Adding DKIM Signing Into the Mix

It was pointed out that I neglected to include DKIM signing in this tutorial as I promised in a previous post. Let’s fix this oversight now.

Since we already have a mail server up and running, we can easily sign our outgoing messages with DKIM to help prevent forged messages and authenticate legitimate ones.  For more information on DKIM, look here.

Before we get started, make sure you can edit the DNS records for your domain. We will need to add a TXT record a little later to make DKIM work.

First let’s install OpenDKIM: [1]

apt-get install opendkim opendkim-tools

To configure OpenDKIM, first we’ll edit /etc/opendkim.conf:

Syslog                  yes

KeyFile                 /etc/opendkim/110414.private
Selector                110414

AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
X-Header                no

You can make the Selector line anything you like. I prefer to make it the date I generated the DKIM key, that way it it’s easier to change later. Some people make it “mail” or the name of their company or organization.

Edit /etc/default/opendkim and add/edit/uncomment the following line (making sure it is the only uncommented line):

SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891

Next we tell Postfix to use OpenDKIM. Edit /etc/postfix/ and add the following lines:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Now we can create our DKIM keys. Make note of what you made your Selector and run the following using your own domain name:

cd /etc/opendkim
opendkim-genkey -b 2048 -s <your Selector, e.g. 110414> -d <your domain name, e.g.>

You should now have two files, using this example you would have 110414.txt and 110414.private.

110414.txt contains the information we need to add to DNS. If we take a look at this file:

cat 110414.txt

It will look something like this:

110414._domainkey       IN      TXT     ( "v=DKIM1; k=rsa; "
          "zf4ZHf/BSih0ZZaFbo9sBei96JIIzGTqQZEWCUTSMkzZsKcHOQLs8L+r5eYwDwpxdVtFByzgrN56WVB7IYMhDByVOGntJLQ1vRMbfg6RcA9Ezv7dsCndkXGWWcEb9KISOO1ozTwwIDAQAB" )  ; ----- DKIM key 110414 for

You will need to add this as a TXT record for your domain. The steps for doing this will differ depending on who is hosting your DNS. The basics are, you need to add a TXT record for <your Selector> containing everything between the two brackets.

Head over to DKIMCore to test your DNS record and make sure it is configured properly.

Once your public key is installed in DNS and verified with DKIMCore, we can restart OpenDKIM and Postfix:

service opendkim restart
service postfix restart

Now send yourself a test email. If you take a look at the headers of your message, you should see something similar to:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=110414;
	t=1415142449; bh=t2OTK1f3BCnxdQW7LVf81uHqulsjZAP9q/Ux4XDzhVw=;

If you see more than one signature on your message, you can fix this by editing /etc/postfix/ Find the line:

smtp      inet  n       -       -       -       -       smtpd

and add or append:

 -o receive_override_options=no_milters

If you followed my previous tutorial installing SpamAssassian, these lines would now look like this:

smtp      inet  n       -       -       -       -       smtpd
 -o content_filter=spamassassin
 -o receive_override_options=no_milters

Remember to leave a space before -o!

Now we can test to make sure DKIM signing is working for the outside world. The folks over at Port25 have a great tool for testing DKIM signatures. Simply send an email to and wait for their response.

You should see this in their reply:

Summary of Results
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s