DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows recipients to verify that an email message truly came from the domain that it claims to have come from. Because spam often contains counterfeit headers, this type of authentication is required. DKIM uses public-key cryptography to enable senders to electronically sign valid emails in a way that recipients can verify. DKIM also protects mail from tampering, providing nearly end-to-end integrity from the signature to the validating Mail Transfer Agent (MTA).
Different operating systems and MTAs implement DKIM in different ways. Postfix is the default MTA on CentOS, so this guide covers the steps of OpenDKIM implementation on Postfix for CentOS users. You’ll learn how to install and configure Postfix OpenDKIM on CentOS 8.
How to Install and Configure OpenDKIM with Postfix on CentOS Linux
Step 1: Installation
1. First, install OpenDKIM.
sudo yum install opendkim
Step 2: OpenDKIM Configuration
2. Edit OpenDKIM main configuration file
sudo nano /etc/opendkim.conf
3. Find the “Mode v” line, and change it to “Mode sv”
By default, OpenDKIM is set to verification mode (v), which verifies the DKIM signatures of incoming email messages. Changing the mode to “sv” also activates signing mode for outgoing emails.
4. In the same OpenDKIM configuration file, find the following lines and remove the comment marker (#) from each
KeyFile
KeyTable
SigningTable
ExternalIgnoreList
InternalHosts
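5. At the end of this file, add your domain:
Domain yourdomain.com
and add the following line, which stops OpenDKIM from refusing to load a private key whose file permissions it considers unsafe:
RequireSafeKeys False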
6. Next, we need to edit the signing table file
sudo nano /etc/opendkim/SigningTable
7. Add the following line at the end of this file. It tells OpenDKIM that mail from any sender on your server using an @yourdomain.com address (in this example, *@easydmarc.me) should be signed with the key identified by yourselector._domainkey.yourdomain.com (in this example, default._domainkey.easydmarc.me).
*@yourdomain.com yourselector._domainkey.yourdomain.com
Note: yourselector is the DKIM selector (default in this example). A domain might have multiple DKIM signatures, and the DKIM selector allows you to choose a particular DKIM key. You can use any name of your choice, but make sure you don’t have a DKIM signature already implemented with the same selector name.
8. Save and close the OpenDKIM main configuration file
9. Now, edit the KeyTable file.
sudo nano /etc/opendkim/KeyTable
Add the following line, which specifies the location of the DKIM private key.
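yourselector._domainkey.yourdomain.com yourdomain.com:yourselector:/etc/opendkim/keys/yourdomain.com/yourselector.private
The fields after the key name are the domain, the selector, and the path to the private key file. In this article's example, the selector is default.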
10. Save and close the file.
11. Next, edit the OpenDKIM Trusted Hosts file.
sudo nano /etc/opendkim/TrustedHosts
127.0.0.1 and ::1 are included in this file by default.
12. Now add the following line: *.yourdomain.com
Step 3: Generate Private/Public Keys
1. Create a new directory for your domain
sudo mkdir /etc/opendkim/keys/yourdomain.com
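2. Generate keys using the opendkim-genkey tool (-b sets the key size in bits, -d the domain, -D the output directory, -s the selector, and -v enables verbose output)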
sudo opendkim-genkey -b 1024 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s yourselector -v
3. Make opendkim the key owner
sudo chown opendkim:opendkim /etc/opendkim/keys -R
Step 4: Publish the created public key in your DNS
1. Get and display the Public Key
sudo cat /etc/opendkim/keys/yourdomain.com/yourselector.txt
2. Publish it as a TXT record in your DNS (in this example, Cloudflare).
Important Notes:
Name/Target: yourselector._domainkey
Content: Value you’ve copied in the previous stage. Make sure to remove any spaces or double-quotes.
3. After publishing DKIM Public key in your DNS, confirm DKIM is valid using EasyDMARC DKIM Lookup tool
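The following is an added example, not part of the original article: one way to turn the zone-file record that opendkim-genkey writes into the single unquoted string a DNS control panel expects, and to catch common paste errors before publishing. The function names and the sample record are constructed for illustration, and the key material is a placeholder.

```shell
#!/bin/sh
# Added example: flatten opendkim-genkey's record and sanity-check it.

# Join every double-quoted chunk of the record, in order, dropping the quotes.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Print "ok" and return 0 if the value looks publishable;
# otherwise print the reason and return 1.
dkim_txt_check() {
    case $1 in
        v=DKIM1\;*) ;;
        *) echo "record must start with v=DKIM1;"; return 1 ;;
    esac
    case $1 in
        *\"*) echo "stray double quote left in value"; return 1 ;;
    esac
    # Split the tag list on ';' and pull out the p= tag (base64 public key).
    p=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p')
    [ -n "$p" ] || { echo "p= tag is missing or empty"; return 1; }
    case $p in
        *[!A-Za-z0-9+/=]*) echo "p= has whitespace or non-base64 characters"; return 1 ;;
    esac
    echo "ok"
}

# Constructed sample in the layout opendkim-genkey writes; the key material
# is a placeholder, not a real public key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
yourselector._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderAAAA"
	  "BBBBplaceholderCCCC0123456789+/DDDDIDAQAB" )  ; ----- DKIM key yourselector for yourdomain.com
EOF

value=$(dkim_txt_value "$sample")
echo "TXT value: $value"
dkim_txt_check "$value"
rm -f "$sample"
```

On the server, pass the real file instead of the sample: dkim_txt_value /etc/opendkim/keys/yourdomain.com/yourselector.txt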
Step 5: Connect Postfix to OpenDKIM
Now that you’ve configured OpenDKIM, it’s time to implement Postfix DKIM. Let’s follow the Postfix OpenDKIM configuration process.
1. Edit Postfix main configuration file
sudo nano /etc/postfix/main.cf
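2. Add the following lines at the end of the “main.cf” file. This lets Postfix call OpenDKIM via the milter protocol. With milter_default_action = accept, Postfix still accepts mail (unsigned) when it cannot reach OpenDKIM.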
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
3. Save and close the file.
4. Restart OpenDKIM and Postfix
sudo service opendkim restart
sudo service postfix restart
Step 6: DKIM Check
1. Send a test email from your server to confirm that Postfix DKIM is working.
Congratulations, you’ve configured OpenDKIM on Postfix. Now you can be sure that your emails reach the recipients as they were sent, in their initial form.