DKIM with Postfix and OpenDKIM

Recently I had the requirement to supply a mailserver with DKIM (DomainKeys Identified Mail) based on Postfix in a Debian style Linux. I did this as described in the following documentation.

1. Installing OpenDKIM

OpenDKIM is usually available as package and can be installed with apt:

apt-get install opendkim opendkim-tool

2. Configuration

The following configuration is suitable for using multiple domains. I generally recommend this way even if you just have one domain on the server so you can easily add more domains later if required.

2.1 General settings of OpenDKIM

The configuration of OpenDKIM is don in the file /etc/opendkim.conf. This should contain the following entries:

Syslog			yes
UMask			002
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              yes
OversignHeaders		From
KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts

The folder /etc/opendkim has to be created if it does not exist yet.

2.2 Connection between OpenDKIM and Postfix

In the file /etc/default/opendkim add the following entry:

SOCKET="inet:8891@localhost"

This tells the OpenDKIM daemon to accept local connections on port 8891. Accordingly you add the following section in /etc/postfix/main.cf to use OpenDKIM als Mailfilter:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Note: if port 8891 is already in use by other applications you can of course use another port as well. Just remember to change the port number in OpenDKIM and Postfix.

2.3 OpenDKIM domain configuration

Now create a file /etc/opendkim/TrustedHosts with the following entries:

127.0.0.1
localhost
192.168.1.1
example.com

Instead of 192.168.1.1 and example.com use the public IP address and the name of your own domain for which you want to set up DKIM. If there are multiple IP addresses and domains add them all here accordingly.

2.4 Key for one domain

First create a folder for the public and private key and generate the keys using the following commands:

mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com
opendkim-genkey -r -d example.com

Instead of example.com use the real name of the domain.

Then you have to change the owner of the file with the private key to OpenDKIM:

chown opendkim.opendkim /etc/opendkim/keys/example.com/default.private

The key can then be added in the file /etc/opendkim/KeyTable as following:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

Finally you also add it in the file /etc/opendkim/SigningTable as following:

example.com default._domainkey.example.com

2.5 Add a DNS entry for one domain

To make it possible for recipients to check the DKIM signatures the public key has to be added as an additionel TXT entry for the domain in the nameserver. This entry can be found in the file /etc/opendkim/keys/example.com/default.txt and should look like this (shortened here):

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA...DAQAB"

Depending on how you edit the DNS entires you can either use this entry as it is as additional entry in the DNS configuration for the respective domain or you have to add a TXT record with the name default._domainkey and as content everything inside the quotes – which means beginning with v=DKIM; k=rsa; p=.

You can check the successful change with “MxToolbox” at https://mxtoolbox.com/dkim.aspx. As “Selector” enter default. Keep in mind that changes in DNS records may need some time to be visible world wide.

3. Restart the server and test it

After completing the configuration restart the services opendkim and postfix.

On the web site http://dkimvalidator.com you get a temporary e-mail address to which you can send a test message and then view the headers and the test result there as soon as the message arrived.

Leave a Comment

Your email address will not be published. Required fields are marked *