A DKIM domain signature (DomainKeys Identified Mail) lets you additionally confirm that a message really comes from the owner of the domain: the sending server adds a cryptographic signature to the message headers, and the recipient's server verifies it against the public key published in a TXT DNS record of the sender's domain. This setting is optional, but it significantly reduces the chance of a message being classified as spam and makes the message more trustworthy in the eyes of the recipient.
1. Install the necessary packages:
apt-get install opendkim opendkim-tools
2. Configuration and activation.
Let's remove the existing default settings and bring the file to the following form:
nano /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
Comment out the default SOCKET line and replace it with the following:
nano /etc/default/opendkim
SOCKET="inet:12301@localhost"
Add the milter settings to Postfix:
nano /etc/postfix/main.cf
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
Let's create the directories for the key material and the mail domain mapping tables:
mkdir /etc/opendkim
mkdir /etc/opendkim/keys
Create a file of trusted hosts and domains:
nano /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.0.1/24
*.
#.my-domain.net
#.my-domain.org
Let's create the file that maps each domain to its private key:
nano /etc/opendkim/KeyTable
mail._domainkey. :mail:/etc/opendkim/keys//mail.private
#mail._domainkey.my-domain.net my-domain.net:mail:/etc/opendkim/keys/my-domain.net/mail.private
#mail._domainkey.my-domain.org my-domain.org:mail:/etc/opendkim/keys/my-domain.org/mail.private
Let's create the file that determines which key is used to sign mail from which sender address:
nano /etc/opendkim/SigningTable
*@ mail._domainkey.
#@my-domain.net mail._domainkey.my-domain.net
#@my-domain.org mail._domainkey.my-domain.org
Let's create a directory and the key files themselves for our domain:
cd /etc/opendkim/keys
mkdir
cd
opendkim-genkey -s mail -d
chown opendkim:opendkim mail.private
Here -s specifies the selector and -d the domain. The command creates two files: mail.private contains the private key, and mail.txt contains the public key, already formatted as a DNS record.
This public key is what we publish in DNS:
nano -$ mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Ru/oMs+d2y93gZVq81J7hZfe31GR3177XQ5dI0r8zFqh86K1pgcdvCbpaAzXw9x25
/9BUe2ot9gpxjnt5SD+dDyereVKdkIQdkJBTl21Ei8ShJf+iIyYn5/skzLYS5RzlreBGoSGT6mtfnhzRX1A18X52oZrAfUJIXqAX14LYFq
/B5Wkw8vcUiU1CrR7lteH1vCu0JQtE16CK"
"vj86V06SxtKNEiRDqHZXo5+SqjzB2qHeteTGTyxA1dBmyKGCP6cVTkU3P0unOtsDLO+47YTUC55db34DKjjr18Lny0gf0d6oT0OvCZU5m5O3v
QunxQtSPD4+Hb75xrMJqqSlXtswIDAQAB" )
Let's bring this record into its normal form: remove the quotes and join the key into a single line, then add the resulting TXT record to the DNS zone of our domain:
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBI...IDAQAB"
You can check the published record with the command:
nslookup -q=TXT mail._domainkey. 8.8.8.8
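As an added example (not part of the original tutorial), the following Python script performs the mail.txt-to-DNS normalization described above and then checks a published record the way a verifying server begins to: it parses the tag list, confirms v=DKIM1 and k=rsa, base64-decodes p= and walks the DER to read the RSA modulus size. The sample mail.txt is constructed with a structurally valid but fake 2048-bit key (it shares the MIIBIjAN... prefix seen in the tutorial's mail.txt because that prefix is the fixed DER header of any 2048-bit RSA key); the domain in its trailing comment is a placeholder.

```python
import base64
import re
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id rsaEncryption

def normalize_dkim_txt(mail_txt: str) -> str:
    """Collapse opendkim-genkey's mail.txt (parentheses, quoted chunks, trailing comment) into one line."""
    m = re.match(r"\s*(\S+)\s+IN\s+TXT\s*\((.*?)\)", mail_txt, re.S)
    if not m: raise ValueError("not a parenthesised TXT record")
    return '%s IN TXT "%s"' % (m.group(1), "".join(re.findall(r'"([^"]*)"', m.group(2))))

def parse_dkim_tags(value: str) -> dict:
    """'v=DKIM1; k=rsa; p=...' -> dict; whitespace inside values (dig/nslookup wraps) is dropped."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s", "", v) for k, v in pairs}

def _tlv(buf: bytes, i: int, tag: int):  # one DER element at buf[i] -> (content_start, content_end)
    if buf[i] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, i))
    n, i = buf[i + 1], i + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return i, i + n

def rsa_modulus_bits(spki: bytes) -> int:
    """SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey -> modulus n."""
    i, _ = _tlv(spki, 0, 0x30)
    a, alg_end = _tlv(spki, i, 0x30)
    if spki[a:a + len(RSA_OID)] != RSA_OID:
        raise ValueError("k=rsa record does not carry an rsaEncryption key")
    b, _ = _tlv(spki, alg_end, 0x03)
    s, _ = _tlv(spki, b + 1, 0x30)  # b + 1 skips the BIT STRING unused-bits byte
    n0, n1 = _tlv(spki, s, 0x02)
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def check_dkim_record(txt_value: str) -> int:
    """Validate the v=/k=/p= tags of a published record; return the RSA key size in bits."""
    t = parse_dkim_tags(txt_value)
    if t.get("v", "DKIM1") != "DKIM1" or t.get("k", "rsa") != "rsa" or not t.get("p"):
        raise ValueError("bad v=/k= tag, or empty p= (which means the key is revoked)")
    return rsa_modulus_bits(base64.b64decode(t["p"], validate=True))

# Constructed sample: a structurally valid 2048-bit RSA SubjectPublicKeyInfo (NOT a real key), laid out like mail.txt.
def _der(tag: int, body: bytes) -> bytes:
    ln = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body
_rsa = _der(0x30, _der(0x02, b"\x00\xc3" + b"\x5a" * 255) + _der(0x02, b"\x01\x00\x01"))
_spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + _rsa))
_p = base64.b64encode(_spki).decode()
SAMPLE_MAIL_TXT = ('mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n\t  "p=%s"\n'
                   '\t  "%s" )  ; ----- DKIM key mail for <your-domain>\n' % (_p[:200], _p[200:]))
```

To check a live record, concatenate the quoted strings that nslookup prints for mail._domainkey and pass them to check_dkim_record; a ValueError or an unexpectedly small key size means the published record does not match what opendkim-genkey wrote.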
To apply the settings, restart the services:
service postfix restart
service opendkim restart
The DKIM setup is complete. You can verify that it works by sending an email to: check-auth@verifier.port25.com
If everything is configured correctly, the report you receive will contain the line: DKIM check: pass.