It was pointed out that I neglected to include DKIM signing in this tutorial as I promised in a previous post. Let’s fix this oversight now.
Since we already have a mail server up and running, we can easily sign our outgoing messages with DKIM to help prevent forged messages and authenticate legitimate ones. For more information on DKIM, look here.
Before we get started, make sure you can edit the DNS records for your domain. We will need to add a TXT record a little later to make DKIM work.
First let’s install OpenDKIM: 
apt-get install opendkim opendkim-tools
To configure OpenDKIM, first we’ll edit
Syslog yes Domain example.com KeyFile /etc/opendkim/110414.private Selector 110414 AutoRestart yes Background yes Canonicalization relaxed/relaxed DNSTimeout 5 Mode sv SignatureAlgorithm rsa-sha256 SubDomains no X-Header no
You can make the Selector line anything you like. I prefer to make it the date I generated the DKIM key, that way it it’s easier to change later. Some people make it “mail” or the name of their company or organization.
/etc/default/opendkim and add/edit/uncomment the following line (making sure it is the only uncommented line):
SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891
Next we tell Postfix to use OpenDKIM. Edit
/etc/postfix/main.cf and add the following lines:
# DKIM milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
Now we can create our DKIM keys. Make note of what you made your Selector and run the following using your own domain name:
cd /etc/opendkim opendkim-genkey -b 2048 -s <your Selector, e.g. 110414> -d <your domain name, e.g. example.com>
You should now have two files, using this example you would have
110414.txt contains the information we need to add to DNS. If we take a look at this file:
It will look something like this:
110414._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAseOojDHSzB3fCGLnsa5Y7Aa4igCK3PQK4DdzJSzWZ7hLSvskX0ndy5OuKLvkOE24b2f6ncpQqqG5xgimZFzSErNk2zintigQcw3Be1e2sOjP+yswxe3pHLXC7C1PMXuOc7Xtr26h57V5+ChIzbkrbnp1y7bfRwH01OxxRaBm+UjyU28zLVZdvGIyW38CDtd3NC+deXmZRlX8Ux" "zf4ZHf/BSih0ZZaFbo9sBei96JIIzGTqQZEWCUTSMkzZsKcHOQLs8L+r5eYwDwpxdVtFByzgrN56WVB7IYMhDByVOGntJLQ1vRMbfg6RcA9Ezv7dsCndkXGWWcEb9KISOO1ozTwwIDAQAB" ) ; ----- DKIM key 110414 for example.com
You will need to add this as a TXT record for your domain. The steps for doing this will differ depending on who is hosting your DNS. The basics are, you need to add a TXT record for
<your Selector>._domainkey.example.com containing everything between the two brackets.
Head over to DKIMCore to test your DNS record and make sure it is configured properly.
Once your public key is installed in DNS and verified with DKIMCore, we can restart OpenDKIM and Postfix:
service opendkim restart service postfix restart
Now send yourself a test email. If you take a look at the headers of your message, you should see something similar to:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=110414; t=1415142449; bh=t2OTK1f3BCnxdQW7LVf81uHqulsjZAP9q/Ux4XDzhVw=; h=Subject:From:To:Date; b=lYLG1d6AeiQrVs0+/9rH2wdcjOWY0yeduy3dCI2QKuwIgSvM+ZEERlwEg5BIRDGB8 I98SsfPLWnlAVmOmZFwQmS7t1SoD4bxhoNx6EEoYU+pNRVrLZW2j4BIZsZUI9PHmNf HBvJJwpd8bnC8T9uVr/ho8iiEapqZlJ0Kx+NXTe3ZqtLU0CcmhHnobn/Fi6M1Nd4h0 rh8dzdvxRk+JSMDBEfzHUe3xZGWEunaQ6RFbNDf27tpOgL5G6Y0tT+9VnwV/eYx2MX h71YSa1nnY7/vIDyIGXJTw3ZXchYUgxipSW4ikNV/5u7XkVdaTz2zXf0bvNi4oq6ui jf06o7WRkgbew==
If you see more than one signature on your message, you can fix this by editing
/etc/postfix/master.cf. Find the line:
smtp inet n - - - - smtpd
and add or append:
If you followed my previous tutorial installing SpamAssassian, these lines would now look like this:
smtp inet n - - - - smtpd -o content_filter=spamassassin -o receive_override_options=no_milters
Remember to leave a space before
Now we can test to make sure DKIM signing is working for the outside world. The folks over at Port25 have a great tool for testing DKIM signatures. Simply send an email to
firstname.lastname@example.org and wait for their response.
You should see this in their reply:
========================================================== Summary of Results ========================================================== SPF check: pass DomainKeys check: neutral DKIM check: pass Sender-ID check: pass SpamAssassin check: ham