How to Configure DKIM (OpenDKIM) with Postfix

DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows recipients to verify that an email message truly came from the domain that it claims to have come from. Because spam often contains counterfeit headers, this type of authentication is required. DKIM uses public-key cryptography to enable senders to electronically sign valid emails in a way that recipients can verify. DKIM also protects mail from tampering, providing nearly end-to-end integrity from the signature to the validating Mail Transfer Agent (MTA).

Different Operating Systems and MTAs use various ways to implement DKIM. For example, Linux uses Postfix as its default MTA, so it makes sense for us to cover the steps of OpenDKIM implementation on Postfix for CentOS users. You’ll learn how to install and configure Postfix OpenDKIM on CentOS 8.

How to Configure DKIM (OpenDKIM) with Postfix, EasyDMARC

How to Install and Configure OpenDKIM with Postfix on CentOS Linux 

Step 1: Installation

1. First, install OpenDKIM.

sudo yum install opendkim 

Step 2: OpenDKIM Configuration

2. Edit OpenDKIM main configuration file

sudo nano /etc/opendkim.conf

3. Find the “Mode v” line, and change it to “Mode sv”
By default, OpenDKIM is set to verification mode (v), which verifies the DKIM signatures of receiving email messages. Changing the mode to “sv,” will let us activate the signing mode for outgoing emails.

Change “Mode v” to “Mode sv”

4. In the same OpenDKIM Configuration file, find the following lines and remove the Comment (#)

Keyfile
KeyTable
SigningTable
ExternalIgnoreList
InternalHosts

Remove the Comment (#) for

5. At the end of this file, add your

Domain yourdomain.com

and add

RequireSafeKeys False

Add “RequireSafeKeys False”

6. Next, we need to edit the signing table file

sudo nano /etc/opendkim/SigningTable


7. Add the following line at the end of this file. This tells OpenDKIM that if a sender on your server is using any @yourdomain.com address (in this example, *@easydmarc.me), then it should be signed with the key identified by default._domainkey.yourdomain.com (in this example, default._domainkey.easydmarc.me)

*@yourdomain.com yourselector._domainkey.yourdomain.com

sudo nano /etc/opendkim/SigningTable

Note: default is the DKIM selector. A domain might have multiple DKIM Signatures. The DKIM selector allows you to choose a particular DKIM Key. You can use any name of your choice, but make sure you don’t have a DKIM Signature already implemented with the same selector name.

8. Save and close the OpenDKIM main configuration file

9. Now, edit the KeyTable file.

sudo nano /etc/opendkim/KeyTable


Add the following line, which specifies the location of the DKIM private key.

youselector._domainkey.yourdomain.com yourdomain.com:selector:/etc/opendkim/keys/yourdomain.com/default.private


In this screenshot, selector is defined as default

sudo nano /etc/opendkim/KeyTable

10. Save and close the file.

11. Next, edit the OpenDKIM Trusted Hosts file.

sudo nano /etc/opendkim/TrustedHosts


127.0.0.0.1 and ::1 are included in this file by default.

12. Now add the following line: *.yourdomain.com

sudo nano /etc/opendkim/TrustedHosts

Step 3: Generate Private/Public Keys

1. Create a new directory for your domain

sudo mkdir /etc/opendkim/keys/yourdomain.com

2. Generate keys using opendkim-genkey tool

sudo opendkim-genkey -b 1024 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s yourselector -v

sudo opendkim-genkey -b 1024 -d domain.com -D /etc/opendkim/keys/domain.com -s selector -v

3. Make opendkim the key owner

sudo chown opendkim:opendkim /etc/opendkim/keys -R 

Step 4: Publish the created public key in your DNS

1. Get and display the Public Key

sudo cat /etc/opendkim/keys/yourdomain.com/default.txt

sudo cat /etc/opendkim/keys/domain.com/default.txt

2. Implement it in your DNS (In this example, Cloudflare).
Important Notes:
Name/Target: yourselector._domainkey
Content: Value you’ve copied in the previous stage. Make sure to remove any spaces or double-quotes.

Implement the Public Key in your DNS

3. After publishing DKIM Public key in your DNS, confirm DKIM is valid using EasyDMARC DKIM Lookup tool

easydmarc dkim lookup tool

Step 5: Connect Postfix to OpenDKIM

Now that you’ve configured OpenDKIM, it’s time to implement Postfix DKIM. Let’s follow the Postfix OpenDKIM configuration process.

1. Edit Postfix main configuration file

sudo nano /etc/postfix/main.cf

2. Add the following lines at the end of the “main.cf” file. This will let Postfix call OpenDKIM via the milter protocol

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters milter_default_action = accept 

open dkim configuration

3. Save and close the file.

4. Restart OpenDKIM and Postfix

sudo service opendkim restart
sudo service postfix restart

Step 6: DKIM Check

1. Send a test email from your server to confirm that Postfix DKIM is working.

 

Send a Test email and confirm DKIM is working

Congratulations, you’ve configured OpenDKIM on Postfix. Now you can be sure that your emails reach the recipients as they were sent, in their initial form.

How DMARC Can Improve Email Deliverability?

How DMARC Can Improve Email Deliverability?

There’s no doubt that email marketing is an essential and powerful tool for any...

Read More
Email Security News Round-Up [September 2022]

Email Security News Round-Up [September 2022]

September was a busy month filled with email security news and cybersecurity news stories...

Read More
How to Increase Domain Reputation with SPF

How to Increase Domain Reputation with SPF

Is your email open rate decreasing? Noticing a higher bounce rate? Well, this could...

Read More