Setting up openDKIM with Postfix (+ Troubleshooting)

Introduction

DomainKeys Identified Mail, abbreviated as DKIM, is a protocol which ensures that the emails received come from the right, authentic senders and are not forged. DKIM uses public-key cryptography. Most of the time when you run a mail server, emails unfortunately go into spam because your DNS does not have a DomainKey record, which authenticates the emails coming from your domain.

Requirements

  1. I assume you are familiar with a Debian-based distribution.
  2. You have a Postfix mail server; this guide deals with Postfix only.
  3. You have knowledge of basic Linux commands.

Installation

You can simply issue the following command to install openDKIM.

sudo aptitude install opendkim opendkim-tools dkim-filter

Configuration

Two configuration files of DKIM.

/etc/opendkim.conf
/etc/default/opendkim 
/etc/default/dkim-filter

First, edit /etc/opendkim.conf and make sure your file has the following settings. You only need to change “Domain” and “Selector”.


Domain                  vigasdeep.com #Use your domain here
KeyFile                 /etc/mail/dkim.key # We will generate this key later on
Selector                mail #this can be anything

# DomainKey is combined with "Selector" and "Domain", including an extra string "_domainkey"
# For Example mail._domainkey.vigasdeep.com

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
X-Header                no

After that, edit /etc/default/dkim-filter and make sure it has the following:

DAEMON_OPTS="-l -o DKIM-Signature,X-DKIM"
DAEMON_OPTS="$DAEMON_OPTS -d vigasdeep.com -k /etc/mail/dkim.key -s mail"
SOCKET="inet:8891@localhost"

Now we’ll edit the /etc/postfix/main.cf file. Append the following text to the file.

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

That’s all for the configuration.

Generate Public/Private key for DKIM

This command will generate a public/private key pair. Replace “mail” with your own selector, and “vigasdeep.com” with your domain name.

opendkim-genkey -t -s mail -d vigasdeep.com

After this, copy the private key to its proper place at /etc/mail/dkim.key

cp mail.private /etc/mail/dkim.key  
# here mail refers to the selector

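That’s it.

Optionally, you can also create a public/private key pair from http://dkimcore.org/tools/. Change Selector accordingly in the /etc/opendkim.conf file. Keep in mind that a private key generated on a third-party website has been handled by that site, whereas a key generated locally with opendkim-genkey never leaves your server.

If you have generated the keys on the web, then create a new file /etc/mail/dkim.key and paste the private key into it.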

Adding DNS (txt record) for domainkey

Adding the DNS entry is the most crucial part, so please be patient and read carefully. Of the public/private key pair you created, the public key goes into the DNS entry. Log in to your domain’s control panel, change the DNS settings, and add a TXT record. The TXT record will ask you for two things: Host and Data.

Host will be ( change accordingly for your case )

mail._domainkey.vigasdeep.com
## [Selector]._domainkey.[domain.com]

and data would be something like

"v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8O7fJSx/nbZfzy75pfMnSO57Y0/xyIQQfrWUFwo2PXIamDSII7KB83u0MBeSrt1TPAnSmcRlKIurEBD8xF1Um8cnM/D2W5BlPqKTiII9CHLNEiCKYJiG1EuB+5Wl47UCHnmRaX3+PrbB/r1AWEmT+8cNbz4FW60mQaEIHBFsgwIDAQAB"

Add the entry, and you’re done. Now we will test it out.
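A local check of the TXT value before it goes into the control panel, as an added example that is not part of the original post: it parses the record's tags and reports malformed tags, a missing or undecodable p=, and a leftover t=y. The function names and the sample key bytes are constructed for illustration.

```python
import base64
import binascii

# Constructed placeholder bytes standing in for a real public key.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()

def dkim_record_name(selector, domain):
    """DNS host that holds the public key: [selector]._domainkey.[domain]."""
    return f"{selector}._domainkey.{domain}"

def check_dkim_txt(txt):
    """Return a list of problems found in a DKIM TXT record value."""
    problems = []
    # The value may be wrapped in quotes or split into several quoted
    # strings; a resolver concatenates those strings with nothing between.
    value = "".join(txt.split('"')[1::2]) if '"' in txt else txt
    tags, order = {}, []
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not name:
            problems.append(f"malformed tag: {item.strip()!r}")
            continue
        tags[name] = val.strip()
        order.append(name)
    if "v" in tags and (order[0] != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    else:
        key = "".join(tags["p"].split())
        if key != tags["p"]:
            # RFC 6376 tolerates folding whitespace here, so treat this as
            # a prompt to re-check the paste rather than a hard failure.
            problems.append("whitespace inside p=")
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: testing mode is still set")
    return problems

if __name__ == "__main__":
    print(dkim_record_name("mail", "vigasdeep.com"))
    print(check_dkim_txt(f'"v=DKIM1; =rsa; t=y; p={SAMPLE_KEY}"'))
```

The t=y finding is expected right after opendkim-genkey -t; it serves as a reminder to drop the flag from the record once signing is confirmed to work.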

Starting DKIM and Troubleshooting

sudo service opendkim start

If you’re not able to send email, there is probably something wrong with the configuration. Check the mail logs.

grep -i dkim /var/log/mail.log

Check if DKIM is working correctly at http://dkimcore.org/tools/keycheck.html

Facing problems? Post a comment or hire me. I’ll be back after my “Double-Tikki” Burger. Hah!


Comments

4 responses to “Setting up openDKIM with Postfix (+ Troubleshooting)”

  1. Elliott Wittstruck

    I like the article, it helped. But I’m still having troubles. Do you still work in this area or not anymore? I’d be curious to get your help.

  2. Hey Elliott. Yes, I still work in this area and more. Feel free to ask. Cheers.

  3. Elliott Wittstruck

    I figured out the DKIM, had some weird spaces in the key… My next problem is to figure out how to IMAP into an email client like Outlook and SSL the email server. I don’t think my ports are correctly configured. Trying to troubleshoot with telnet. Any suggestions or direction on setting up IMAP with Dovecot? Thank you.

  4. Which server OS are you using? Hit me up at Instagram or twitter : /vigasdeep everywhere.
