Stack Setup

Here we set up DKIM for use with Postfix. To build the DKIM signature for each email, we use software called OpenDKIM. It listens on a port on localhost only, and Postfix passes emails 'through' the OpenDKIM server, which applies the keys where appropriate (i.e. only on mail from owned domains).

DKIM is a three step process:

Setup OpenDKIM

Firstly we need to install OpenDKIM, via apt-get in this case:

apt-get install opendkim opendkim-tools

Next, configure OpenDKIM, which uses two files: /etc/opendkim.conf and /etc/default/opendkim. The second file simply lists the port and IP to bind to. The most important part is telling OpenDKIM where to locate a few files (key table, signing table and hosts list):

KeyTable        /mail/dkim/keyTable
SigningTable        /mail/dkim/signTable
ExternalIgnoreList  /mail/dkim/hosts
InternalHosts       /mail/dkim/hosts

Example /mail/dkim/hosts (simple list of domains):

Example /mail/dkim/signTable (maps domain => DNS txt record name):

Example /mail/dkim/keyTable (maps DNS txt record name => domain private key):

Configure Postfix

In /etc/postfix/

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12000
non_smtpd_milters = inet:localhost:12000

That assumes you've set up /etc/default/opendkim to use port 12000 and localhost/ to bind to.

Generate Keys

To generate a private/public key pair for a domain, simply run:

opendkim-genkey -d

This creates two files: default.txt, which is a TXT record you need to apply on your DNS server, and default.private, which needs to be placed according to the OpenDKIM configuration above (keyTable).
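A consistency check for the signing table, key table and private key files described above, as an added example that is not part of the original post. It assumes OpenDKIM's flat-file layout (signTable lines of the form "pattern keyname", keyTable lines of the form "keyname domain:selector:keyfile"); the sample domains and key path are constructed, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample tables: the domains and the key path are placeholders.
SIGN_TABLE = """\
example.com   default._domainkey.example.com
example.org   default._domainkey.example.org
"""
KEY_TABLE = """\
default._domainkey.example.com   example.com:default:/mail/dkim/keys/example.com/default.private
"""

def parse_table(text):
    """Return (first field, remainder) pairs, skipping blank and # comment lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            rows.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return rows

def key_file_problem(path):
    """Describe why a private key file is missing or exposed, else return None."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return "key file missing or unreadable: " + path
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "key file accessible to group/other: " + path
    return None

def check_tables(sign_text, key_text, check_files=True):
    """Cross-check signTable against keyTable; return a list of problems."""
    problems, keys = [], {}
    for name, value in parse_table(key_text):
        fields = value.split(":", 2)
        if len(fields) != 3 or not all(fields):
            problems.append("keyTable entry %s is not domain:selector:keyfile" % name)
            continue
        keys[name] = fields
        problem = key_file_problem(fields[2]) if check_files else None
        if problem:
            problems.append(problem)
    for pattern, name in parse_table(sign_text):
        if name not in keys:
            problems.append("signTable maps %s to %s, which keyTable does not define" % (pattern, name))
    return problems

if __name__ == "__main__":
    print("\n".join(check_tables(SIGN_TABLE, KEY_TABLE, check_files=False)))
```

On the mail server, pass in the contents of the real signTable and keyTable and leave check_files on, so that a missing default.private or one readable by other users is reported before the service is started.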

Running & Testing

Start OpenDKIM & restart Postfix:

service opendkim start
service postfix reload

If you send mail from any configured domain and watch /var/log/ you should see nothing mentioning OpenDKIM (if it works). However, when you check the email source you should see the DKIM signature along with the email. Send an email to [email protected] and it'll automatically reply with DKIM test results (as well as SPF & DomainKeys testing) included.