DKIM (DomainKeys Identified Mail) merges DomainKeys (originally from Yahoo!) and Identified Internet Mail (from Cisco) and was later standardized as an industry collaboration (RFC 6376). It is a means for an organization to claim responsibility for sending a message in a way that a recipient can validate: outgoing messages are signed by the sending SMTP server (here Postfix, through the OpenDKIM milter) and the signature is verified against a public key published in a DNS TXT record for the signing domain. Depending on the receiver, unsigned or badly signed messages MAY be treated or marked as spam, because they could be forgeries.
The instructions below assume Ubuntu (Debian) and Postfix, but can likely be adapted to other platforms.
- Install OpenDKIM:
sudo apt-get install opendkim opendkim-tools
- Set up the initial configuration:
sudo vi /etc/opendkim.conf
ADD:
Domain example.com
KeyFile /etc/postfix/dkim.key
Selector dkim
# Listen on TCP port 8891 on the loopback interface; Postfix connects to this socket (see main.cf below).
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
# Uncomment to tolerate whitespace changes and header re-wrapping by intermediate MTAs; the default is simple/simple.
#Canonicalization relaxed/relaxed
# Hosts listed in these files are treated as your own senders: their mail is signed rather than verified.
ExternalIgnoreList file:/etc/opendkim/TrustedHostList
InternalHosts file:/etc/opendkim/TrustedHostList
# Log the reason whenever a message is not signed or not verified.
LogWhy yes
- Add trusted hosts (create the folder first if it does not exist). Mail from these hosts is signed without any further authentication, so list only loopback and your own internal relays; 10.1.10.1 below is just an example:
sudo mkdir /etc/opendkim
sudo vi /etc/opendkim/TrustedHostList
ADD:
# Hosts whose outgoing mail OpenDKIM will sign (replace 10.1.10.1 with your own internal hosts or subnets)
localhost
127.0.0.1
10.1.10.1
- Tell the Debian init script to use the same socket, so the service and opendkim.conf agree on where OpenDKIM listens:
sudo vi /etc/default/opendkim
ADD:
SOCKET="inet:8891@localhost"
- Point Postfix at the milter, for mail received over SMTP and for mail submitted locally (sendmail/pickup):
sudo vi /etc/postfix/main.cf
ADD:
# DKIM
# --------------------------------------
# "accept" means mail still flows, unsigned, if OpenDKIM is down; use "tempfail" if you would rather queue than send unsigned mail.
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
- Take a look at master.cf: any extra smtpd instances defined there (for example a submission service on port 587) inherit smtpd_milters from main.cf unless they override it with -o, so check that the services you expect to sign through actually reach the milter:
sudo vi /etc/postfix/master.cf
- Generate your keys (-t marks the key as being in test mode; -b 2048 is given explicitly because, depending on the OpenDKIM version, the default key size may be 1024 bits, which is weaker than current guidance):
opendkim-genkey -t -s dkim -d example.com -b 2048
NOTE: this creates dkim.private (the secret signing key; anyone holding it can sign as your domain) and dkim.txt (the DNS record to publish). Back them up somewhere safe.
- Copy the private key to the postfix folder, then fix ownership and permissions on the copy (cp run as root leaves a root-owned file that the opendkim user cannot read, so the daemon fails to load the key):
sudo cp dkim.private /etc/postfix/dkim.key
sudo chown opendkim:opendkim /etc/postfix/dkim.key
sudo chmod 600 /etc/postfix/dkim.key
- NOTE: I initially had a problem with dkim refusing connections; this MIGHT be needed.
sudo adduser postfix opendkim
- Start OpenDKIM, then restart Postfix so it picks up the milter settings:
sudo service opendkim start
sudo service postfix restart
- Open dkim.txt and copy its contents, removing "t=y;" because it indicates test mode (verifiers treat a failing signature from a key in test mode as if the message were unsigned). opendkim-genkey splits the key across several quoted strings; join them into a single value when pasting into your DNS provider:
sudo vi dkim.txt
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; p=xxxxxxxxx" ) ;
- (Optional, legacy) Add the DomainKeys policy record. DKIM verifiers do not use it and sending policy is now expressed with DMARC, so this step can be skipped:
_domainkey.example.com TXT o=~
- Add the DKIM public-key record for the selector:
dkim._domainkey.example.com TXT v=DKIM1; k=rsa; p=xxxxxxxxx
- NOTE: you will likely need to wait a while (up to the zone's TTL, often a few hours) for your DNS entries to propagate; confirm that a TXT query for dkim._domainkey.example.com returns the record before relying on the signature.
- Simple verification: send an email to this address and you will receive a reply reporting your SPF, DKIM and DMARC compliance status:
mailto:[email protected]
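The DNS and key-handling steps above are easy to get subtly wrong (test flag left in, key split across strings, key shorter than 2048 bits, root-owned key file). The script below is an added example, not code from the original post: it rebuilds the TXT value from the dkim.txt that opendkim-genkey writes, strips t=y, checks the result, installs the key with the right owner and mode, and can compare the published record with the same checks. It assumes the selector "dkim", the domain "example.com" and the key path /etc/postfix/dkim.key used throughout this walkthrough; the embedded dkim.txt is a constructed sample with a made-up p= value.

```sh
#!/bin/sh
# Added example, not part of the original post: turn the dkim.txt that
# opendkim-genkey writes into one DNS TXT value, strip the t=y test flag,
# sanity-check the result, and (optionally) compare it with what DNS serves.
# Assumptions taken from the walkthrough: selector "dkim", domain
# "example.com", private key installed at /etc/postfix/dkim.key.
set -eu

SELECTOR=dkim
DOMAIN=example.com
KEY_FILE=/etc/postfix/dkim.key

# Constructed stand-in for dkim.txt ("opendkim-genkey -t -s dkim -d example.com").
# The p= value is NOT a real key; it only mimics the shape of the real file,
# including the t=y flag and the key split across several quoted strings.
SAMPLE_GENKEY_TXT='dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
   "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"
   "CONSTRUCTEDSAMPLEKEYNOTREALCONSTRUCTEDSAMPLEKEYNOTREALQIDAQAB" )  ; ----- DKIM key dkim for example.com'

# Read a genkey .txt file on stdin, join every double-quoted string into one
# record and drop t=y (with t=y a verifier must treat a failing signature like
# no signature at all, so it must not stay in the published record).
dkim_record_from_genkey() {
  awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i } END { print "" }' \
    | sed -e 's/t=y; *//' -e 's/; *t=y *$//'
}

# Character count of the base64 public key in p=...; a 1024-bit RSA key encodes
# to 216 characters and a 2048-bit key to 392.
dkim_pubkey_len() {
  printf '%s\n' "$1" | sed 's/.*p=//; s/;.*//' | tr -d ' \n' | wc -c | tr -d ' '
}

# Return 0 only if the record is publishable: DKIM1, RSA, a non-empty key and
# not in test mode. A key shorter than 2048 bits is reported but does not fail.
dkim_record_check() {
  rec=$1
  case "$rec" in "v=DKIM1;"*) ;; *) echo "check: record must start with v=DKIM1;" >&2; return 1 ;; esac
  case "$rec" in *k=rsa*) ;; *)     echo "check: missing k=rsa" >&2; return 1 ;; esac
  case "$rec" in *t=y*)             echo "check: still in test mode (t=y); remove it" >&2; return 1 ;; esac
  case "$rec" in *p=?*) ;; *)       echo "check: p= is empty or missing (revoked key?)" >&2; return 1 ;; esac
  if [ "$(dkim_pubkey_len "$rec")" -lt 392 ]; then
    echo "check: key looks shorter than 2048 bits; consider opendkim-genkey -b 2048" >&2
  fi
  return 0
}

# Install the private key where KeyFile in opendkim.conf points, owned and
# readable only by the opendkim user (a plain "cp" as root leaves a root-owned
# copy that the daemon cannot open). Needs root; not exercised by the demo.
install_dkim_key() {
  install -o opendkim -g opendkim -m 0600 "$1" "$2"
}

# Fetch the live record with dig, re-join its quoted strings and run the same
# checks. Empty output usually means the record is not published yet or is
# still propagating.
dkim_dns_check() {
  name="${SELECTOR}._domainkey.${DOMAIN}"
  published=$(dig +short TXT "$name" | sed 's/" "//g' | tr -d '"')
  if [ -z "$published" ]; then
    echo "dns: no TXT record at $name yet" >&2
    return 1
  fi
  dkim_record_check "$published" && echo "dns: $name serves a valid record: $published"
}

# Stand-alone demo on the constructed sample. Run with "dns" as the first
# argument to query the live record instead, or "install <src>" to install a key.
case "${1:-demo}" in
  demo)
    record=$(printf '%s\n' "$SAMPLE_GENKEY_TXT" | dkim_record_from_genkey)
    dkim_record_check "$record" && printf '%s._domainkey.%s TXT "%s"\n' "$SELECTOR" "$DOMAIN" "$record"
    ;;
  dns)     dkim_dns_check ;;
  install) install_dkim_key "$2" "$KEY_FILE" ;;
esac
```

Run it with no arguments to see the record built from the constructed sample; once your real record is published, run it with "dns" to fetch and check the live one. opendkim-tools also ships opendkim-testkey, which fetches the record and checks it against the private key on disk: opendkim-testkey -d example.com -s dkim -k /etc/postfix/dkim.key -vvv.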