About

DomainKeys Identified Mail (DKIM) allows the receiver of an e-mail to verify that the message was sent by the sending domain. Furthermore, DKIM also lets the receiver determine whether the e-mail was tampered with in transit between MTAs. Compared to, say, Pretty Good Privacy (PGP), DKIM is a solution that covers the communication between MTAs rather than between individuals. This tutorial covers installing and configuring OpenDKIM to work with the Postfix MTA.

Requirements

On Debian-like systems, two packages have to be installed:

  • opendkim
  • opendkim-tools

which can be accomplished with:

aptitude install opendkim opendkim-tools

Generating Keys

To generate keys for your domain, issue:

opendkim-genkey -t -s mail -d domain.net

where:

  • domain.net is the domain to generate the key for and should be replaced by your domain,
  • mail, passed to -s, is the selector: the label under which the public key is published in DNS (mail._domainkey.domain.net),
  • -t marks the key as being in testing mode (the generated DNS record carries t=y), which tells verifiers not to treat a message from the domain differently from unsigned e-mail; drop the flag once everything works.

The command will generate two files:

  • mail.private, the private key
  • mail.txt, the corresponding public key, laid out as a DNS TXT record.

For consistency, you can move these two files into the Postfix directory:

mv mail.private mail.txt /etc/postfix/

Creating the DNS TXT Record

Taking a look at mail.txt, the output of the generator is a bit unconventional. If you run your own DNS server, you will have to edit the content a little so that it becomes a single record in the standard zone file format:

mail._domainkey    IN    TXT    "v=DKIM1; k=rsa; g=*; p=z2ucTITz1/PKL/OAYQ..."

since the quotes in the generated file do not come out balanced as one record.
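The clean-up described above, as an added example that is not part of the original page: it joins the quoted fragments of a generated mail.txt into one record value and then checks the tags a verifier cares about (v, k, p and the t=y testing flag). The sample file contents and the key material are constructed and truncated for the example.

```python
import base64
import binascii
import re

# Constructed sample in the layout opendkim-genkey writes to mail.txt:
# the value is split into several quoted fragments inside parentheses.
# The key bytes are made up and shortened; they are not a real key.
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7AbCD" )'
    '  ; ----- DKIM key mail for domain.net\n'
)

def flatten_record(text):
    """Return (owner, value): the quoted fragments joined into one string,
    ready to paste as a single-line zone entry or into a DNS console."""
    owner = text.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', text))
    return owner, value

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (RFC 6376 syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_record(value):
    """Return the problems a verifier would trip over; empty if none."""
    tags = parse_tags(value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, but if present must be DKIM1
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type " + tags["k"])
    p = tags.get("p")
    if p is None:
        problems.append("p (public key) missing")
    elif p == "":
        problems.append("p is empty: this selector is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if not der.startswith(b"\x30"):   # DER SubjectPublicKeyInfo is a SEQUENCE
                problems.append("p does not decode to a DER public key")
        except binascii.Error:
            problems.append("p is not valid base64")
    if "y" in tags.get("t", "").split(":"):   # flag set by opendkim-genkey -t
        problems.append("t=y: key is in testing mode")
    return problems
```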

Setting-up Author Domain Signing Practices

While we are here, let us add another record that helps a verifier decide whether it should expect e-mail with a From: address in this domain to be signed (Author Domain Signing Practices). Add another TXT record:

_adsp._domainkey    IN    TXT    "dkim=discardable"

where discardable is the signing practice. Three such practices are possible:

  • unknown means that the domain might sign some, most or all e-mail.
  • all means that all e-mail is signed.
  • discardable says that all e-mail from the domain is signed and if such a signature is missing or invalid, then the e-mail should be dropped (silently discarded).

Configuring OpenDKIM

To configure OpenDKIM, open up the file /etc/opendkim.conf and locate the lines:

Domain                 domain.net
KeyFile                /etc/postfix/mail.private
Selector               mail

and change them accordingly:

  • domain.net should be changed to the domain of your e-mail server,
  • /etc/postfix/mail.private is the private key file generated in the previous sections with opendkim-genkey,
  • mail should be set to the value passed to the -s parameter when opendkim-genkey was run in the previous sections.

You can add some other useful settings, for example:

# Whether the filter should restart itself automatically if it crashes
AutoRestart             yes
# Whether the filter should run in the background
Background              yes
# The canonicalizations to use when signing e-mails (simple or relaxed).
Canonicalization        relaxed/relaxed

After that, the file /etc/default/opendkim must be used to set up the socket on which OpenDKIM listens in order to talk to Postfix. Add a line to /etc/default/opendkim like:

SOCKET="inet:9475@localhost"

where:

  • 9475 is the port that OpenDKIM will listen on,
  • localhost is the IP address or host name that OpenDKIM will listen on.

Configuring Postfix

Now we have to configure Postfix to use the milter, by editing /etc/postfix/main.cf and adding the lines:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:9475
non_smtpd_milters = inet:localhost:9475

- n.b. you can chain other milters by separating them with a comma.
- n.b. milter_default_action = accept means that if OpenDKIM is unreachable, Postfix still accepts and delivers the mail, just unsigned; tempfail would defer it instead.

Testing

Two tools are useful for testing:

  • DKIMCore, where you can check a published DKIM Core key: it performs a DNS lookup and determines whether the TXT record is set up correctly.
  • Send an e-mail to autorespond+dkim@dk.elandsys.com, which should reply with a report telling you whether DKIM is set up successfully.

networking/postfix/domain_keys_identified_mail.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1
