Install OpenDKIM

apt update && apt -y dist-upgrade && apt -y install opendkim opendkim-tools

Configure OpenDKIM

vi /etc/opendkim.conf
AutoRestart         Yes
AutoRestartRate     10/1h
SyslogSuccess       Yes
LogWhy              Yes
Canonicalization    relaxed/simple
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
KeyTable            refile:/etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
Mode                sv
PidFile             /var/run/opendkim/opendkim.pid
SignatureAlgorithm  rsa-sha256
UserID              opendkim:opendkim
Socket              inet:11025@localhost
AlwaysAddARHeader yes
SoftwareHeader yes
ReportAddress "DKIM Error Postmaster" <[email protected]>
ReportBccAddress [email protected]
SendReports yes

Add OpenDKIM port to services

vi /etc/services
opendkim        11025/tcp

Create a system directory

mkdir -p /etc/opendkim/keys

Trusted hosts

vi /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.0.0/24

*.domain.xx
*.domain.yy

Key table

vi /etc/opendkim/KeyTable
mail._domainkey.domain.xx domain.xx:mail:/etc/opendkim/keys/domain.xx/mail.private
mail._domainkey.domain.yy domain.yy:mail:/etc/opendkim/keys/domain.yy/mail.private

Signing table

vi /etc/opendkim/SigningTable
*@domain.xx mail._domainkey.domain.xx
*@domain.yy mail._domainkey.domain.yy

Generate the keys

cd /etc/opendkim/keys

mkdir domain.xx
mkdir domain.yy
cd domain.xx
opendkim-genkey -s mail -d domain.xx

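Change the owner of the private key (repeat the key generation and this step in the domain.yy directory, using -d domain.yy, so the second KeyTable entry has a key to load)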

chown opendkim:opendkim mail.private

Configure nameserver

Add the TXT record from the public key file (mail.txt) to the DNS zone of the domain.

cat mail.txt
mail._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUmmgVQvIwAqEPBPebMs7MV3+FshNKg+WtCz4Uwei4bQyfaeZ+R/ZLguaw7QehTMLrLL9R5OwzL/YJto3SEKS8ET9Zt9f4wgE+SdIvdl9rtjw516x9WQ9hykBZTS7C4ZYAWJUPICUXOFRtjVOzZb7eI7B3KFugyKMwAcnVxr0cyQIDAQAB" )  ; ----- DKIM key mail for domain.xx

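Before publishing the record, it is worth checking what it contains. The following is an added example, not part of the original page: it parses the mail.txt record shown above, decodes the p= value and reports the RSA modulus size. The function names are hypothetical, and the 2048-bit threshold is an assumed policy that follows the RFC 8301 recommendation for signers.

```python
import base64
import re

# mail.txt exactly as printed on this page (quoted chunks inside parentheses).
MAIL_TXT = '''mail._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUmmgVQvIwAqEPBPebMs7MV3+FshNKg+WtCz4Uwei4bQyfaeZ+R/ZLguaw7QehTMLrLL9R5OwzL/YJto3SEKS8ET9Zt9f4wgE+SdIvdl9rtjw516x9WQ9hykBZTS7C4ZYAWJUPICUXOFRtjVOzZb7eI7B3KFugyKMwAcnVxr0cyQIDAQAB" )  ; ----- DKIM key mail for domain.xx'''

def parse_tags(zone_record):
    """Join the quoted chunks of a zone-file TXT record and split the tag list."""
    value = "".join(re.findall(r'"([^"]*)"', zone_record))
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def read_tlv(buf, pos):
    """Read one DER element at pos; return (content, next_pos)."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length

def rsa_key_bits(p_b64):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo."""
    spki, _ = read_tlv(base64.b64decode(p_b64, validate=True), 0)
    _, pos = read_tlv(spki, 0)          # skip AlgorithmIdentifier
    bitstr, _ = read_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    rsa_seq, _ = read_tlv(bitstr, 1)    # byte 0 is the unused-bits count
    modulus, _ = read_tlv(rsa_seq, 0)   # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

# min_bits=2048 is this example's assumed policy threshold.
def check_record(zone_record, min_bits=2048):
    """Return (tags, key_bits, problems) for one DKIM key record."""
    tags, problems = parse_tags(zone_record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= tag")
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return tags, None, problems + ["no RSA key to measure"]
    bits = rsa_key_bits(tags["p"])
    if bits < min_bits:
        problems.append(f"RSA key is {bits} bits, below {min_bits}")
    return tags, bits, problems
```

Calling check_record(MAIL_TXT) reports the key above as 1024 bits. opendkim-genkey accepts -b 2048 to generate a larger key, whose p= value is then split across more than one quoted string in mail.txt.
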
Connect the milter to Postfix

vi /etc/default/opendkim
SOCKET="inet:11025@localhost"

Configure postfix to use this milter

vi /etc/postfix/main.cf
#milter_protocol = 2
#milter_default_action = accept

smtpd_milters = inet:localhost:11025
non_smtpd_milters = inet:localhost:11025

Restart Postfix and OpenDKIM

service postfix restart && service opendkim restart

Congratulations! DKIM is now configured and running. Check that OpenDKIM and Postfix are listening:

netstat -pat|grep "smtp\|opendkim"

tcp        0      0 localhost:opendkim      *:*                  LISTEN      29756/opendkim  
tcp        0      0 *:smtps                 *:*                  LISTEN      29734/master    
tcp        0      0 *:smtp                  *:*                  LISTEN      29734/master    
tcp6       0      0 [::]:smtps              [::]:*               LISTEN      29734/master    
tcp6       0      0 [::]:smtp               [::]:*               LISTEN      29734/master

Test DKIM

Send a test email to [email protected], where myname=yourdomain.xx is the address where you want the report sent ([email protected]).

Navigate to mxtoolbox.com, enter your domain followed by the selector, and press DKIM lookup. In our example, the selector is mail.

DMARC

Don’t forget to configure a DMARC RR as well!
