DomainKeys Identified Mail (DKIM, RFC 6376) is a method for associating a domain name with an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The sending server adds a DKIM-Signature header computed over selected headers and the body with a private key; receiving servers fetch the matching public key from a DNS TXT record under the signing domain and verify the signature.
The tutorial considers the following software and environment:
Ubuntu 12.04 LTS, with Postfix as the MTA and OpenDKIM as the signing and verifying milter
This tutorial relies mostly on configuration.
apt-get update && apt-get install opendkim opendkim-tools
Generating the keys
Google currently fails DKIM verification on mail sent to Gmail accounts if it is signed with a 512-bit key or less, and there is evidence that Google is starting to enforce its policy of accepting only DKIM keys of 1024 bits or more. Treat 1024 bits as the minimum; a 2048-bit key is stronger and also accepted, at the cost of a TXT value long enough that it has to be split into several 255-octet strings in the zone.
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
mv private.key /etc/opendkim/private.key
chown opendkim:opendkim /etc/opendkim/private.key
chmod 600 /etc/opendkim/private.key
The private key is written to private.key and the public key to public.key in the current directory. Only the private key goes into /etc/opendkim, and it must be readable by the opendkim user alone: anyone who can read it can sign mail as your domain. public.key is only needed to build the DNS record.
Alternatively, you can simply use the opendkim-genkey command as follows:
opendkim-genkey -t -s mail -d example.com
This writes two files. mail.txt contains the DNS TXT entry with the public key, ready to paste into your zone; mail.private contains the private key, which goes into the /etc/opendkim folder:
mv mail.private /etc/opendkim/private.key && chown opendkim:opendkim /etc/opendkim/private.key && chmod 600 /etc/opendkim/private.key
Two options matter here: -b 2048 selects a 2048-bit key instead of the 1024-bit default, and -t adds t=y (testing mode) to the published record, which tells verifiers to treat failures as informational. Testing mode is useful while you set things up, but leave -t out (or remove t=y from the record) once signatures verify, otherwise the signature never carries real weight.
OpenDKIM configuration consists of two files: /etc/opendkim.conf (the daemon's settings) and /etc/default/opendkim (start-up options, mainly the socket Postfix connects to).
Use your favorite editor like “vim” to edit these files. Here’s an example of my /etc/opendkim.conf configuration:
# Log to syslog
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
# Sign for example.com with key in /etc/opendkim/private.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
KeyFile /etc/opendkim/private.key # the private key generated above
# Identifies a set of internal hosts whose mail should be signed rather than verified.
# Identifies a set of "external" hosts that may send mail through the server as one of the signing domains without credentials as such.
# Specifies a list of headers which should be included in all signature header lists (the "h=" tag) even if they were not present at the time the signature was generated.
# Specifies the set of header fields that should be included when generating signatures.
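A complete /etc/opendkim.conf that matches the comments above, added here as an example rather than copied from the original post: the first three comment blocks are the ones the stock Ubuntu opendkim.conf ships with, paired with the directives it attaches to them, and the remaining lines are the settings the later comments describe. The domain, key path and selector are the ones used in this tutorial; the list of signed headers is an assumption to adjust for your own mail.

```conf
# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/opendkim/private.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
Domain                  example.com
KeyFile                 /etc/opendkim/private.key
Selector                mail

# s = sign outbound mail, v = verify inbound mail; "s" alone would leave
# incoming signatures unchecked
Mode                    sv
# Header canonicalization relaxed (survives whitespace rewriting by relays),
# body canonicalization simple (only trailing empty lines are ignored)
Canonicalization        relaxed/simple

# Listening socket; the SOCKET line in /etc/default/opendkim overrides this
Socket                  inet:8891@localhost

# Identifies a set of internal hosts whose mail should be signed rather than
# verified. Keep this to hosts you control: anything listed here gets its
# mail signed as example.com.
InternalHosts           /etc/opendkim/opendkimhosts
# Identifies a set of "external" hosts that may send mail through the server
# as one of the signing domains without credentials as such.
ExternalIgnoreList      /etc/opendkim/opendkimhosts

# Specifies a list of headers which should be included in all signature
# header lists (the "h=" tag) even if they were not present at the time the
# signature was generated. Oversigning From means a second From header
# added after signing breaks the signature instead of being displayed.
OversignHeaders         From
# Specifies the set of header fields that should be included when generating
# signatures (assumed list; From is mandatory, the rest are the usual
# RFC 6376 recommendations)
SignHeaders             From,To,Cc,Subject,Date,Message-ID,In-Reply-To,References,MIME-Version,Content-Type,Content-Transfer-Encoding
```

Restart OpenDKIM after editing the file and watch syslog for the first signed message; a wrong KeyFile path or a key the opendkim user cannot read shows up there rather than as a Postfix error.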
Now edit /etc/default/opendkim:
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8891@localhost" # listen on loopback on port 8891 - Ubuntu default
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
Adjust /etc/opendkim/opendkimhosts, the file that opendkim.conf names as the set of internal hosts, to fit your server. Mail from these addresses and hostnames is signed as your domain, everything else is only verified, so list nothing you do not control:
# Your IP addresses (one per line)
#Your hostnames (one per line)
Setup the DNS entry
The public key has to be publicly available, so publish it as a DNS record. Go into your DNS configuration and add a TXT record named mail._domainkey.example.com (selector, then _domainkey, then your domain) with the following value:
v=DKIM1; k=rsa; p=[THE_CONTENT_OF_THE_PUBLIC_KEY_FILE]
The p= value is the body of public.key with the BEGIN/END lines and the line breaks removed; if you used opendkim-genkey, mail.txt already contains the finished record. Check the published record with dig mail._domainkey.example.com TXT, or with opendkim-testkey -d example.com -s mail -k /etc/opendkim/private.key -vvv which also compares it against the private key, before sending mail: a typo here makes every signature fail.
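The key generation and DNS steps above, as one added shell example that is not part of the original post: it uses openssl (the same tool as above) to generate a pair into a directory you choose, checks the key size and that the two halves belong together, and turns public.key into the p= value and a zone-file TXT line. The directory, the selector mail and the 2048-bit size are assumptions; run it as the user that will own the key and point it at /etc/opendkim when ready.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a DKIM key pair with
# openssl, checks it, and derives the DNS TXT record from the public key.
# Assumptions: directory and selector are passed as arguments; 2048 bits.

# Generate private.key and public.key in directory $1 with $2 modulus bits.
dkim_gen_key() {
    dir=$1
    bits=${2:-2048}
    openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
    openssl rsa -in "$dir/private.key" -pubout -outform PEM \
        -out "$dir/public.key" 2>/dev/null
    # Only the signer may read the private key. On the mail server also run
    # chown opendkim:opendkim on it so the daemon (not root) can open it.
    chmod 600 "$dir/private.key"
}

# Modulus length in bits of a PEM public key. openssl prints the modulus as
# hex without leading zero digits and RSA moduli have their top bit set, so
# four bits per hex digit is exact.
dkim_key_bits() {
    hex=$(openssl rsa -pubin -in "$1" -noout -modulus | sed 's/^Modulus=//')
    echo $(( ${#hex} * 4 ))
}

# Succeed only if private key $1 and public key $2 share a modulus, i.e. the
# record you are about to publish belongs to the key OpenDKIM signs with.
dkim_keys_match() {
    priv=$(openssl rsa -in "$1" -noout -modulus)
    pub=$(openssl rsa -pubin -in "$2" -noout -modulus)
    [ "$priv" = "$pub" ]
}

# TXT record value: p= is the base64 DER body of the PEM file, i.e. the file
# without its BEGIN/END lines and with the line breaks removed.
dkim_txt_record() {
    p=$(grep -v '^-----' "$1" | tr -d '\r\n')
    printf 'v=DKIM1; k=rsa; p=%s\n' "$p"
}

# Zone-file form for selector $1 and public key $2. One TXT string is limited
# to 255 octets and a 2048-bit p= is about 400 characters, so the value is
# split into quoted chunks that resolvers concatenate back together.
dkim_txt_zone() {
    chunks=$(dkim_txt_record "$2" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey IN TXT ( %s)\n' "$1" "$chunks"
}

# Usage: sh dkim-key.sh /etc/opendkim mail
if [ "$#" -eq 2 ]; then
    dkim_gen_key "$1" 2048
    echo "key size: $(dkim_key_bits "$1/public.key") bits"
    dkim_keys_match "$1/private.key" "$1/public.key" && echo "keys match"
    dkim_txt_zone "$2" "$1/public.key"
fi
```

The modulus comparison is the check worth keeping around: after a key rotation it is easy to publish the new record while OpenDKIM still reads the old file (or the other way round), and every outgoing message then fails verification until someone notices.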
Edit the Postfix main.cf file and add the following (Postfix does not allow a comment on the same line as a setting, so keep each value alone on its line):
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_protocol is 6 for Postfix 2.6 and later (Ubuntu 12.04 ships Postfix 2.9) and 2 for Postfix 2.5 and earlier. The two socket settings must match the SOCKET line in /etc/default/opendkim. milter_default_action = accept means that when OpenDKIM is down or unreachable Postfix still delivers the mail, unsigned and unverified, rather than refusing it; tempfail would defer the mail instead, which guarantees nothing leaves unsigned but turns a signer outage into a mail outage. Reload Postfix and restart OpenDKIM after the change.
Checking that OpenDKIM is running
Confirm that OpenDKIM is running and listening on port 8891 with the following:
netstat -ntap | grep opendkim
ps aux | grep opendkim
After sending an email, look at its headers at the receiving end; they should contain a DKIM-Signature similar to this:
Date: Tue, 03 Sep 2013 15:58:09 +0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
DKIM uses the email headers and body to generate the signature. If the signed headers are rewritten or text is appended to the message body after it has been signed, DKIM verification fails. The c=relaxed/simple in the header above is the canonicalization: relaxed for headers (whitespace and header-name case changes are tolerated), simple for the body (only empty lines at the end are ignored), so a relay that refolds header whitespace leaves the signature intact, while a mailing list that adds a footer or a subject tag breaks it. A receiver such as Gmail reports the outcome as dkim=pass or dkim=fail in its Authentication-Results header.
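To make the two points above concrete (which record a verifier looks up for a given DKIM-Signature, and how the body hash reacts to changes made after signing), here is an added shell example that is not part of the original post. The DKIM-Signature header in it is constructed, with placeholder bh= and b= values, and the body hash is computed with the "simple" canonicalization that the header's c= tag names, using sha256sum.

```shell
#!/bin/sh
# Added example, not from the original post. Parses a DKIM-Signature header
# and shows the effect of post-signing edits on the body hash. The header
# below is constructed; bh= and b= are placeholders, not real values.

SAMPLE_HEADER='DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
        s=mail; t=1378216689; h=Date:From:To:Subject;
        bh=Y29uc3RydWN0ZWQtYm9keS1oYXNo; b=Y29uc3RydWN0ZWQtc2lnbmF0dXJl'

# Value of tag $2 in DKIM-Signature header $1. The header name, folding and
# the whitespace DKIM permits inside tag values are stripped first.
dkim_tag() {
    printf '%s' "$1" | sed '1s/^DKIM-Signature:[[:space:]]*//' \
        | tr -d ' \t\r\n' | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Name of the TXT record a verifier queries: <selector>._domainkey.<domain>
dkim_dns_name() {
    printf '%s._domainkey.%s\n' "$(dkim_tag "$1" s)" "$(dkim_tag "$1" d)"
}

# Hex SHA-256 of a body after "simple" body canonicalization (RFC 6376
# section 3.4.3): bytes are used as-is, except that empty lines at the end
# are dropped and the result always ends in exactly one CRLF (an empty body
# becomes a lone CRLF). DKIM stores the same digest base64-encoded as bh=.
# Input may use LF or CRLF line endings; bare CR is not handled.
dkim_body_hash_simple() {
    printf '%s' "$1" | tr -d '\r' \
        | awk 'BEGIN { last = 0 }
               { line[NR] = $0; if ($0 != "") last = NR }
               END { for (i = 1; i <= last; i++) printf "%s\r\n", line[i]
                     if (last == 0) printf "\r\n" }' \
        | sha256sum | cut -d' ' -f1
}

# Demonstration: the original body, a copy with trailing blank lines (still
# verifies), and a copy with a footer appended after signing (fails).
body='Hello from the mail server.'
echo "lookup:   $(dkim_dns_name "$SAMPLE_HEADER")"
echo "original: $(dkim_body_hash_simple "$body")"
echo "blanks:   $(dkim_body_hash_simple "$body

")"
echo "appended: $(dkim_body_hash_simple "$body
-- 
added by a mailing list")"
```

On the server itself the same lookup is done for you by opendkim-testkey -d example.com -s mail -k /etc/opendkim/private.key -vvv, which fetches the record the function above names and checks it against the private key; the hash function is the part you would reach for when a receiver reports a body hash mismatch and you need to find out which hop altered the body.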
The Diagram used in this post is created by using the online service gliffy