Bootstrap FreeKB - Postfix (Email) - Enable DKIM (Domain Keys Identified Mail)
Postfix (Email) - Enable DKIM (Domain Keys Identified Mail)


DKIM is the abbreviation for DomainKeys Identified Mail. It lets a sending domain authenticate its mail: the sending mail server adds a DKIM-Signature header, a digital signature computed with a private key over selected headers and the message body. The matching public key is published as a TXT record in the domain's DNS, so a receiving server can check that the signature was produced by a key the domain published (that is, by a mail server the domain authorized) and that the signed headers and body were not altered in transit.

If you are on a Debian distribution (Mint, Ubuntu), apt-get install can be used to install OpenDKIM. If you are on a Red Hat distribution (CentOS, Fedora, Red Hat), dnf install or yum install can be used; on CentOS and Red Hat the package comes from the EPEL repository.

dnf install opendkim

 

Use the opendkim-genkey command to create the key pair. It writes two files into the --directory, named after the selector: default.private (the private key, which never leaves the mail server) and default.txt (the public key as a DNS TXT record). The selector is a label you choose; it becomes part of the DNS name the public key is published under (selector._domainkey.example.com), so use something unique to this key (a date works well) so that a rotated key can be published under a new selector while the old one stays resolvable for mail still in transit. 2048 bits is the size RFC 8301 recommends; use 2048 or larger.

opendkim-genkey --bits 2048 --domain example.com --directory /etc/opendkim/keys/ --selector default

 

Update the .private and .txt files to be owned by the opendkim user and group.

  • In this example, the files are default.private and default.txt since the "selector" in the prior command was "default"
chown opendkim:opendkim /etc/opendkim/keys/default.private /etc/opendkim/keys/default.txt

 

/etc/opendkim/keys should now have the following.

~]$ ls -l /etc/opendkim/keys/
-rw------- 1 opendkim opendkim 1675 Dec 29 11:34 default.private
-rw------- 1 opendkim opendkim  496 Dec 29 11:34 default.txt

 

Update the /etc/opendkim.conf file to have the following directives.

  • replace "example.com" with your domain name
  • Mode sv means sign outbound mail and verify signatures on inbound mail
  • KeyTable and SigningTable decide which key signs which sender; the Domain and KeyFile lines only matter when those tables are not used. In this example, /etc/opendkim/keys/default.private is the private key
  • Socket must match the smtpd_milters setting in Postfix main.cf (inet:127.0.0.1:8891 on this page); the Debian package defaults to a local UNIX socket instead
  • RequireSafeKeys is left at its default (true), so OpenDKIM refuses a private key that other users can read. The key is mode 0600 and owned by opendkim, so the check passes; do not set it to False to paper over loose permissions
Mode                  sv
Domain                example.com
KeyFile               /etc/opendkim/keys/default.private
KeyTable              /etc/opendkim/KeyTable
SigningTable          refile:/etc/opendkim/SigningTable
ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts
InternalHosts         refile:/etc/opendkim/TrustedHosts
Socket                inet:8891@localhost

 

Update /etc/opendkim/TrustedHosts to list the hosts whose mail OpenDKIM should sign rather than verify. The same file serves InternalHosts (mail from these hosts is signed) and ExternalIgnoreList (their verification results are not enforced), so keep it to localhost and the hosts that really submit outbound mail through this Postfix instance: anything listed here gets its mail signed with your domain's key.

  • replace "example.com" with your domain name
127.0.0.1
::1
example.com

 

Update /etc/opendkim/SigningTable to map your senders to a key. With the refile: prefix the left column is a glob matched against the sender address, and the right column names a KeyTable entry.

  • replace "example.com" with your domain name
  • In this example, "default" is used since /etc/opendkim/keys has default.private and default.txt; *@example.com matches every sender in the domain
*@example.com default._domainkey.example.com

 

Update /etc/opendkim/KeyTable with your domain. Each entry has the form name domain:selector:path-to-private-key, and the name must match what SigningTable refers to.

  • replace "example.com" with your domain name
  • In this example, "default" is used since /etc/opendkim/keys has default.private and default.txt.
default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private

 

The /etc/opendkim/keys/default.txt file holds the public key as a BIND-style TXT resource record and should contain something like this. The value is split into several quoted strings because one TXT string may hold at most 255 characters and a 2048-bit key is longer than that; DNS servers and DKIM verifiers concatenate the strings. The comment after the semicolon names the selector.

~]$ cat /etc/opendkim/keys/default.txt
default._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjJDK89vmfjd8d79w0BAQEFAAOCAQ8AMIIBCgKCAQEAwAfFudpVW8ieZDGcPHBgqRo85n3VrM7QCjOGgIokjRroE7ZdRamzHWIBye9kRP/c5emS2YkakdR2r0tc2uPba6IpQb39VOjdBmVLRlTRMffBGRB+Copx5I7dFe2y36k33lv8d2sZjlXZCE8QDYSGI07h5HNjfx+3pHtX2/ldarcmTTqmibx/myc5B+11u0+eXo9PSDFLb9fusdflf"
          "Vmdjv8dhmdT6OYEzMSJKgBWiazCh/R/WHKZU9pn4Lh7r8oH3zCw72AUOneWu5ApdbqH+B4oC/Lfs0rOojGTxuMKTsq1XPZV04dx7+WUdHfH7O2+DjDJvy9J/DmF+x9Ng9U3o7fh48fm98" )  ; ----- DKIM key mail for example.com

 

The following pipeline joins the record into a single line containing only the v=, k= and p= tags, which is the form most hosted DNS providers' web forms want (they usually also want it without the surrounding quotes). Note that it drops the optional h=sha256 tag; omitting h= allows any hash algorithm the verifier supports, so signatures still verify.

~]$ cat /etc/opendkim/keys/default.txt | sed ':label; N; $! b label; s|\n||g' | sed 's|.*p=|"v=DKIM1; k=rsa; p=|' | sed 's|).*||' | sed 's|"[[:space:]]\+"||g'
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv/Nfuo5FmBkOUk1MbL7kFYpEq37a+SoKnGNrS0lFOfBwoIshRAOij+Pd4Zha4pR2f5f/feF5jMgdDBu+XUV9rsKrTrEN6POivzRuq5nN04fc1WscM9A7wZUWqAe6TYpLItZpxsEUBY6t9TwEr3R7q/3gPG1t5aV2+NqSw9BOTY1cGNDhyM37Oj3NA5v4dqnnizwUNz9yaZMD7Wrfk57PKMv5ArDeL++q0VkfhVxeA9s8OeA0v7es2x0Vn2aWz1vGplJcy8FYs/JkeZbhCtmsg/VPcTuTmM8GbG1sKBk5mah5DyFlaWot1e5GAALph1SHetm1ExZm/AjYtiKh/6ZBaQIDAQAB"

 

Publish the record under selector._domainkey in your domain. If your DNS server is BIND, paste the contents of default.txt into the .zone file as-is: it is already valid zone-file syntax, and the value must stay split into strings of at most 255 characters. For a hosted DNS provider, create a TXT record named default._domainkey and enter the single-line string from the previous command as its value. The tags mean:

  • v = DKIM version (DKIM1)
  • k = key type (rsa)
  • p = the public key, base64-encoded (a DER SubjectPublicKeyInfo, not a certificate); an empty p= means the key is revoked
  • h = the hash algorithms a signature made with this key may use (e.g. sha256); optional
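The formatting and the tag meanings above can be checked by script before the record goes live. The following Python is an added example, not code from this page or from OpenDKIM: it normalises a record from either layout shown above (the BIND-style default.txt or the multi-string form dig prints) into one value, parses the tags, decodes p= far enough to read the RSA modulus size and public exponent, flags a revoked (empty p=), under-sized or sha1-only key according to RFC 8301, and re-splits the value into strings of at most 255 octets for a zone file. The first sample input is constructed from the 2048-bit key printed in the page's dig output; the second is a synthetic 512-bit DER structure built inside the script (not a real key pair) to exercise the weak-key path. Standard library only.

```python
import base64
import re

# rsaEncryption OID (1.2.840.113549.1.1.1) as encoded inside a DER SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")

# The 2048-bit public key from the page's dig output, split here only to keep lines short.
KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv/Nfuo5FmBkOUk1MbL7kFYpEq37a+SoKnGNrS0lF"
    "OfBwoIshRAOij+Pd4Zha4pR2f5f/feF5jMgdDBu+XUV9rsKrTrEN6POivzRuq5nN04fc1WscM9A7wZUW"
    "qAe6TYpLItZpxsEUBY6t9TwEr3R7q/3gPG1t5aV2+NqSw9BOTY1cGNDhyM37Oj3NA5v4dqnnizwUNz9y"
    "aZMD7Wrfk57PKMv5ArDeL++q0VkfhVxeA9s8OeA0v7es2x0Vn2aWz1vGplJcy8FYs/JkeZbhCtmsg/VP"
    "cTuTmM8GbG1sKBk5mah5DyFlaWot1e5GAALph1SHetm1ExZm/AjYtiKh/6ZBaQIDAQAB"
)
# Constructed samples in the two layouts the page shows: dig's multi-string form and BIND zone syntax.
SAMPLE_DIG_TXT = f'"v=DKIM1; h=sha256; k=rsa;" "p={KEY_B64}"'
SAMPLE_DEFAULT_TXT = (
    'default._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'          "p={KEY_B64[:200]}"\n'
    f'          "{KEY_B64[200:]}" )  ; ----- DKIM key default for example.com\n'
)


def record_value(txt):
    """Join the quoted strings of a TXT record (zone-file or dig form) into the single value."""
    return "".join(re.findall(r'"([^"]*)"', txt)) if '"' in txt else txt.strip()


def parse_dkim_record(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for item in record_value(txt).split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(spki_der):
    """Return (modulus bits, public exponent) from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    _, alg, pos = _der_tlv(spki, 0)                    # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_tlv(spki, pos)               # BIT STRING; first octet = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsapub, _ = _der_tlv(bitstr, 1)                 # RSAPublicKey SEQUENCE
    _, n, pos = _der_tlv(rsapub, 0)                    # INTEGER modulus
    _, e, _ = _der_tlv(rsapub, pos)                    # INTEGER publicExponent
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_dkim_record(txt):
    """Validate a published DKIM key record and list what a signer should fix."""
    tags, problems, bits, exponent = parse_dkim_record(txt), [], None, None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"k={tags['k']}: this checker only understands rsa keys")
    if "sha1" in tags.get("h", "").split(":"):
        problems.append("h= lists sha1, which RFC 8301 no longer allows")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        problems.append("p= is empty: this selector is revoked and signs nothing")
    elif tags.get("k", "rsa") == "rsa":
        try:
            bits, exponent = rsa_key_bits(base64.b64decode(p, validate=True))
        except (ValueError, IndexError) as exc:
            problems.append(f"p= does not decode to an RSA public key: {exc}")
        else:
            if bits < 1024:
                problems.append(f"{bits}-bit key: verifiers must reject RSA keys under 1024 bits (RFC 8301)")
            elif bits < 2048:
                problems.append(f"{bits}-bit key: RFC 8301 recommends at least 2048 bits")
    return {"tags": tags, "bits": bits, "exponent": exponent, "problems": problems}


def zone_record(selector, value, max_len=255):
    """Render a record value as a BIND TXT RR, split into strings of at most 255 octets."""
    chunks = [value[i:i + max_len] for i in range(0, len(value), max_len)]
    return f"{selector}._domainkey IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed weak-key sample below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def fake_rsa_spki_b64(modulus):
    """CONSTRUCTED test data: wrap an arbitrary modulus in SPKI/RSAPublicKey DER. Not a real key."""
    n = (b"\x00" if modulus[0] & 0x80 else b"") + modulus     # keep the INTEGER positive
    rsapub = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsapub))).decode()


# A 512-bit modulus: RFC 8301 forbids verifiers from accepting signatures made with it.
WEAK_SAMPLE = "v=DKIM1; k=rsa; p=" + fake_rsa_spki_b64(b"\xc3" * 64)

if __name__ == "__main__":
    for label, rec in (("page key", SAMPLE_DIG_TXT), ("weak key", WEAK_SAMPLE)):
        r = check_dkim_record(rec)
        print(f"{label}: {r['bits']} bits, e={r['exponent']}, problems={r['problems'] or 'none'}")
    print(zone_record("default", record_value(SAMPLE_DEFAULT_TXT)))
```

Feed it the output of dig (the ANSWER SECTION value) after publishing, and the contents of default.txt before; if the two disagree in bits or tags, the wrong record is in DNS. The DER walk reads only the structure that every RSA SubjectPublicKeyInfo has, so it reports the size of whatever key is published without needing a crypto library.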

 

The dig command can be used to verify the DNS server has the DKIM TXT record. Query the full name selector._domainkey.yourdomain; if the record was added moments ago, also query a public resolver (for example dig @1.1.1.1 default._domainkey.example.com TXT), since your own resolver may still hold a cached negative answer.

~]$ dig default._domainkey.example.com TXT

;; ANSWER SECTION:
default._domainkey.example.com. 86400 IN    TXT     "v=DKIM1; h=sha256; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv/Nfuo5FmBkOUk1MbL7kFYpEq37a+SoKnGNrS0lFOfBwoIshRAOij+Pd4Zha4pR2f5f/feF5jMgdDBu+XUV9rsKrTrEN6POivzRuq5nN04fc1WscM9A7wZUWqAe6TYpLItZpxsEUBY6t9TwEr3R7q/3gPG1t5aV2+NqSw9BOTY1cGNDhyM37Oj3NA5v4dqnnizwUNz9yaZMD7Wrfk57PKMv5ArDeL++q0VkfhVxeA9s8OeA0v7es2x0Vn2aWz1vGplJcy8FYs/JkeZbhCtmsg/VPcTuTmM8GbG1sKBk5mah5DyFlaWot1e5GAALph1SHetm1ExZm/AjYtiKh/6ZBaQIDAQAB"

 

opendkim-testkey should return key OK. Passing -k makes it load the private key and check that it matches the public key published in DNS; without -k it only checks that the DNS record is well-formed.

~]$ opendkim-testkey -x /etc/opendkim.conf -d example.com -s default -k /etc/opendkim/keys/default.private -vvv
opendkim-testkey: key loaded from /etc/opendkim/keys/default.private
opendkim-testkey: checking key 'default._domainkey.example.com'
opendkim-testkey: key OK

If the output also says "key not secure", that only means the DNS answer was not DNSSEC-validated; it is not a DKIM error.

 

The record can also be checked from outside your network with an external tool such as the EasyDMARC DKIM Lookup tool.

Add the following directives to /etc/postfix/main.cf so that Postfix hands mail to OpenDKIM. smtpd_milters covers mail received over SMTP (including the submission port); non_smtpd_milters covers mail submitted locally through the sendmail command and the pickup service. Both are needed, otherwise some outbound mail leaves unsigned.

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

milter_default_action = accept
# what Postfix does when the milter cannot be reached or fails:
# "accept" handles the mail as if the filter did not exist, so outbound mail leaves unsigned while OpenDKIM is down
# "tempfail" defers the mail with a temporary error until the milter is reachable again
# "reject" rejects the mail
# "quarantine" is like "accept" but freezes the message in the "hold" queue, and is available with Postfix 2.6 or later

 

Enable and restart OpenDKIM first, so that the socket exists when Postfix connects, then restart Postfix. Without systemctl enable, OpenDKIM does not start at boot and, with milter_default_action = accept, mail would then go out unsigned.

systemctl enable opendkim
systemctl restart opendkim
systemctl restart postfix

 

/var/log/maillog should have something like this.

Dec 30 10:56:36 ip-172-31-19-227 opendkim[22310]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)

 

Send an email from an account on your Postfix system to some external email address. If DKIM is working, /var/log/maillog should have a line like the following, where s= is the selector and d= the signing domain (with the selector used in this article it reads s=default). On the receiving side, the message headers should show a DKIM-Signature header and the receiver's Authentication-Results header should report dkim=pass.

Dec 30 11:02:38 ip-172-31-19-227 opendkim[22609]: 377B481DDDB: DKIM-Signature field added (s=mail, d=example.com)

 
