How to Configure DKIM (OpenDKIM) with Postfix

    DKIM (DomainKeys Identified Mail) is an email authentication protocol that allows recipients to verify that an email message truly came from the domain that it claims to have come from. Because spam often contains counterfeit headers, this type of authentication is required. DKIM uses public-key cryptography to enable senders to electronically sign valid emails in a way that recipients can verify. DKIM also protects mail from tampering, providing nearly end-to-end integrity from the signature to the validating Mail Transfer Agent (MTA).

    Different Operating Systems and MTAs use various ways to implement DKIM. For example, Linux uses Postfix as its default MTA, so it makes sense for us to cover the steps of OpenDKIM implementation on Postfix for CentOS users. You’ll learn how to install and configure Postfix OpenDKIM on CentOS 8.

    How to Install and Configure OpenDKIM with Postfix on CentOS Linux 

    Step 1: Installation

    1. First, install OpenDKIM.

    sudo yum install opendkim 

    Step 2: OpenDKIM Configuration

    2. Edit OpenDKIM main configuration file

    sudo nano /etc/opendkim.conf

    3. Find the “Mode v” line and change it to “Mode sv”.
    By default, OpenDKIM runs in verification mode (v), which verifies the DKIM signatures of incoming email messages. Changing the mode to “sv” also activates signing mode (s) for outgoing emails.


    4. In the same OpenDKIM configuration file, find the following lines and uncomment them by removing the leading comment character (#):

    KeyFile
    KeyTable
    SigningTable
    ExternalIgnoreList
    InternalHosts


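    5. At the end of this file, add your domain:

    Domain yourdomain.com

    and add the following line. With it set to False, OpenDKIM loads the private key even when the key file's permissions let other users access it, so check those permissions yourself:

    RequireSafeKeys False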


    6. Next, we need to edit the signing table file

    sudo nano /etc/opendkim/SigningTable


    7. Add the following line at the end of this file. It tells OpenDKIM that mail from any sender on your server using an @yourdomain.com address (in this example, *@easydmarc.me) should be signed with the key identified by yourselector._domainkey.yourdomain.com (in this example, default._domainkey.easydmarc.me).

    *@yourdomain.com yourselector._domainkey.yourdomain.com

    Note: yourselector is the DKIM selector (default in this example). A domain might have multiple DKIM signatures, and the DKIM selector lets you choose a particular DKIM key. You can use any name of your choice, but make sure you don’t already have a DKIM signature implemented with the same selector name.

    8. Save and close the OpenDKIM main configuration file

    9. Now, edit the KeyTable file.

    sudo nano /etc/opendkim/KeyTable


    Add the following line, which specifies the location of the DKIM private key.

    yourselector._domainkey.yourdomain.com yourdomain.com:yourselector:/etc/opendkim/keys/yourdomain.com/yourselector.private

    In this example, the selector is defined as default, so the key file is default.private.

    10. Save and close the file.

    11. Next, edit the OpenDKIM Trusted Hosts file.

    sudo nano /etc/opendkim/TrustedHosts


    127.0.0.1 and ::1 are included in this file by default.

    12. Now add the following line: *.yourdomain.com


    Step 3: Generate Private/Public Keys

    1. Create a new directory for your domain

    sudo mkdir /etc/opendkim/keys/yourdomain.com

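    2. Generate keys using the opendkim-genkey tool (-b is the key size in bits, -d the domain, -D the output directory, -s the selector). The tool writes yourselector.private (the private key) and yourselector.txt (the DNS record). Note that RFC 8301 says signers should use RSA keys of at least 2048 bits.

    sudo opendkim-genkey -b 1024 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s yourselector -v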

    3. Make opendkim the key owner

    sudo chown opendkim:opendkim /etc/opendkim/keys -R 
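
With the tables from Step 2 and the keys from Step 3 in place, a quick consistency check catches a misspelled key name or a key file readable by other users before OpenDKIM is restarted. This script is an added example, not part of the original guide; the function name check_dkim_tables and the sample entries are assumptions made for illustration.

```shell
# check_dkim_tables SIGNINGTABLE KEYTABLE
# Prints one line per problem found; returns 0 when the tables are consistent.
check_dkim_tables() {
    st=$1; kt=$2; rc=0
    # Key names referenced in SigningTable (second field), ignoring comments.
    for name in $(awk 'NF >= 2 && $1 !~ /^#/ { print $2 }' "$st" | sort -u); do
        # KeyTable line: keyname domain:selector:/path/to/key.private
        entry=$(awk -v n="$name" '$1 == n { print $2; exit }' "$kt")
        if [ -z "$entry" ]; then
            echo "MISSING: $name is used in SigningTable but not defined in KeyTable"
            rc=1; continue
        fi
        domain=${entry%%:*}; rest=${entry#*:}
        selector=${rest%%:*}; keyfile=${rest#*:}
        # Convention used in this guide: key name = selector._domainkey.domain
        if [ "$name" != "$selector._domainkey.$domain" ]; then
            echo "MISMATCH: $name vs $selector._domainkey.$domain"; rc=1
        fi
        if [ ! -f "$keyfile" ]; then
            echo "NOKEY: $keyfile does not exist"; rc=1
        elif [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "PERMS: $keyfile is accessible by group or others"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not real data): the KeyTable entry misspells the key name.
demo_dir=$(mktemp -d)
echo '*@example.com sel1._domainkey.example.com' > "$demo_dir/SigningTable"
echo "se1l._domainkey.example.com example.com:sel1:$demo_dir/sel1.private" > "$demo_dir/KeyTable"
check_dkim_tables "$demo_dir/SigningTable" "$demo_dir/KeyTable" || echo "fix the entries above"
rm -rf "$demo_dir"
```

On the server, run it as check_dkim_tables /etc/opendkim/SigningTable /etc/opendkim/KeyTable with enough privileges to read the key directory.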

    Step 4: Publish the created public key in your DNS

    1. Get and display the Public Key

    sudo cat /etc/opendkim/keys/yourdomain.com/yourselector.txt

    2. Implement it in your DNS (in this example, Cloudflare).
    Important notes:
    Name/Target: yourselector._domainkey
    Content: the value you copied in the previous step. Make sure to remove any spaces or double quotes.

    3. After publishing DKIM Public key in your DNS, confirm DKIM is valid using EasyDMARC DKIM Lookup tool
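
As an added example (not from the original guide), these shell functions turn the opendkim-genkey .txt file into the single string to paste as the record content, run basic syntax checks on it, and compare it with what DNS returns. The function names and the sample record are constructed for illustration; the p= value is a placeholder, not a real key.

```shell
# dkim_dns_value: read opendkim-genkey's .txt zone fragment on stdin and print
# the record content as one string (quoted chunks joined, spaces removed).
dkim_dns_value() {
    tr -d '\n' |
        awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i; print "" }' |
        tr -d ' \t'
}

# dkim_value_ok VALUE: basic syntax checks before publishing.
dkim_value_ok() {
    case $1 in
        v=DKIM1\;*) ;;
        *) echo "record must start with v=DKIM1"; return 1 ;;
    esac
    p=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^p=//p')
    # An empty p= tag means "key revoked" (RFC 6376), so reject it here.
    [ -n "$p" ] || { echo "missing or empty p= tag"; return 1; }
    case $p in
        *[!A-Za-z0-9+/=]*) echo "p= has characters outside base64"; return 1 ;;
    esac
}

# dkim_matches_dns LOCAL DNS_ANSWER: compare the local value with what DNS
# returns, e.g. "$(dig +short TXT yourselector._domainkey.yourdomain.com)".
dkim_matches_dns() {
    [ "$1" = "$(printf '%s' "$2" | tr -d '" \t\n')" ]
}

# Constructed sample in opendkim-genkey's output layout (placeholder key data).
sample_genkey_txt() {
cat <<'EOF'
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfCONSTRUCTEDplaceholder0123456789+/AQAB" )  ; ----- DKIM key default for example.com
EOF
}

value=$(sample_genkey_txt | dkim_dns_value)
dkim_value_ok "$value" && echo "$value"
```

On the server, feed the real file in with dkim_dns_value < /etc/opendkim/keys/yourdomain.com/yourselector.txt; longer keys that the tool splits into several quoted chunks are joined the same way.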


    Step 5: Connect Postfix to OpenDKIM

    Now that you’ve configured OpenDKIM, it’s time to implement Postfix DKIM. Let’s follow the Postfix OpenDKIM configuration process.

    1. Edit Postfix main configuration file

    sudo nano /etc/postfix/main.cf

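    2. Add the following lines at the end of the “main.cf” file. They let Postfix call OpenDKIM via the milter protocol. With milter_default_action = accept, Postfix still accepts mail when the milter is unavailable, in which case that mail goes out unsigned.

    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept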


    3. Save and close the file.

    4. Restart OpenDKIM and Postfix

    sudo service opendkim restart
    sudo service postfix restart

    Step 6: DKIM Check

    1. Send a test email from your server to confirm that Postfix DKIM is working.
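
To confirm the result from the received copy of the test message, save its raw source to a file and check that the DKIM-Signature header names your domain and selector and that the receiving server recorded dkim=pass. The script below is an added example, not part of the original guide; the function names and the sample message are constructed, and only an Authentication-Results header added by your own receiving server should be trusted.

```shell
# unfold_headers FILE: print the header block with folded lines joined.
unfold_headers() {
    awk '{ sub(/\r$/, "") }
         /^$/ { exit }
         /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# dkim_sig_tag FILE TAG: value of TAG (d, s, a, ...) in the first DKIM-Signature.
dkim_sig_tag() {
    unfold_headers "$1" | grep -i '^DKIM-Signature:' | head -n 1 |
        sed 's/^[^:]*://' | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tr -d ' \t'
}

# dkim_auth_result FILE: the dkim= verdict recorded by the receiving server.
dkim_auth_result() {
    unfold_headers "$1" | grep -i '^Authentication-Results:' |
        sed -n 's/.*[; ]dkim=\([a-z]*\).*/\1/p' | head -n 1
}

# check_test_mail FILE DOMAIN SELECTOR: 0 only if signed by our key and verified.
check_test_mail() {
    d=$(dkim_sig_tag "$1" d); s=$(dkim_sig_tag "$1" s); r=$(dkim_auth_result "$1")
    [ -n "$d" ] || { echo "no DKIM-Signature: message was not signed"; return 1; }
    [ "$d" = "$2" ] && [ "$s" = "$3" ] ||
        { echo "signed with $s._domainkey.$d, expected $3._domainkey.$2"; return 1; }
    [ "$r" = pass ] || { echo "receiver reported dkim=${r:-none}"; return 1; }
    echo "ok: $s._domainkey.$d dkim=pass"
}

# Constructed sample of a received test message (all values are made up).
sample_message() {
cat <<'EOF'
Authentication-Results: mx.example.net;
 dkim=pass header.d=example.com header.s=default
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
 s=default; t=1700000000; bh=Q09OU1RSVUNURUQ=;
 h=From:Subject; b=Q09OU1RSVUNURUQ=
From: postmaster@example.com
Subject: DKIM test

This is the body.
EOF
}
msg=$(mktemp); sample_message > "$msg"
check_test_mail "$msg" example.com default; rm -f "$msg"
```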


    Congratulations, you’ve configured OpenDKIM on Postfix. Now you can be sure that your emails reach the recipients as they were sent, in their initial form.
