If you send email from a Postfix mail server, configuring OpenDKIM is one of two methods available to authenticate your domain (the other is SPF). Why does authenticating your domain matter? Because email providers like Gmail and Yahoo will junk or reject unauthenticated email. Here’s how to set up OpenDKIM on Ubuntu.
What is DKIM?
DKIM, or DomainKeys Identified Mail, is an email authentication method that lets a receiver confirm that mail from your domain was authorized by the domain’s owner. It works by embedding a digital signature in each outgoing email, which tells the receiver that the message was sent and authorized by you. To verify the signature, the receiver checks it against a public key published in your domain’s DNS records.
Step 1: Install OpenDKIM
Use the apt package manager to install opendkim (as root, or with sudo as in the later steps):
$ sudo apt install opendkim
Step 2: Update the opendkim configuration file
Edit the /etc/opendkim.conf file and change the following settings. The TrustedHosts, KeyTable, and SigningTable files are explained later in this article. The Mode setting selects the operating mode; we set it to 's' for signer, because we are using opendkim only to sign outgoing email. The Socket setting specifies the socket that opendkim creates to receive connections from postfix.
Mode s
InternalHosts refile:/etc/opendkim/TrustedHosts
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket local:/var/spool/postfix/opendkim/opendkim.sock
Step 3: Create a TrustedHosts file
Edit the /etc/opendkim/TrustedHosts file and list the IP addresses of the hosts that are allowed to use the keys to sign email. Assuming that the opendkim service runs on the same host as postfix, only the localhost IP and hostname need to be included.
127.0.0.1
localhost
Step 4: Generate a key
In this step you generate a key pair and publish the public key in DNS so receivers can verify your DKIM signatures. First, create a directory where you will store your keys:
mkdir /etc/opendkim/keys
Second, create the keys using the opendkim-genkey command. Enter your domain name after the domain (-d) parameter and the key name after the selector (-s) parameter. The -D parameter sets the output directory; without it the files are written to the current working directory.
opendkim-genkey -D /etc/opendkim/keys -d example.com -s mydkimkey
The selector name entered above is what receivers use to look up the key in your DNS. The command above writes the private key to /etc/opendkim/keys/mydkimkey.private and the DNS record to /etc/opendkim/keys/mydkimkey.txt, which should look something like the following. Go ahead and create the DNS TXT record for your domain: the record name is mydkimkey._domainkey.example.com and the value is the quoted strings joined together into one string.
mydkimkey._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQK…" )
Step 5: Create the KeyTable file
The KeyTable file maps a key name (selector._domainkey.domain) to the signing domain, the selector, and the path to your private key. It tells opendkim where to find the correct key for signing outgoing email. First, create the file and give it proper permissions:
touch /etc/opendkim/KeyTable
chmod 0640 /etc/opendkim/KeyTable
Then add the following line:
mydkimkey._domainkey.example.com example.com:mydkimkey:/etc/opendkim/keys/mydkimkey.private
Step 6: Create the SigningTable file
The SigningTable file tells opendkim which key name (and therefore which selector) to use for the declared domains and email addresses. First, create the file and give it proper permissions:
touch /etc/opendkim/SigningTable
chmod 0640 /etc/opendkim/SigningTable
We want to use the same selector for the entire domain, so we denote that by adding the following line:
*@example.com mydkimkey._domainkey.example.com
Step 7: Create the socket directory and set up permissions
This step is necessary because postfix and opendkim communicate over a Unix domain socket: opendkim must be able to create the socket, and postfix must be able to connect to it. First, we add the user postfix to the opendkim group using the usermod command. Then we create the socket directory, owned by the user opendkim and the group postfix.
usermod -aG opendkim postfix
mkdir /var/spool/postfix/opendkim
chown opendkim:postfix /var/spool/postfix/opendkim
Step 8: Update the postfix config with the opendkim information
In this step, we use the postconf command to add the milter settings shown below. The socket path is relative to the Postfix queue directory (/var/spool/postfix), which is why it is shorter than the path in opendkim.conf. The non_smtpd_milters setting applies the same milter to mail submitted locally (for example via the sendmail command), and milter_default_action = accept means mail is still delivered, unsigned, if opendkim is unreachable.
postconf -e 'smtpd_milters = local:opendkim/opendkim.sock'
postconf -e 'non_smtpd_milters = $smtpd_milters'
postconf -e 'milter_default_action = accept'
Step 9: Restart postfix and opendkim
$ sudo systemctl restart postfix
$ sudo systemctl restart opendkim
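As an added example (not code from the original article), here are the steps above gathered into one script. It edits opendkim.conf setting by setting rather than overwriting it, renders the KeyTable and SigningTable entries from a DOMAIN and SELECTOR (example.com and mydkimkey are placeholders), and can stage the files under a scratch ROOT for inspection. The privileged commands (apt, opendkim-genkey, usermod, postconf, systemctl) run only when OPENDKIM_APPLY=1 is set. The UMask setting and the chmod 0600 on the private key are not in the article; UMask 007 makes the socket group-accessible for the postfix user, and the tighter key mode keeps the signing key readable by opendkim alone.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the setup steps as one script.
# DOMAIN and SELECTOR are placeholders; ROOT is a staging directory (empty
# string means the live system) so the rendered files can be inspected first.
# Privileged commands run only when OPENDKIM_APPLY=1 is set.
set -eu

DOMAIN="${DOMAIN:-example.com}"
SELECTOR="${SELECTOR:-mydkimkey}"
ROOT="${ROOT:-}"

# set_conf_option FILE KEY VALUE: replace an existing "KEY ..." line (or append
# one) so the rest of the distribution's opendkim.conf is preserved.
set_conf_option() {
  file=$1 key=$2 value=$3
  touch "$file"
  { grep -v "^[[:space:]]*$key[[:space:]]" "$file" || true
    printf '%s %s\n' "$key" "$value"; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# opendkim.conf: signer mode, the tables, and the socket Postfix connects to.
# UMask 007 is not in the article; it makes the socket group-accessible, which
# is what lets the postfix user (added to the opendkim group below) reach it.
configure_opendkim_conf() {
  conf="$ROOT/etc/opendkim.conf"
  set_conf_option "$conf" Mode s
  set_conf_option "$conf" UMask 007
  set_conf_option "$conf" InternalHosts refile:/etc/opendkim/TrustedHosts
  set_conf_option "$conf" ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
  set_conf_option "$conf" KeyTable refile:/etc/opendkim/KeyTable
  set_conf_option "$conf" SigningTable refile:/etc/opendkim/SigningTable
  set_conf_option "$conf" Socket local:/var/spool/postfix/opendkim/opendkim.sock
}

# KeyTable maps a key name to domain:selector:private key path;
# SigningTable maps every sender at the domain to that key name.
render_keytable() {
  printf '%s._domainkey.%s %s:%s:/etc/opendkim/keys/%s.private\n' \
    "$SELECTOR" "$DOMAIN" "$DOMAIN" "$SELECTOR" "$SELECTOR"
}
render_signingtable() {
  printf '*@%s %s._domainkey.%s\n' "$DOMAIN" "$SELECTOR" "$DOMAIN"
}

# Write the configuration files under $ROOT with the permissions from the article.
write_config_files() {
  mkdir -p "$ROOT/etc/opendkim/keys"
  configure_opendkim_conf
  printf '127.0.0.1\nlocalhost\n' > "$ROOT/etc/opendkim/TrustedHosts"
  render_keytable > "$ROOT/etc/opendkim/KeyTable"
  render_signingtable > "$ROOT/etc/opendkim/SigningTable"
  chmod 0640 "$ROOT/etc/opendkim/KeyTable" "$ROOT/etc/opendkim/SigningTable"
}

# Package, key pair, socket directory, Postfix milter settings, restart.
apply_system_changes() {
  apt-get install -y opendkim
  [ -f "/etc/opendkim/keys/$SELECTOR.private" ] || \
    opendkim-genkey -D /etc/opendkim/keys -d "$DOMAIN" -s "$SELECTOR"
  chown opendkim:opendkim "/etc/opendkim/keys/$SELECTOR.private"
  chmod 0600 "/etc/opendkim/keys/$SELECTOR.private"   # only the signer reads the private key
  usermod -aG opendkim postfix
  mkdir -p /var/spool/postfix/opendkim
  chown opendkim:postfix /var/spool/postfix/opendkim
  postconf -e 'smtpd_milters = local:opendkim/opendkim.sock'
  postconf -e 'non_smtpd_milters = $smtpd_milters'
  postconf -e 'milter_default_action = accept'
  systemctl restart opendkim postfix
  echo "Publish this TXT record at $SELECTOR._domainkey.$DOMAIN:"
  cat "/etc/opendkim/keys/$SELECTOR.txt"
}

if [ "${OPENDKIM_APPLY:-0}" = "1" ]; then
  write_config_files
  apply_system_changes
else
  echo "Dry run (set OPENDKIM_APPLY=1 to apply). Table entries that would be written:"
  render_keytable
  render_signingtable
fi
```

Run it once without OPENDKIM_APPLY to see the table entries, or with ROOT=/tmp/dkim-stage and a call to write_config_files to diff the staged opendkim.conf against the live one before applying.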
Verify that it’s working
There are two ways to verify that your mail server now signs outbound email with a DKIM signature.
The first way is simply to send yourself an email. Once you've received it, copy the full headers and paste them into the mxtoolbox header analyzer. This is the most thorough way to validate your opendkim setup, because it confirms both that your mail server signed the message correctly and that the receiving mail server verified the signature.
The second way is to check your mail log (/var/log/mail.log on Ubuntu). For each signed message you should see a line like the following, carrying the selector and domain you configured:
Oct 20 00:01:02 myhost opendkim[695]: 4ABBCC1AFA: DKIM-Signature field added (s=mydkimkey, d=example.com)
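As an added example (not part of the original article), the following script checks the two things the verification section relies on: that the mail log shows signatures being added with the expected selector and domain, and that the DNS TXT record holds the same value as the local key file. The log lines and the key file below are constructed samples; the first log line is the one from the article, while the "not internal" and "no signing table match" lines are other OpenDKIM messages assumed here as the usual reasons a message leaves unsigned. The DNS comparison uses dig (bind9-dnsutils) and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: summarise OpenDKIM signing from
# a Postfix mail log and compare the published TXT record with the local key.
set -eu

# Constructed sample log (not real traffic). Line 1 is the article's example;
# the "not internal" and "no signing table match" lines are assumed formats.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 20 00:01:02 myhost opendkim[695]: 4ABBCC1AFA: DKIM-Signature field added (s=mydkimkey, d=example.com)
Oct 20 00:01:05 myhost postfix/smtpd[700]: connect from localhost[127.0.0.1]
Oct 20 00:02:10 myhost opendkim[695]: 5BCCDD2BFB: DKIM-Signature field added (s=mydkimkey, d=example.com)
Oct 20 00:03:30 myhost opendkim[695]: 6CDDEE3CFC: no signing table match for 'bob@other.example'
Oct 20 00:04:41 myhost opendkim[695]: 7DEEFF4DFD: not internal
Oct 20 00:05:00 myhost opendkim[695]: 8EFF005EFE: DKIM-Signature field added (s=oldkey, d=example.com)
EOF

# Constructed stand-in for /etc/opendkim/keys/mydkimkey.txt; the p= value is a placeholder, not a real key.
SAMPLE_TXT=$(mktemp)
cat > "$SAMPLE_TXT" <<'EOF'
mydkimkey._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEPLACEHOLDER" )  ; ----- DKIM key mydkimkey for example.com
EOF

# count_signed LOG SELECTOR DOMAIN: messages signed with exactly this selector and domain.
count_signed() {
  grep -c "DKIM-Signature field added (s=$2, d=$3)" "$1" || true
}

# count_other_selector LOG SELECTOR DOMAIN: signed for the domain but with a
# different selector, which usually points at a stale KeyTable or SigningTable entry.
count_other_selector() {
  grep "DKIM-Signature field added" "$1" | grep "d=$3)" | grep -vc "s=$2," || true
}

# count_unsigned LOG: messages OpenDKIM saw but left unsigned (host not in
# TrustedHosts, or sender not matched by the SigningTable).
count_unsigned() {
  grep -cE 'opendkim\[[0-9]+\]: [0-9A-F]+: (not internal|no signing table match)' "$1" || true
}

# join_txt_chunks: concatenate the quoted pieces of a TXT record (from the genkey
# .txt file or from dig output) into the single string the record must hold.
join_txt_chunks() {
  grep -o '"[^"]*"' | tr -d '"\n'
}

# dns_matches_local TXTFILE NAME: compare the published record with the local
# file, e.g. dns_matches_local /etc/opendkim/keys/mydkimkey.txt mydkimkey._domainkey.example.com
dns_matches_local() {
  local_value=$(join_txt_chunks < "$1")
  published=$(dig +short TXT "$2" | join_txt_chunks)
  [ -n "$published" ] && [ "$local_value" = "$published" ]
}

echo "signed with s=mydkimkey d=example.com: $(count_signed "$SAMPLE_LOG" mydkimkey example.com)"
echo "signed with another selector:         $(count_other_selector "$SAMPLE_LOG" mydkimkey example.com)"
echo "seen but not signed:                  $(count_unsigned "$SAMPLE_LOG")"
echo "expected TXT value: $(join_txt_chunks < "$SAMPLE_TXT")"
```

Point count_signed at /var/log/mail.log with your own selector and domain; a non-zero "seen but not signed" count means the sending host or address is not covered by TrustedHosts or the SigningTable, and a "signed with another selector" count means an old key name is still wired into the tables.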