Introduction

DomainKeys Identified Mail (DKIM) is an email authentication method that helps protect domains from email spoofing and improves email deliverability. By signing outgoing emails with a cryptographic signature, receiving mail servers can verify that the message was sent from an authorized source and has not been modified during transmission. This guide explains how to install and configure OpenDKIM with Postfix on a Linux server.


Prerequisites

  • Root or sudo access to the Linux server
  • Postfix is installed and configured
  • Basic knowledge of Linux command-line operations
  • Access to manage DNS records for the domain

Implementation

Step 1: Install Prerequisites

Install the required packages:

yum install sendmail-devel openssl-devel


Step 2: Install OpenDKIM

Download, extract, compile, and install OpenDKIM.

wget http://downloads.sourceforge.net/project/opendkim/opendkim-2.4.2.tar.gz

tar -zxf opendkim-2.4.2.tar.gz

cd opendkim*

./configure

make && make install


Step 3: Perform Post-Installation Configuration

Create a dedicated OpenDKIM user and the required directories.

useradd -s /sbin/nologin -b /var/run/opendkim opendkim-milt

mkdir /etc/mail/dkim

mkdir /etc/mail/dkim/keys

chown -R opendkim-milt:opendkim-milt /etc/mail/dkim

chmod -R go-wrx /etc/mail/dkim/keys


Step 4: Configure the Startup Script

Verify that the OpenDKIM startup script exists in:

/etc/init.d/opendkim

If it is not available, create the startup script as required before proceeding.


Step 5: Generate DKIM Keys

Create a directory for the domain and generate the DKIM key pair.

mkdir /etc/mail/dkim/keys/example.com

opendkim-genkey.sh -D /etc/mail/dkim/keys/example.com/ -d example.com -s default

chown -R opendkim-milt:opendkim-milt /etc/mail/dkim/example.com

mv /etc/mail/dkim/keys/example.com/default.private /etc/mail/dkim/keys/example.com/default

Note: The selector (-s) can be any preferred name such as default, mail, dk, or dkim.


Step 6: Configure OpenDKIM

Edit the following configuration file:

/etc/opendkim.conf

Configure the required parameters such as:

  • KeyTable
  • SigningTable
  • Socket
  • UserID
  • Canonicalization
  • SignatureAlgorithm
  • Logging options

Step 7: Configure the Signing Table

Create or edit:

/etc/mail/opendkim/signingTable

Add entries similar to:

*@example.com mail._domainkey.example.com

The Signing Table determines which DKIM key is used to sign outgoing emails for each domain.


Step 8: Configure Postfix

Edit the Postfix configuration file (main.cf) and add the following settings:

smtpd_milters = inet:localhost:20209

non_smtpd_milters = inet:localhost:20209

milter_protocol = 2

milter_default_action = accept

Reload the Postfix service after saving the changes.


Step 9: Add DKIM DNS Records

Open the generated public key file (for example, mail.txt) and add the public key as a TXT record in your domain’s DNS zone.

Remove the r=postmaster tag before adding the record, as it is experimental and not widely supported.

Also add the DKIM ADSP record:

_adsp._domainkey.example.com IN TXT “dkim=unknown”


Step 10: Start OpenDKIM

Start the OpenDKIM service.

service opendkim start


Step 11: Enable OpenDKIM at Boot

Configure the service to start automatically during system boot.

chkconfig –level 2345 opendkim on


Step 12: Verify DKIM Configuration

Send a test email to the Port25 DKIM verifier.

Use the following command to monitor the mail log while sending the email:

echo Test | mail -s test check-auth-username=gmail.com@verifier.port25.com

tail -fn0 /var/log/maillog

Review the verification email received from Port25.

A successful configuration will display:

DKIM check: pass

This confirms that Postfix is signing outgoing emails correctly using OpenDKIM.


Step 13: Automate DKIM Key Generation (Optional)

You can automate the DKIM key generation process and permission setup using the provided shell script. The script creates the required directories, generates DKIM keys, updates the KeyTable and SigningTable, restarts OpenDKIM, and displays the DNS TXT record that must be added for the domain.


Conclusion

Installing and configuring OpenDKIM with Postfix enables DKIM signing for outgoing emails, improving email authenticity and deliverability while reducing the risk of spoofing. After completing the installation, configuration, DNS updates, and verification steps, your mail server will be able to sign outbound messages successfully, allowing receiving mail servers to validate the authenticity of your emails.

Leave a Reply