Main menu

Install and configure DKIM with POSTFIX

Now days DKIM (DomainKeys Identified Mail) is a standard mail signing method used to verify the senders identity. In this mechanism sender MTA sent a DKIM signed email using it’s private key. At other end receiver MTA receive public key from DNS and verify it’s an legitimated sender. Let’s configure  DKIM with POSTFIX.

In this article we are using opendkim solution for postfix for signing the emails.

    1. Installing and configuring opendkim.
    2. Configuring POSTFIX to use opendkim.
    3. Hosting DKIM DNS record.

Installing and configuring opendkim

 # yum install epel-release
 # yum install opendkim
 # vi /etc/opendkim.conf
PidFile                 /var/run/opendkim/
 Mode                    sv
 TemporaryDirectory      /var/tmp
 Socket                  inet:8891@localhost
 AutoRestart             Yes
 AutoRestartRate         10/1h
 SendReports             yes
 ReportAddress           " Postmaster" <>
 LogWhy                  Yes
 Syslog                  Yes
 SyslogSuccess           yes
 UserID                  opendkim:opendkim
 UMask                   022
 Canonicalization        relaxed/simple
 ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
 InternalHosts           refile:/etc/opendkim/TrustedHosts
 KeyTable                refile:/etc/opendkim/KeyTable
 SigningTable            refile:/etc/opendkim/SigningTable
 SignatureAlgorithm      rsa-sha256
 OversignHeaders         From
 SoftwareHeader          yes
 Selector                default

Some of important configuring explain..

  • Mode: Define dkim operation mode which is  signer (s) and a verifier (v)
  • PidFile: location where process file will be created.
  • Socket: Milter will listen in this socket. MTA send an request to this port for signing.
  • UserID: user under process will run.
  • Umask: Access permission to specified UserID which can read and execute opendkim.
  • LogWhy, Syslog, SyslogSuccess:  Detailed logging via syslog.
  • AutoRestart and AutoRestartRate: Restart the filter on failures and if it’s so frequent 10/1h (10 restart per hour) is allowed.
  • Canonicalization: This is an message signing method. Simple allow almost no modificatio while relaxed minor changes are allowed. In relaxed/simple header will be processed with relaxed and body with simple.
  • ExternalIgnoreList: Mail relay through this server can use opendkim to sign email. It’s an allowed list of for relaying servers.
  • InternalHosts: defines a list of hosts which can be signed without verification.
  • KeyTable: Mapping between Key names and  signing key’s.
  • SigningTable: Signature lists apply based on header filed like from address.

Creating public and private keys for your domain.

# mkdir /etc/opendkim/keys/
# opendkim-genkey -D /etc/opendkim/keys/ -d -s default
# chown -R opendkim /etc/opendkim/keys/

Create mapping of your key and key name in /etc/opendkim/KeyTable


Specify the trusted host which can use this milter

#vi /etc/opendkim/TrustedHosts

Host your public key in DNS

open your domains default.txt, here you will find the DNS record which you will need to host on your DNS server. Reciving MTA will fetch this entry to verify the sender MTA authority.

cat /etc/opendkim/keys/
 default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
 "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0ZQZ2Ht9HHIF0m7qKbkiax8sroDo6c+Ut0rgj3k0akmD91O7Z0ypToxM/kbco42bNgCVGeIADWqGBVIYlBqZJwEoLt+IAbmMzE4RP1qlwivgUjvqX+UHRSg6emkrdy9QL8WHQ1bec5WnwLeLWkDqq++6SPl4Q7xKKHUUZkZLx7QIDAQAB" )  ; ----- DKIM key default for

SPF is also a necessary record for reliable delivery of your emails. If you haven’t set this create a SPF record on your domain. 14400 IN TXT "v=spf1 a mx ~all"

Configure Postfix to connect OpenDKIM milter

smtpd_milters           = inet:
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

Start and enable necessary services in RHEL/CentOS 6 and previous releases

# service opendkim start
# service postfix restart
# chkconfig opendkim on

Start and enable necessary services in RHEL/CentOS 7

#systemctl enable opendkim
#systemctl start opendkim
#systemctl restart postfix

Verify DKIM signature.

Now it’s time to verify your DKIM signature. there are verious ways you can verify that your DKIM is configured properly or not. You  can send an email to Gmail account and check the original email. Verify that DKIM is passed.

You also can send an test email to and it will verify and show the email raking.