If not defined or present, the key will be generated on the Ansible Controller and copied to the remote hosts. If absent, key still will be generated, but it will be not copied, and existing private key will be removed from the remote hosts.


Create two DomainKeys for the current domain:


  - 'selector1'
  - 'selector2'

They will be placed in the DNS database as:

Create a DomainKey for a different domain:


  - name: 'mail'
    domain: ''


The opendkim__*_signing_table variables define a mapping between the contents of the From: header field in a mail message and the DomainKey used to sign the message. The format of the From: header interpreted by OpenDKIM depends on the type of the table used (see opendkim.conf(5)). The role by default maps the entire domain, without specifying any users.

Each list entry is a YAML dictionary with specific parameters:

name or selector
Required. Specify the DomainKey selector to use for a given signing table entry.
Required. Specify the contents of the From: header used to lookup the DomainKey. By default you should use only domain names here, otherwise you need to reconfigure the SigningTable configuration option. See opendkim.conf(5) for details.
Optional. The DNS domain used to lookup the DomainKey for a given signing table entry. If not specified, the opendkim__domain value is used by default.
Optional, boolean. If True, the from value will be added again with a leading dot (.), which signifies that subdomains of a given domain should also be signed. By default subdomains are not signed.
Optional. if not specified or present, a given entry will be included in the signing table. If absent, a given entry will not be included in the configuration.


Sign mails from a given domain and its subdomains with the default DomainKey:


  - name: 'mail'
    from: ''
    domain: '{{ ansible_domain }}'
    subdomains: True


The opendkim__*_trusted_hosts variables are YAML lists which contain IP addresses, CIDR subnets and hostnames of "trusted hosts". These hosts will be stored in the /etc/opendkim/dkimkeys/TrustedHosts file which is by default used in the OpenDKIM configuration by the InternalHosts and ExternalIgnoreList options. Mail messages from these hosts will be automatically signed rather than verified by OpenDKIM.


Trust localhost and a given subnet:


  - 'localhost'
  - ''
  - '::1'
  - ''
  - '2001:db8::/32'