way to be complex about it opendkim

roles/opendkim/files/KeyTable

@@ -0,0 +1,6 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+bastion._domainkey.fedoraproject.org fedoraproject.org:bastion:/etc/opendkim/keys/bastion.key

roles/opendkim/files/SigningTable

@@ -0,0 +1,28 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+*@fedoraproject.org bastion._domainkey.fedoraproject.org
+*@lists.fedoraproject.org bastion._domainkey.fedoraproject.org
+*@stg.fedoraproject.org bastion._domainkey.fedoraproject.org
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
+

roles/opendkim/files/opendkim.conf

@@ -85,8 +85,7 @@ Canonicalization	relaxed/relaxed
 ##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
 ##  be verified rather than being signed. Uncomment and use your domain name.
 ##  This parameter is not required if a SigningTable is in use.
-Domain	fedoraproject.org
+# Domain	fedoraproject.org
-SubDomains yes
 
 ##  Defines the name of the selector to be used when signing messages.
 Selector	bastion
@@ -101,16 +100,16 @@ KeyFile	/etc/opendkim/keys/bastion.key
 ##  Gives the location of a file mapping key names to signing keys. In simple terms,
 ##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
 ##  directive in the configuration file. Requires SigningTable be enabled.
-# KeyTable	/etc/opendkim/KeyTable
+KeyTable	/etc/opendkim/KeyTable
 
 ##  Defines a table used to select one or more signatures to apply to a message based
 ##  on the address found in the From: header field. In simple terms, this tells
 ##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
-# SigningTable	refile:/etc/opendkim/SigningTable
+SigningTable	refile:/etc/opendkim/SigningTable
 
 ##  Identifies a set of "external" hosts that may send mail through the server as one
 ##  of the signing domains without credentials as such.
-# ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
+ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
 
 ##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
 InternalHosts	refile:/etc/opendkim/TrustedHosts

roles/opendkim/tasks/main.yml

@@ -11,6 +11,20 @@
   - config
   - base
 
+- name: install opendkim KeyTable file
+  copy: src=KeyTable dest=/etc/opendkim/KeyTable mode=644 owner=opendkim group=opendkim
+  tags:
+  - opendkim
+  - config
+  - base
+
+- name: install opendkim SigningTable file
+  copy: src=SigningTable dest=/etc/opendkim/SigningTabl mode=644 owner=opendkim group=opendkim
+  tags:
+  - opendkim
+  - config
+  - base
+
 - name: install opendkim trusted hosts file
   copy: src=TrustedHosts dest=/etc/opendkim/TrustedHosts
   tags: