Install DKIM in Postfix using openDKIM
Introduction
DomainKeys Identified Mail (DKIM) is an email authentication method that helps protect domains from email spoofing and improves email deliverability. By signing outgoing emails with a cryptographic signature, receiving mail servers can verify that the message was sent from an authorized source and has not been modified during transmission. This guide explains how to install and configure OpenDKIM with Postfix on a Linux server.
Prerequisites
- Root or sudo access to the Linux server
- Postfix is installed and configured
- Basic knowledge of Linux command-line operations
- Access to manage DNS records for the domain
Implementation
Step 1: Install Prerequisites
Install the required packages:
yum install sendmail-devel openssl-devel
Step 2: Install OpenDKIM
Download, extract, compile, and install OpenDKIM.
wget http://downloads.sourceforge.net/project/opendkim/opendkim-2.4.2.tar.gz
tar -zxf opendkim-2.4.2.tar.gz
cd opendkim*
./configure
make && make install
Step 3: Perform Post-Installation Configuration
Create a dedicated OpenDKIM user and the required directories.
useradd -s /sbin/nologin -b /var/run/opendkim opendkim-milt
mkdir /etc/mail/dkim
mkdir /etc/mail/dkim/keys
chown -R opendkim-milt:opendkim-milt /etc/mail/dkim
chmod -R go-wrx /etc/mail/dkim/keys
Step 4: Configure the Startup Script
Verify that the OpenDKIM startup script exists in:
/etc/init.d/opendkim
If it is not available, create the startup script as required before proceeding.
Step 5: Generate DKIM Keys
Create a directory for the domain and generate the DKIM key pair.
mkdir /etc/mail/dkim/keys/example.com
opendkim-genkey.sh -D /etc/mail/dkim/keys/example.com/ -d example.com -s default
chown -R opendkim-milt:opendkim-milt /etc/mail/dkim/example.com
mv /etc/mail/dkim/keys/example.com/default.private /etc/mail/dkim/keys/example.com/default
Note: The selector (-s) can be any preferred name such as default, mail, dk, or dkim.
Step 6: Configure OpenDKIM
Edit the following configuration file:
/etc/opendkim.conf
Configure the required parameters such as:
- KeyTable
- SigningTable
- Socket
- UserID
- Canonicalization
- SignatureAlgorithm
- Logging options
Step 7: Configure the Signing Table
Create or edit:
/etc/mail/opendkim/signingTable
Add entries similar to:
*@example.com mail._domainkey.example.com
The Signing Table determines which DKIM key is used to sign outgoing emails for each domain.
Step 8: Configure Postfix
Edit the Postfix configuration file (main.cf) and add the following settings:
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept
Reload the Postfix service after saving the changes.
Step 9: Add DKIM DNS Records
Open the generated public key file (for example, mail.txt) and add the public key as a TXT record in your domain’s DNS zone.
Remove the r=postmaster tag before adding the record, as it is experimental and not widely supported.
Also add the DKIM ADSP record:
_adsp._domainkey.example.com IN TXT “dkim=unknown”
Step 10: Start OpenDKIM
Start the OpenDKIM service.
service opendkim start
Step 11: Enable OpenDKIM at Boot
Configure the service to start automatically during system boot.
chkconfig –level 2345 opendkim on
Step 12: Verify DKIM Configuration
Send a test email to the Port25 DKIM verifier.
Use the following command to monitor the mail log while sending the email:
echo Test | mail -s test check-auth-username=gmail.com@verifier.port25.com
tail -fn0 /var/log/maillog
Review the verification email received from Port25.
A successful configuration will display:
DKIM check: pass
This confirms that Postfix is signing outgoing emails correctly using OpenDKIM.
Step 13: Automate DKIM Key Generation (Optional)
You can automate the DKIM key generation process and permission setup using the provided shell script. The script creates the required directories, generates DKIM keys, updates the KeyTable and SigningTable, restarts OpenDKIM, and displays the DNS TXT record that must be added for the domain.
Conclusion
Installing and configuring OpenDKIM with Postfix enables DKIM signing for outgoing emails, improving email authenticity and deliverability while reducing the risk of spoofing. After completing the installation, configuration, DNS updates, and verification steps, your mail server will be able to sign outbound messages successfully, allowing receiving mail servers to validate the authenticity of your emails.
