Recently I had the requirement to supply a mailserver with DKIM (DomainKeys Identified Mail) based on Postfix in a Debian style Linux. I did this as described in the following documentation.
1. Installing OpenDKIM
OpenDKIM is usually available as package and can be installed with apt:
apt-get install opendkim opendkim-tool
The following configuration is suitable for using multiple domains. I generally recommend this way even if you just have one domain on the server so you can easily add more domains later if required.
2.1 General settings of OpenDKIM
The configuration of OpenDKIM is don in the file
/etc/opendkim.conf. This should contain the following entries:
Syslog yes UMask 002 Canonicalization relaxed/simple Mode sv SubDomains yes OversignHeaders From KeyTable /etc/opendkim/KeyTable SigningTable /etc/opendkim/SigningTable ExternalIgnoreList /etc/opendkim/TrustedHosts InternalHosts /etc/opendkim/TrustedHosts
/etc/opendkim has to be created if it does not exist yet.
2.2 Connection between OpenDKIM and Postfix
In the file
/etc/default/opendkim add the following entry:
This tells the OpenDKIM daemon to accept local connections on port 8891. Accordingly you add the following section in
/etc/postfix/main.cf to use OpenDKIM als Mailfilter:
milter_default_action = accept milter_protocol = 6 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
Note: if port 8891 is already in use by other applications you can of course use another port as well. Just remember to change the port number in OpenDKIM and Postfix.
2.3 OpenDKIM domain configuration
Now create a file
/etc/opendkim/TrustedHosts with the following entries:
127.0.0.1 localhost 192.168.1.1 example.com
example.com use the public IP address and the name of your own domain for which you want to set up DKIM. If there are multiple IP addresses and domains add them all here accordingly.
2.4 Key for one domain
First create a folder for the public and private key and generate the keys using the following commands:
mkdir -p /etc/opendkim/keys/example.com cd /etc/opendkim/keys/example.com opendkim-genkey -r -d example.com
example.com use the real name of the domain.
Then you have to change the owner of the file with the private key to OpenDKIM:
chown opendkim.opendkim /etc/opendkim/keys/example.com/default.private
The key can then be added in the file
/etc/opendkim/KeyTable as following:
Finally you also add it in the file
/etc/opendkim/SigningTable as following:
2.5 Add a DNS entry for one domain
To make it possible for recipients to check the DKIM signatures the public key has to be added as an additionel TXT entry for the domain in the nameserver. This entry can be found in the file
/etc/opendkim/keys/example.com/default.txt and should look like this (shortened here):
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA...DAQAB"
Depending on how you edit the DNS entires you can either use this entry as it is as additional entry in the DNS configuration for the respective domain or you have to add a TXT record with the name
default._domainkey and as content everything inside the quotes – which means beginning with
v=DKIM; k=rsa; p=.
You can check the successful change with “MxToolbox” at https://mxtoolbox.com/dkim.aspx. As “Selector” enter
default. Keep in mind that changes in DNS records may need some time to be visible world wide.
3. Restart the server and test it
After completing the configuration restart the services opendkim and postfix.
On the web site http://dkimvalidator.com you get a temporary e-mail address to which you can send a test message and then view the headers and the test result there as soon as the message arrived.