Fight against spam part 2 – Postfix DKIM

DomainKeys Identified Mail (DKIM) – is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam. – Wikipedia

This is a continuation of topic about fighting against spam when you are self-hosting your mail server which in this case should be Postfix.

Install needed packages:

apt-get install opendkim opendkim-tools

Let us configure opendkim, if 12301port is use by some other service change it in below configuration:

#vim /etc/opendkim.conf

OversignHeaders         From
AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost
#vim /etc/default/opendkim


Add support for this tool inside postfix:

#vim /etc/postfix/

milter_protocol = 2
milter_default_action = accept

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

If we already have something in lines smtpd_milters i/lub non_smtpd_milters we can add new tools after comma.

Create needed folders and configuration files, which we used as table source in configuration above:

mkdir -p /etc/opendkim/keys

#vim /etc/opendkim/TrustedHosts

#vim /etc/opendkim/KeyTable

#vim /etc/opendkim/SigningTable


Let us generate keys to use with DKIM:

mkdir /etc/opendkim/keys/
cd /etc/opendkim/keys/
opendkim-genkey -s mail -d
chown opendkim:opendkim mail.private

Now we need to add proper key to TXT record in our DNS server:

cat /etc/opendkim/keys/

#bind9 TXT "v=DKIM1; k=rsa; p=VALUE_THAT_WE_GO_FROM_CAT_COMMAND_ABOVE" IN      TXT "dkim=unknown"
# unknown-some messages are sign some are not
# all-all messages are sign
# discardable - all messages are sign, if not discard them

We need to restart every service that we just edit configuration file:

service postfix restart
service opendkim restart
service bind9 restart

To ensure we configure this properly the best way would be send email to service that check this for us, for example: check-auth(at)

Rest post related to this topic:

Postfix i Dovecot – perfect duo for mail server

Fight against spam part 1 – Postfix SPF

Fight against spam part 3 – Postfix DMARC

Fight against spam part 4 – Postfix SpamAssassin

Fight against spam part 5 – Dovecot Sieve

Leave a Reply

Your email address will not be published. Required fields are marked *