DKIM configuration

Debian 6 – squeeze

It’s necessary to have package dkim-filter.

Key creation

mkdir /etc/mail
cd /etc/mail
dkim-genkey -d

Edit or create /etc/dkim-filter.conf

Domain         (if I need more domain - separate it by a comma and use KeyList instead of KeyFile)
KeyFile                 /etc/mail/default.private
Selector                default

KeyList example


Edit /etc/default/dkim-filter

SOCKET="inet:[email protected]"

Edit /etc/postfix/

# DKIM signature of SMTP server
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

It’s almost finished. Now add TXT DNS record:

myselector._domainkey 1800 TXT v=DKIM1; p=mykey

Debian 7 – Wheeze

Download and install opendkim with tools.

apt-get install opendkim opendkim-tools

Add configuration to /etc/opendkim.conf.

AutoRestart             Yes
AutoRestartRate         10/1h
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Edit /etc/postfix/

milter_protocol = 2
milter_default_action = accept

#If there is existing spamassasin in avamis conf, just add at the end of the line opendkim.

smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock

#If there is only opendkim filter, add these lines.

smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/opendkim/opendkim.sock

Now it’s time to make dir for opendkim socket.

mkdir -p /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim/
usermod -a -G opendkim postfix

Generating keys.

mkdir /etc/opendkim
mkdir /etc/opendkim/keys
cd /etc/opendkim/keys
opendkim-genkey -s mail -d
chown opendkim:opendkim mail.private

Parameter -s is for selector, d is domain. In mail.txt you can find txt entry for DNS record.

Specify trusted hosts /etc/opendkim/TrustedHosts.

Create a key table /etc/opendkim/KeyTable.

Create a signing table /etc/opendkim/SigningTable.


And last step is

service opendkim restart
service postfix restart

Debian 8 – Jessie

Create the domain key.

mkdir -p /etc/dkim/amavisd-new 
genrsa /etc/dkim/example.key.pem

Configure amavisd to use the new key /etc/amavis/conf.d/50-user.

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

dkim_key('', 'foo', '/var/db/dkim/example.key.pem');

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

@mynetworks = qw(;  # list your internal networks

To view the public key.

amavisd-new showkeys

Testing the key.

amavisd-new testkeys

If everything is ok, restart amavis.

service amavis restart


Napsat komentář

Vaše e-mailová adresa nebude zveřejněna. Vyžadované informace jsou označeny *