SMTP – DKIM with Postfix

The first email server I configured with DKIM was a Postfix server with Rspamd, hence the previous post about this.

But soon I also needed this mechanism on a server running Postfix only, with no Rspamd involved. It needs a little more work, but following this guide will get you there.

I’ll make a special note about the key later on, but make sure you copy and paste the exact key, or it won’t work.

Update: after some more testing, I’ve completely rewritten this post. This works 100%.

When Postfix is already up and running as a localhost, SMTP-only server, we can get DKIM going relatively fast as well. Follow these steps.

# apt install opendkim opendkim-tools
# mkdir /etc/opendkim
# opendkim-genkey -t -D /etc/dkimkeys -r -s mail -d yourdomain.com
# cd /etc/dkimkeys
# mv mail.private yourdomain.com.private
# mv mail.txt yourdomain.com.txt
# chown -R opendkim:opendkim /etc/dkimkeys
# chmod -R go-rw /etc/dkimkeys

This installs the software, creates and renames the keys, and sets the proper permissions.

Next, the main configuration file /etc/opendkim.conf should have these lines present and uncommented:

Syslog yes
UMask 007
KeyTable /etc/opendkim/keytable
SigningTable refile:/etc/opendkim/signingtable
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim

Create /etc/opendkim/keytable and put your domain information in it:

mailkey yourdomain.com:mail:/etc/dkimkeys/yourdomain.com.private

Create /etc/opendkim/signingtable and also put the correct information in it:

*@yourdomain.com mailkey

We have to create the socket directory referenced in opendkim.conf:

# mkdir -p /var/spool/postfix/var/run/opendkim/
# cd /var/spool/postfix/var/run/
# chgrp opendkim opendkim/
# chmod g=rwx opendkim/

Then restart the service so that the socket gets created, and verify it is there:

# systemctl restart opendkim
# ls -al /var/spool/postfix/var/run/opendkim/

Now we have to get Postfix ready. Add the postfix user to the opendkim group so it can reach the socket:

# adduser postfix opendkim

Add this to the bottom of the /etc/postfix/main.cf file:

# DKIM config
milter_default_action = accept
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Reload Postfix so it picks up the new milter settings:

# systemctl reload postfix

Now, finally, look at your key in /etc/dkimkeys/yourdomain.com.txt and add it, without the quotes, to your DNS:

mail._domainkey TXT v=DKIM1; h=sha256; k=rsa; t=y; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvEwnQzOB3bGmjyF8iRSlX/mPOoXZIc4cgakVv6zoyHE99WzoXMr/7KwQmZ7/JU97PnvvZzR1RHXv5+esITfckzcC1a4Q+Ht6ulHl7BInRxyIIvNopmH3HgPx83zPmNErYcKF8HjCQpZJleKcXOErTFHTtLjGIYA1UPzZP0W1XoipAGQocCmOLEK91TnC8WS0PXbvpZKosvj4ncIaxg59VkeZyLmuAmnRaO2k0XaMc6Y6XlIKKAgerf2TurFNiHmvI9VZYYF9pA19gzVOhHcVvvXNVYwRdhgWyT2RvOc+9DtiLyJ5bUM6+CzH7eVNWKNBmxhzfKH9XFsiaJBOqRJzuQIDAQAB

When /etc/dkimkeys/yourdomain.com.txt splits the key over two quoted parts (“key1” on one line, “key2” on the next), you MUST join them into one single string in your DNS record, or else the key looks OK but isn’t!
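As an added check (example code, not from the original post), the small Python script below joins the quoted parts of the opendkim-genkey .txt file into the one TXT value and sanity-checks it: it verifies the v= tag, that p= is valid base64, and that the decoded DER length matches, which is exactly what fails when only half of the key was pasted. The sample record and the key bytes in it are constructed placeholders, not a real key.

```python
import base64
import re

# Constructed stand-in for /etc/dkimkeys/yourdomain.com.txt as opendkim-genkey
# writes it: p= is split over two quoted strings. The key bytes are a
# placeholder DER SEQUENCE with a correct length field, not a real RSA key.
FAKE_DER = b"\x30\x82\x01\x05" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; s=email; "\n'
    f'\t  "p={FAKE_B64[:200]}"\n'
    f'\t  "{FAKE_B64[200:]}" )  ; ----- DKIM key mail for yourdomain.com\n'
)
T_WARNING = "warning: t=y set, domain is still in DKIM testing mode"

def dns_txt_value(mail_txt: str) -> str:
    """Join every quoted string of the zone-file record into one TXT value."""
    return "".join(re.findall(r'"([^"]*)"', mail_txt))

def parse_tags(value: str) -> dict:
    """Split 'k=v; k=v' into a dict; base64 never contains ';'."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in value.split(";") if "=" in p)}

def der_length_ok(der: bytes) -> bool:
    """Outer SEQUENCE length must cover every byte; a half-pasted p= fails."""
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        return False
    return int.from_bytes(der[2:4], "big") + 4 == len(der)

def check_dkim_record(value: str) -> list:
    """Return problems found in a DKIM TXT value; [] means it looks sane."""
    problems = []
    tags = parse_tags(value)
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v= tag")
    p = tags.get("p", "")
    try:
        der = base64.b64decode(p, validate=True) if p else b""
    except ValueError:
        problems.append("p= is not valid base64")
    else:
        if not der:
            problems.append("empty p= (record revokes the key)")
        elif not der_length_ok(der):
            problems.append("p= is truncated: were both quoted parts combined?")
    if tags.get("t") == "y":
        problems.append(T_WARNING)
    return problems
```

Run dns_txt_value() on your own .txt file and paste its output into the TXT record; check_dkim_record() on the value you actually published (e.g. from dig) tells you whether both halves made it in.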

Then, once the DNS has propagated, you can check your config with the command below:

# opendkim-testkey -d yourdomain.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.yourdomain.com'
opendkim-testkey: key secure
opendkim-testkey: key OK

You can also simply send a message from this server/domain and check the headers in your mail client.

Complete series: Backscatter check, DMARC, SPF, DKIM with Postfix, DKIM with Postfix and Rspamd, DKIM with DirectAdmin and Exim, and SMTP checks.
