Setting up a DKIM digital signature in Postfix

[Virtual servers]
Date of publication: 30.05.2023

DKIM (DomainKeys Identified Mail) lets a sending server sign each outgoing message with the domain's private key. The signature, which covers selected headers and the message body, is added in a DKIM-Signature header; the receiving server looks up the matching public key in a TXT record under selector._domainkey.<domain> in the sender's DNS and checks the signature against it. A valid signature proves that the message was sent by a system holding the domain's key and that the signed parts were not altered in transit. Signing is optional, but a missing or failing signature makes it considerably more likely that a message is classified as spam, and DKIM is one of the two mechanisms (together with SPF) on which DMARC relies.

1. Install the necessary packages:

apt-get install opendkim opendkim-tools

2. Setup and activation.

Replace the package's default settings so that the file looks like this:

nano /etc/opendkim.conf

AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:12301@localhost

Mode sv makes OpenDKIM both sign mail that arrives from the hosts listed in InternalHosts and verify signatures on everything else. Canonicalization relaxed/simple tolerates whitespace changes in headers made by intermediate servers while keeping the body check strict. The Socket line binds the milter to the loopback interface only, so it cannot be reached from the network.

Comment out the default SOCKET line and replace it with the following (it must match the Socket line in opendkim.conf, otherwise the daemon listens somewhere Postfix is not looking):

nano /etc/default/opendkim

SOCKET="inet:12301@localhost"

Add the milter settings to Postfix:

nano /etc/postfix/main.cf

milter_protocol = 2
milter_default_action = accept

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

smtpd_milters applies to mail received over SMTP, non_smtpd_milters to mail submitted locally (for example through the sendmail command), so both are needed. Note that milter_default_action = accept fails open: if OpenDKIM is not running, Postfix still delivers the mail, only unsigned. If an unsigned message leaving your domain is worse than a delayed one, use tempfail instead, which keeps the mail queued until the milter is back.

Create the directories for the keys and for the domain lookup tables (the package may already have created the first one):

mkdir /etc/opendkim
mkdir /etc/opendkim/keys

Create the list of trusted hosts and domains. Mail coming from any host on this list is signed with your key, so it should contain only your own servers and relays, never an open range. Replace 192.168.0.0/24 with the network your mail relays actually use, or drop the line if the server sends everything itself:

nano /etc/opendkim/TrustedHosts

127.0.0.1
localhost
192.168.0.0/24

*.my-domain.com

#*.my-domain.net
#*.my-domain.org

Create the file that maps a DKIM record name to its domain, selector and private key. Each line has the form <selector>._domainkey.<domain> <domain>:<selector>:<path to private key>:

nano /etc/opendkim/KeyTable

mail._domainkey.my-domain.com my-domain.com:mail:/etc/opendkim/keys/my-domain.com/mail.private

#mail._domainkey.my-domain.net my-domain.net:mail:/etc/opendkim/keys/my-domain.net/mail.private
#mail._domainkey.my-domain.org my-domain.org:mail:/etc/opendkim/keys/my-domain.org/mail.private

Create the file that decides which key signs which sender. Because the table is loaded with refile:, the left column is a pattern matched against the From address, and the right column is the KeyTable entry to use:

nano /etc/opendkim/SigningTable

*@my-domain.com mail._domainkey.my-domain.com

#*@my-domain.net mail._domainkey.my-domain.net
#*@my-domain.org mail._domainkey.my-domain.org

Create the directory and generate the key pair for the domain:

cd /etc/opendkim/keys
mkdir my-domain.com
cd my-domain.com
opendkim-genkey -s mail -d my-domain.com
chown opendkim:opendkim mail.private

-s specifies the selector (the label published under _domainkey in DNS), -d the domain. The command creates two files: mail.private holds the private key and mail.txt the public key, already formatted as a DNS record. If your version of opendkim-genkey still defaults to 1024-bit keys, add -b 2048; a 2048-bit key is recognizable by a p= value beginning with MIIBIjAN, as in the example below. The private key is the whole security of the scheme: it must belong to the opendkim user, as above, and be readable by that user only (mode 600), and it must never be copied into DNS or a ticket.

The public key is published in DNS. Look at the generated record:

cat mail.txt

mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
 "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Ru/oMs+d2y93gZVq81J7hZfe31GR3177XQ5dI0r8zFqh86K1pgcdvCbpaAzXw9x25/9BUe2ot9gpxjnt5SD+dDyereVKdkIQdkJBTl21Ei8ShJf+iIyYn5/skzLYS5RzlreBGoSGT6mtfnhzRX1A18X52oZrAfUJIXqAX14LYFq/B5Wkw8vcUiU1CrR7lteH1vCu0JQtE16CK"
 "vj86V06SxtKNEiRDqHZXo5+SqjzB2qHeteTGTyxA1dBmyKGCP6cVTkU3P0unOtsDLO+47YTUC55db34DKjjr18Lny0gf0d6oT0OvCZU5m5O3vQunxQtSPD4+Hb75xrMJqqSlXtswIDAQAB" )

The record is written as several quoted strings because a single TXT string may hold at most 255 characters; resolvers concatenate the strings, so the split is invisible to verifiers. Most DNS control panels accept the value as one line and do the splitting themselves, so for them remove the parentheses and quotes and join the pieces, taking care not to introduce spaces or line breaks inside the key, then add a TXT record named mail._domainkey to the domain's zone. Keeping the h=sha256 tag from the generated file is fine; it only restricts the hash algorithms the key may be used with. If you edit a zone file directly, keep the multi-string form instead.

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBI...IDAQAB"

You can check that the record is visible from outside (allow for DNS propagation) with the command below; opendkim-testkey -d my-domain.com -s mail -vvv from opendkim-tools goes one step further and checks that the published key matches the private key on the server:

nslookup -q=TXT mail._domainkey.my-domain.com 8.8.8.8
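The step above is where most DKIM deployments go wrong: a quote or a line break survives the copy, a key is truncated, or a 1024-bit key is published. The following script is an added example, not part of the original article or of OpenDKIM; it uses only the Python standard library. It takes a <selector>.txt file in opendkim-genkey's layout, produces the single-line value for a DNS panel, strips the whitespace that copy/paste wrapping tends to insert into p=, verifies that p= decodes to an RSA public key and reports its size, and re-splits the value into 255-character strings for a zone file. The sample mail.txt and its key are constructed: fake_p_value builds a structurally valid SubjectPublicKeyInfo with a filler modulus, so the checks can be exercised without a real key.

```python
"""Normalise and sanity-check the DKIM TXT record written by opendkim-genkey
before it goes into DNS. Added example; not part of the original article."""
import base64
import binascii
import re

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_p_value(bits: int) -> str:
    """Constructed p= value: a structurally valid RSA SubjectPublicKeyInfo whose
    modulus is filler bytes. Fine for exercising the checks, useless as a key;
    a real record comes from opendkim-genkey."""
    modulus = b"\x00\xdd" + b"\x11" * (bits // 8 - 1)        # leading 0x00: top bit set
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))).decode()

SAMPLE_P_VALUE = fake_p_value(2048)
# Constructed sample of mail.txt in opendkim-genkey's layout (quoted strings in
# parentheses, trailing ';' comment). A stray space is planted inside p= to
# imitate the damage a wrapped copy/paste causes.
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=' + SAMPLE_P_VALUE[:120] + ' ' + SAMPLE_P_VALUE[120:250] + '"\n'
    '\t  "' + SAMPLE_P_VALUE[250:] + '" )  ; ----- DKIM key mail for my-domain.com\n'
)

def parse_tags(value: str) -> dict:
    """Split 'k=v; k=v' into a dict. Whitespace inside a value is dropped, which is
    how verifiers treat the base64 p= value (RFC 6376 allows folding there)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def flatten_mail_txt(text: str) -> tuple:
    """Return (owner name, single-line record value) from a <selector>.txt file."""
    owner = text.split()[0]                                # e.g. mail._domainkey
    joined = "".join(re.findall(r'"([^"]*)"', text))       # DNS concatenates the strings
    return owner, "; ".join(f"{k}={v}" for k, v in parse_tags(joined).items())

def _der_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, value, next position) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits_from_p(p_b64: str) -> int:
    """Bit length of the RSA modulus in a p= value (base64 DER SubjectPublicKeyInfo)."""
    spki = base64.b64decode(p_b64, validate=True)
    tag, body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= does not decode to a SEQUENCE")
    _, alg_id, pos = _der_tlv(body, 0)
    if alg_id[:11] != bytes.fromhex("06092a864886f70d010101"):   # OID rsaEncryption
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bit_string, _ = _der_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsa_key, _ = _der_tlv(bit_string[1:], 0)            # skip unused-bits byte
    _, modulus, _ = _der_tlv(rsa_key, 0)                   # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_record(value: str) -> list:
    """Problems a verifier would hit with this record; an empty list means OK."""
    problems, tags = [], parse_tags(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey RSA key")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        problems.append("h= excludes sha256, the algorithm OpenDKIM signs with")
    p = tags.get("p")
    if not p:
        return problems + ["p= is empty (an empty p= tells verifiers the key is revoked)"]
    try:
        bits = rsa_bits_from_p(p)
    except (binascii.Error, ValueError, IndexError) as exc:
        return problems + [f"p= is not a valid RSA public key: {exc}"]
    if bits < 2048:
        problems.append(f"RSA key is only {bits} bits; use at least 2048")
    return problems

def split_for_zone(value: str, limit: int = 255) -> list:
    """One TXT string holds at most 255 octets; longer records are published as
    several strings that resolvers concatenate."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

if __name__ == "__main__":
    owner, value = flatten_mail_txt(SAMPLE_MAIL_TXT)
    print("single-line value for a DNS panel:\n" + value)
    print("problems:", check_record(value) or "none")
    print(owner, "IN TXT (", " ".join(f'"{c}"' for c in split_for_zone(value)), ")")
```

To use it on a real key, replace SAMPLE_MAIL_TXT with the contents of your mail.txt; check_record on the value fetched back with nslookup or dig (after joining the returned strings) tells you whether what is actually published matches a well-formed 2048-bit RSA key.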

To apply the settings, restart the services:

service postfix restart
service opendkim restart

DKIM setup is complete. To check that mail is actually being signed, send a message from the domain to check-auth@verifier.port25.com.

If everything is configured correctly, the automatic reply contains the line DKIM check: pass. The same information appears in the Authentication-Results header that large receivers add to incoming mail, and failures on the sending side are logged by OpenDKIM via syslog (LogWhy Yes above explains why a message was not signed).
