About

DomainKeys Identified Mail (DKIM) allows the receiver of an e-mail to verify that the message was sent by the sending domain. DKIM also lets the receiver determine whether the e-mail was tampered with while passing between MTAs. Unlike, say, Pretty Good Privacy (PGP), DKIM covers the communication between MTAs rather than between individuals. This tutorial covers installing and configuring OpenDKIM to work with the Postfix MTA.

Requirements

On Debian-like systems, two packages have to be installed:

which can be accomplished with:

aptitude install opendkim opendkim-tools

Generating Keys

To generate keys for your domain, issue:

opendkim-genkey -t -s mail -d domain.net

where:

The command will generate two files:

For consistency, you can move these two files into the Postfix directory:

mv mail.private mail.txt /etc/postfix/

Creating the DNS TXT Record

Taking a look at mail.txt, the output of the generator is a bit unconventional. If you run a DNS server then you will have to edit the content a little to match the standard DNS format:

mail._domainkey    IN    TXT    "v=DKIM1; k=rsa; g=*; p=z2ucTITz1/PKL/OAYQ..."

since the tool seems to generate unbalanced quotes.
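
A pre-publication check for the record, as an added example that is not part of the original tutorial or of OpenDKIM: it joins the quoted strings from the generator output, validates the tags, and rebuilds the entry in zone-file form. The function names and the sample record (with a placeholder p= value) are constructed for illustration.

```python
import base64
import re

# Constructed sample in the split-string layout; the p= value is a placeholder, not a real key.
SAMPLE = '''mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
    "p=QUJDREVGR0hJSktMTU5PUA==" )  ; ----- DKIM key mail for domain.net'''


def parse_dkim_record(zone_text):
    """Return (owner, tags) from a zone-file TXT entry, joining split strings."""
    owner = zone_text.split()[0]
    # Only text inside balanced double quotes is record data.
    value = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return owner, tags


def check_dkim_record(zone_text):
    """List findings to resolve (or consciously accept) before publishing."""
    problems = []
    if zone_text.count('"') % 2:
        problems.append("unbalanced quotes")
    owner, tags = parse_dkim_record(zone_text)
    if "._domainkey" not in owner:
        problems.append("owner name is not <selector>._domainkey")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= is empty: no usable public key")
    except ValueError:
        problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: record is flagged as DKIM testing mode")
    return problems


def to_zone_line(zone_text):
    """Rebuild the entry in standard zone-file form with balanced quotes."""
    owner, tags = parse_dkim_record(zone_text)
    value = "; ".join(f"{k}={v}" for k, v in tags.items())
    # One TXT character-string holds at most 255 bytes, so longer keys are split.
    parts = [value[i:i + 255] for i in range(0, len(value), 255)]
    quoted = " ".join(f'"{p}"' for p in parts)
    return f"{owner}    IN    TXT    " + (quoted if len(parts) == 1 else f"( {quoted} )")
```

Run check_dkim_record() on the contents of mail.txt before pasting it into the zone, and again on the output of to_zone_line(); an empty list means none of the checks above fired.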

Setting Up Author Domain Signing Practices

Since we are here, let us add another record that should help the verifier determine whether it should expect e-mail with the From: address to be signed. Add another TXT record:

_adsp._domainkey    IN    TXT    "dkim=discardable"

where discardable is the signing practice. Three such practices are possible:

Configuring OpenDKIM

To configure OpenDKIM, open up the file /etc/opendkim.conf and locate the lines:

Domain                 domain.net
KeyFile                /etc/postfix/mail.private
Selector               mail

and change them accordingly:

You can add some other useful settings, for example:

# Whether the filter should restart itself automatically if it crashes
AutoRestart             yes
# Whether the filter should run in the background
Background              yes
# The canonicalizations to use when signing e-mails (simple or relaxed).
Canonicalization        relaxed/relaxed

After that, use the /etc/default/opendkim file to set up the socket on which opendkim will listen in order to talk to Postfix. You will need to add a line to /etc/default/opendkim like:

SOCKET="inet:9475@localhost"

where:

Configuring Postfix

Now we have to configure Postfix to use the milter by editing /etc/postfix/main.cf and adding the lines:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:9475
non_smtpd_milters = inet:localhost:9475

- n.b. you can chain other milters by separating them with a comma.

Testing

Two known tools are good for testing: