Spamfilter and DKIM with rspamd

Recently the server environment on which I also run a mail server needed a major update. I took this as an opportunity to try rspamd as an alternative to the combination of SpamAssassin and amavisd-new, and I can fully recommend it.

Main features of rspamd:

  • Web UI with status information and for easy configuration changes.
  • Up to 10× faster than SpamAssassin (also see the explanation at rspamd).
  • Direct integration as a milter in Postfix, which allows e-mails to be scanned during delivery so they can be actively rejected or delayed using greylisting if needed.
  • Optional DKIM signatures for outgoing e-mail.

Integration in ISPConfig

Since the users of the server should be able to manage their e-mail accounts on their own in an easy way, I use ISPConfig. ISPConfig also supports rspamd instead of SpamAssassin. The change is not very hard to do and you can find a tutorial for this at HowtoForge.

Update Sieve rules for the junk folders

Depending on how long you’ve been using ISPConfig already, it may be necessary to disable and enable the option to move spam e-mails to the junk folder once (save the setting after each change) to update the Sieve rules for Dovecot. This will make sure that spam will be moved to the junk folder. Current versions of ISPConfig will create rules which work with SpamAssassin as well as with rspamd.

It is also possible to configure rspamd to add the same header for spam as SpamAssassin – however I prefer to change as little as possible compared to the defaults.

DKIM

ISPConfig also supports using DKIM for outgoing e-mails in the settings of the respective mail domain. In my case this needed a number of additional customizations to make this work properly.

The path for the DKIM keys has to be entered in the server configuration (System → Server Config → Mail) and should be /var/lib/rspamd/dkim. You should also increase the key strength from 1024 to 2048 bits.

In addition you have to create the file /etc/rspamd/local.d/dkim_signing.conf with the following content:

try_fallback = false;
path_map = "/etc/rspamd/local.d/dkim_domains.map";
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";

After this you have to restart rspamd:

systemctl restart rspamd

This makes sure that rspamd can load the DKIM keys, uses the correct selectors and only signs e-mails whose sender domain has DKIM activated in ISPConfig.

After this you can create a key pair for every mail domain where you want to use DKIM – at first without checking “enable DKIM”!

The TXT record shown with the public key has to be added to the respective nameserver. Before you activate DKIM you should first make sure that the public DKIM key is available, for example with https://mxtoolbox.com/dkim.aspx. Depending on the configured TTL this may take from a couple of hours up to a day. Until this works you should not enable DKIM for outgoing e-mails!
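The same check can be done locally by comparing the published record with the one ISPConfig displayed. The following is an added example, not part of the original post: the function names are hypothetical, the input is the output of `dig +short TXT <selector>._domainkey.<domain>`, and the sample records are constructed placeholders rather than real keys.

```python
import re

def parse_dkim_txt(rdata):
    """Parse TXT rdata as printed by `dig +short TXT <selector>._domainkey.<domain>`."""
    # A 2048-bit key does not fit into one 255-byte TXT string, so the record
    # arrives as several quoted chunks that are joined without a separator.
    chunks = re.findall(r'"([^"]*)"', rdata)
    text = "".join(chunks) if chunks else rdata.strip()
    tags = {}
    for part in text.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_published_key(rdata, expected_p):
    """Return a list of problems; an empty list means the record matches."""
    if not rdata.strip():
        return ["no TXT record found"]
    tags = parse_dkim_txt(rdata)
    expected = re.sub(r"\s+", "", expected_p)
    published = tags.get("p")
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if published is None:
        problems.append("record has no p= tag")
    elif published == "":
        problems.append("p= is empty, which marks the key as revoked")
    elif published != expected:
        if expected.startswith(published):
            problems.append("p= is truncated (%d of %d characters)"
                            % (len(published), len(expected)))
        else:
            problems.append("p= differs from the expected key")
    return problems

# Constructed sample data: placeholder base64 text, not a real key. 392
# characters is the length of a base64-encoded 2048-bit RSA public key.
EXPECTED_P = "QUJD" * 98
GOOD = '"v=DKIM1; k=rsa; p=%s" "%s"' % (EXPECTED_P[:200], EXPECTED_P[200:])
TRUNCATED = '"v=DKIM1; k=rsa; p=%s"' % EXPECTED_P[:200]

if __name__ == "__main__":
    for label, rdata in (("good", GOOD), ("truncated", TRUNCATED), ("missing", "")):
        print(label, check_published_key(rdata, EXPECTED_P) or "OK")
```

A truncated `p=` value typically means that only the first TXT string of a split 2048-bit record was entered at the DNS provider.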

When the DKIM public key works you can finally enable DKIM in ISPConfig by checking “enable DKIM” in the mail domain and saving the settings. ISPConfig will then write the key of the domain to /var/lib/rspamd/dkim and will update the domain and selector map in /etc/rspamd/local.d/dkim_domains.map and /etc/rspamd/local.d/dkim_selectors.map.

To test the correct function you can use one of the following web sites:

https://dkimvalidator.com

https://www.appmaildev.com/de/dkim

https://www.mail-tester.com

For Thunderbird there is an add-on called “DKIM Verifier” which you can use if you send yourself an e-mail for testing.

Add additional mail headers with test results

It is helpful to see why an email was classified as spam (X-Spam: Yes in the header) or not. To activate the additional headers with detailed test results you have to create the file /etc/rspamd/local.d/milter_headers.conf with the following content:

extended_spam_headers = true
skip_local = false
skip_authenticated = true

rspamd adds the automatically detected host name of the server in the mail header X-Rspamd-Server. If needed you can override this name manually by adding the following section to the configuration file:

routines {
  x-rspamd-server {
    hostname = my.host.example
  }
}

Instead of my.host.example you have to use the name of your server of course.

After that you need to restart rspamd as described above.

You will find more information about the configuration in the documentation of rspamd.

Practical experience after 6 months

rspamd turned out to be a very reliable solution. The fact that spam can already be rejected during a delivery attempt is especially convenient, as it saves checking the spam folder on a regular basis.

If legitimate senders get rejected by accident, you can add them to the whitelist of ISPConfig. Changes to the settings or the filter rules of rspamd can be made in the web UI while the service is running, which is also an advantage compared to SpamAssassin.

2 thoughts on “Spamfilter and DKIM with rspamd”

  1. Hello .. first of all, thank you for sharing your experience with rspamd. I have a query .. the report in the GUI shows me that it is not adding headers to the mails, and I am looking if it is necessary to add any in particular for the BIMI standard. Have you been working with this standard?
    Thanks in advance for the time, the site is very good.
    Greetings, Andres.

    1. Arno Welzel

      No, I have not been working with BIMI yet.

      According to https://rodneylab.com/improve-email-server-security/ BIMI seems to be a combination of implementing DMARC and adding a TXT record for the sender domain to serve the brand logo for clients which support this.
