Getting DKIM working

I used these two sites to figure out how to get DKIM working:

https://wiki.debian.org/opendkim

https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

Install opendkim and opendkim-tools

cd /etc/dkimkeys

opendkim-genkey -t -s mail -d technomancer.com

Edit /etc/opendkim.conf:

Domain technomancer.com
KeyFile /etc/dkimkeys/mail.private
Selector mail
 
Socket local:/var/spool/postfix/opendkim/opendkim.sock
 
# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered an internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

The socket needs to be in /var/spool/postfix as postfix runs chrooted from there.

Add the postfix user to the opendkim group:

adduser postfix opendkim

Edit /etc/postfix/main.cf and add:

milter_default_action = accept
smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Notice that the socket path here omits the /var/spool/postfix prefix, because that directory is the "root" of the chrooted postfix process.

Create the file /etc/dkimkeys/keytable:

mail._domainkey.technomancer.com technomancer.com:mail:/etc/dkimkeys/mail.private

Create the file /etc/dkimkeys/signingtable:

# Domain technomancer.com
*@technomancer.com mail._domainkey.technomancer.com
# You can specify multiple domains
# Example.net www._domainkey.technomancer.net

Create the file /etc/dkimkeys/trustedhosts and add the list of IPs and subnets that you consider trusted:

127.0.0.1
192.168.1.0/24

Set the appropriate ownership and group:

chown opendkim:opendkim /etc/dkimkeys/*

Add the contents of /etc/dkimkeys/mail.txt to the technomancer.com zone file (it’s a TXT record), increase the serial, and reload the zone.

Restart the opendkim and postfix services.
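Before restarting, it is worth checking that the pieces above agree with each other: the chroot-relative milter path in main.cf must resolve to the socket opendkim opens, every signingtable entry must name a key that exists in the keytable, and the record published in DNS must carry v=DKIM1 and p= (and, since the key was generated with -t, it will carry t=y until that flag is removed). The checker below is an added example, not code from the original post or from the OpenDKIM project; the file contents it embeds are constructed to mirror the files above, with placeholder key material.

```python
import re
# Constructed sample inputs mirroring the files above; the p= key material is a placeholder.
OPENDKIM_CONF = """Domain technomancer.com
Selector mail
Socket local:/var/spool/postfix/opendkim/opendkim.sock
KeyTable file:/etc/dkimkeys/keytable
"""
MAIN_CF = """milter_default_action = accept
smtpd_milters = unix:/opendkim/opendkim.sock
"""
KEYTABLE = "mail._domainkey.technomancer.com technomancer.com:mail:/etc/dkimkeys/mail.private\n"
SIGNINGTABLE = "# Domain technomancer.com\n*@technomancer.com mail._domainkey.technomancer.com\n"
# Shape of the record opendkim-genkey -t writes to mail.txt (t=y marks testing mode).
MAIL_TXT = 'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; " "p=PLACEHOLDERKEY" )'

def _setting(conf, name):
    """Value of `name` from a 'Key value' (opendkim.conf) or 'key = value' (main.cf) file."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition("=") if "=" in line else line.partition(" ")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def _table(text):
    """Two-column OpenDKIM table (keytable/signingtable) as (name, value) pairs."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [(r[0], r[1]) for r in rows if len(r) >= 2]

def dkim_txt_tags(record_line):
    """Join the quoted fragments of a TXT record and return its tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', record_line))
    return dict(t.strip().split("=", 1) for t in joined.split(";") if "=" in t)

def check_setup(opendkim_conf, main_cf, keytable, signingtable, mail_txt,
                chroot="/var/spool/postfix"):
    """Return a list of problems; an empty list means the pieces agree with each other."""
    problems = []
    sock = re.sub(r"^local:", "", _setting(opendkim_conf, "Socket") or "")
    milter = re.sub(r"^unix:", "", _setting(main_cf, "smtpd_milters") or "")
    if chroot + milter != sock:  # postfix resolves its milter path inside the chroot
        problems.append(f"socket mismatch: postfix opens {chroot}{milter}, opendkim listens on {sock}")
    known = {name for name, _ in _table(keytable)}
    for pattern, keyname in _table(signingtable):
        if keyname not in known:
            problems.append(f"signingtable maps {pattern} to unknown key {keyname}")
    tags = dkim_txt_tags(mail_txt)
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        problems.append("DNS record lacks v=DKIM1 or p=")
    if "y" in tags.get("t", ""):
        problems.append("DNS record carries t=y (testing mode from genkey -t); drop it once verified")
    return problems
```

Run against the sample files the only finding is the t=y flag; feed it the real files (and the TXT record as served by DNS) to catch the chroot path mistake described above before restarting the services.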
