Getting DKIM working

I used these two sites to figure out how to get DKIM working:

Install opendkim and opendkim-tools

cd /etc/dkimkeys

opendkim-genkey -t -s mail -d

Edit /etc/opendkim.conf:

KeyFile /etc/dkimkeys/mail.private
Selector mail
Socket local:/var/spool/postfix/opendkim/opendkim.sock
# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered an internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

The socket needs to live under /var/spool/postfix because postfix runs chrooted in that directory and cannot reach paths outside it.

Add the postfix user to the opendkim group:

adduser postfix opendkim

Edit /etc/postfix/ and add:

milter_default_action = accept
smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Notice that the socket path here omits the /var/spool/postfix prefix, since that directory is the “root” of the chrooted postfix process.

Create the file /etc/dkimkeys/keytable:

Create the file /etc/dkimkeys/signingtable:

 # Domain
 # You can specify multiple domains

Create the file /etc/dkimkeys/trustedhosts and add the list of IPs and subnets that you consider trusted:

Set the appropriate ownership and group:

chown opendkim:opendkim /etc/dkimkeys/*

Add the contents of /etc/dkimkeys/mail.txt to the zone file (it’s a TXT record), increase the serial, and reload the zone.

Restart the opendkim and postfix services.
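The table files the steps above create, as an added example that is not part of the original post: a POSIX shell script that generates keytable, signingtable and trustedhosts for one domain and derives the chroot-relative milter socket path for main.cf from the OpenDKIM Socket value. The domain example.com, the selector mail and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the OpenDKIM table files
# for one signing domain and checks the Postfix milter socket path.

# KeyTable line format: <keyname> <domain>:<selector>:<private key path>
dkim_keytable_line() {
  # $1 = domain, $2 = selector, $3 = directory holding <selector>.private
  printf '%s._domainkey.%s %s:%s:%s/%s.private\n' "$2" "$1" "$1" "$2" "$3" "$2"
}

# SigningTable line (refile: syntax): sender pattern -> keyname from KeyTable
dkim_signingtable_line() {
  # $1 = domain, $2 = selector
  printf '*@%s %s._domainkey.%s\n' "$1" "$2" "$1"
}

# Postfix runs chrooted in /var/spool/postfix, so main.cf must reference the
# socket relative to that directory. Refuse sockets Postfix could not reach.
postfix_milter_socket() {
  # $1 = OpenDKIM Socket value, e.g. local:/var/spool/postfix/opendkim/opendkim.sock
  case "$1" in
    local:/var/spool/postfix/*) printf 'unix:%s\n' "${1#local:/var/spool/postfix}" ;;
    inet:*) printf '%s\n' "$1" ;;
    *) printf 'error: %s is outside the postfix chroot\n' "$1" >&2; return 1 ;;
  esac
}

# Write all three tables into a directory (/etc/dkimkeys on the real host).
write_dkim_tables() {
  # $1 = domain, $2 = selector, $3 = output directory
  dkim_keytable_line "$1" "$2" "$3" > "$3/keytable"
  dkim_signingtable_line "$1" "$2" > "$3/signingtable"
  # InternalHosts: only the local machine is trusted to submit unsigned mail
  printf '127.0.0.1\n::1\nlocalhost\n' > "$3/trustedhosts"
}

# Usage with placeholder values (writes into a temporary directory):
#   d=$(mktemp -d); write_dkim_tables example.com mail "$d"; cat "$d"/*
```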
