Adding DKIM Signing Into the Mix

It was pointed out that I neglected to include DKIM signing in this tutorial as I promised in a previous post. Let’s fix this oversight now.

Since we already have a mail server up and running, we can easily sign our outgoing messages with DKIM so that receiving servers can verify that mail claiming to come from our domain was really sent by our server and was not altered in transit. For more information on DKIM, look here.

Before we get started, make sure you can edit the DNS records for your domain. We will need to add a TXT record a little later to make DKIM work.

First let’s install OpenDKIM: [1]

apt-get install opendkim opendkim-tools

To configure OpenDKIM, first we’ll edit /etc/opendkim.conf:

Syslog                  yes

Domain                  example.com
KeyFile                 /etc/opendkim/110414.private
Selector                110414

AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
X-Header                no

You can make the Selector line anything you like. I prefer to make it the date I generated the DKIM key; that way it’s easier to tell keys apart and rotate them later, since the selector is what appears in the DNS record name and in the s= tag of each signature. Some people make it “mail” or the name of their company or organization.

Edit /etc/default/opendkim and add/edit/uncomment the following line (making sure it is the only uncommented SOCKET line):

SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891

Next we tell Postfix to use OpenDKIM. Edit /etc/postfix/main.cf and add the following lines:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Now we can create our DKIM keys. Using the Selector you chose above and your own domain name, run the following:

cd /etc/opendkim
opendkim-genkey -b 2048 -s <your Selector, e.g. 110414> -d <your domain name, e.g. example.com>

You should now have two files. Using this example, they would be 110414.txt (the public key, formatted as a DNS record) and 110414.private (the private key, which must stay readable only by OpenDKIM).

110414.txt contains the information we need to add to DNS. If we take a look at this file:

cat 110414.txt

It will look something like this:

110414._domainkey       IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAseOojDHSzB3fCGLnsa5Y7Aa4igCK3PQK4DdzJSzWZ7hLSvskX0ndy5OuKLvkOE24b2f6ncpQqqG5xgimZFzSErNk2zintigQcw3Be1e2sOjP+yswxe3pHLXC7C1PMXuOc7Xtr26h57V5+ChIzbkrbnp1y7bfRwH01OxxRaBm+UjyU28zLVZdvGIyW38CDtd3NC+deXmZRlX8Ux"
          "zf4ZHf/BSih0ZZaFbo9sBei96JIIzGTqQZEWCUTSMkzZsKcHOQLs8L+r5eYwDwpxdVtFByzgrN56WVB7IYMhDByVOGntJLQ1vRMbfg6RcA9Ezv7dsCndkXGWWcEb9KISOO1ozTwwIDAQAB" )  ; ----- DKIM key 110414 for example.com

You will need to add this as a TXT record for your domain. The steps for doing this will differ depending on who is hosting your DNS. The basics are: add a TXT record named <your Selector>._domainkey.example.com whose value is everything between the two parentheses, i.e. the quoted strings joined together into one value (v=DKIM1; k=rsa; p=...) without the surrounding quotes. The file splits the key into several quoted chunks only because of DNS string-length limits; most DNS providers accept the whole value as one string.

Head over to DKIMCore to test your DNS record and make sure it is configured properly.
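As an added example (not code from the original post), here is a small Python check of that DNS step: it flattens the quoted chunks in the genkey .txt file into the single TXT value, sanity-checks the v=, k= and p= tags, and compares the value against what `dig +short TXT <selector>._domainkey.<domain>` returns. The key file and dig output below are constructed samples, with p= shortened to a non-functional key prefix.

```python
import base64
import re

# Constructed sample in the layout opendkim-genkey writes to <selector>.txt.
# The p= value is shortened to the standard RSA SPKI prefix; it is not a real key.
GENKEY_TXT = '''110414._domainkey  IN  TXT  ( "v=DKIM1; k=rsa; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
  "MIIBCgKCAQEA" )  ; ----- DKIM key 110414 for example.com
'''

# Constructed sample of what `dig +short TXT 110414._domainkey.example.com` prints once published.
DIG_OUTPUT = '"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'

def join_txt_strings(text: str) -> str:
    """A TXT record is a list of quoted strings; the DKIM value is their concatenation."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_genkey_txt(text: str, domain: str):
    """Return (fully qualified record name, flat TXT value) from a genkey .txt file."""
    owner = text.split()[0]                      # e.g. 110414._domainkey
    return f"{owner}.{domain}", join_txt_strings(text)

def dkim_record_tags(value: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dictionary (whitespace inside values dropped)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            tag, val = item.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_published_record(genkey_text: str, domain: str, dig_text: str) -> list:
    """Return the problems found; an empty list means the DNS answer matches the generated key."""
    _, expected = parse_genkey_txt(genkey_text, domain)
    tags = dkim_record_tags(expected)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type " + tags["k"])
    try:  # p= must be valid base64 whose DER starts with a SEQUENCE (0x30)
        if not base64.b64decode(tags.get("p", ""), validate=True).startswith(b"\x30"):
            problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    except ValueError:
        problems.append("p= is not valid base64")
    if dkim_record_tags(join_txt_strings(dig_text)) != tags:
        problems.append("DNS answer does not match the generated key")
    return problems
```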

Once your public key is installed in DNS and verified with DKIMCore, we can restart OpenDKIM and Postfix:

service opendkim restart
service postfix restart

Now send yourself a test email. If you take a look at the headers of your message, you should see something similar to:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=110414;
	t=1415142449; bh=t2OTK1f3BCnxdQW7LVf81uHqulsjZAP9q/Ux4XDzhVw=;
	h=Subject:From:To:Date;
	b=lYLG1d6AeiQrVs0+/9rH2wdcjOWY0yeduy3dCI2QKuwIgSvM+ZEERlwEg5BIRDGB8
	 I98SsfPLWnlAVmOmZFwQmS7t1SoD4bxhoNx6EEoYU+pNRVrLZW2j4BIZsZUI9PHmNf
	 HBvJJwpd8bnC8T9uVr/ho8iiEapqZlJ0Kx+NXTe3ZqtLU0CcmhHnobn/Fi6M1Nd4h0
	 rh8dzdvxRk+JSMDBEfzHUe3xZGWEunaQ6RFbNDf27tpOgL5G6Y0tT+9VnwV/eYx2MX
	 h71YSa1nnY7/vIDyIGXJTw3ZXchYUgxipSW4ikNV/5u7XkVdaTz2zXf0bvNi4oq6ui
	 jf06o7WRkgbew==
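As an added example (not part of the original post), the following Python parses the DKIM-Signature header above and recomputes the bh= body hash using the relaxed body canonicalization that the c=relaxed/relaxed setting selects; if bh= does not match the body you received, the body was changed after signing. It checks only the body hash, since verifying b= needs the public key from DNS; the sample body inputs in the test are constructed.

```python
import base64
import hashlib
import re

# Value of the DKIM-Signature header from the tutorial's test message (folded lines kept).
# b= is the RSA signature over the headers; bh= can be recomputed from the body alone.
DKIM_SIGNATURE = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=110414;
    t=1415142449; bh=t2OTK1f3BCnxdQW7LVf81uHqulsjZAP9q/Ux4XDzhVw=;
    h=Subject:From:To:Date;
    b=lYLG1d6AeiQrVs0+/9rH2wdcjOWY0yeduy3dCI2QKuwIgSvM+ZEERlwEg5BIRDGB8
     I98SsfPLWnlAVmOmZFwQmS7t1SoD4bxhoNx6EEoYU+pNRVrLZW2j4BIZsZUI9PHmNf
     HBvJJwpd8bnC8T9uVr/ho8iiEapqZlJ0Kx+NXTe3ZqtLU0CcmhHnobn/Fi6M1Nd4h0
     rh8dzdvxRk+JSMDBEfzHUe3xZGWEunaQ6RFbNDf27tpOgL5G6Y0tT+9VnwV/eYx2MX
     h71YSa1nnY7/vIDyIGXJTw3ZXchYUgxipSW4ikNV/5u7XkVdaTz2zXf0bvNi4oq6ui
     jf06o7WRkgbew=="""

def parse_dkim_signature(header: str) -> dict:
    """Unfold the header and split it into tag=value pairs (RFC 6376 tag-list syntax)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    tags = {}
    for item in unfolded.split(";"):
        if "=" in item:
            tag, val = item.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)   # folding whitespace in values is ignored
    return tags

def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4)."""
    lines = []
    for raw in body.replace(b"\r\n", b"\n").split(b"\n"):
        lines.append(re.sub(rb"[ \t]+", b" ", raw).rstrip(b" \t"))  # collapse WSP runs, drop trailing WSP
    while lines and lines[-1] == b"":                                # ignore empty lines at the end
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body (a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(header: str, body: bytes) -> bool:
    """True if bh= was computed over this body (only relaxed body canonicalization is implemented)."""
    tags = parse_dkim_signature(header)
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"          # c=relaxed alone means header only
    return body_canon == "relaxed" and tags.get("bh") == body_hash(body)
```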

If you see more than one signature on your message (this happens when a content filter such as SpamAssassin re-injects the message into Postfix, so it passes through the milter a second time), you can fix this by editing /etc/postfix/master.cf. Find the line:

smtp      inet  n       -       -       -       -       smtpd

and add or append:

 -o receive_override_options=no_milters

If you followed my previous tutorial installing SpamAssassin, these lines would now look like this:

smtp      inet  n       -       -       -       -       smtpd
 -o content_filter=spamassassin
 -o receive_override_options=no_milters

Remember to leave a space before -o!

Now we can test to make sure DKIM signing is working for the outside world. The folks over at Port25 have a great tool for testing DKIM signatures. Simply send an email to check-auth@verifier.port25.com and wait for their response.

You should see this in their reply:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

References:
1. https://help.ubuntu.com/community/Postfix/DKIM
