Installing OpenDKIM
08-10-2014, 11:59 PM
(This post was last modified: 08-11-2014, 04:42 PM by sgtmudd.)
This guide will show you how to install and configure OpenDKIM on your CentOS 6.5 or Ubuntu server. Before we start, here is the Wikipedia definition of DKIM, in case anyone doesn't know what it is.
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail Wrote:DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.
First things first, we always need to make sure the system is up to date, so let's do that now. (This guide also assumes that you are not working as root but as a regular account that can get root permissions with sudo.)
CentOS
Code:
sudo yum update
Ubuntu
Code:
sudo apt-get update
sudo apt-get upgrade
On CentOS you need to enable the EPEL repo if you haven't already, because OpenDKIM is not in the base repositories. Either install the release package as below (it is fetched over plain HTTP, so take it from a mirror you trust), or, on CentOS 6, simply run sudo yum install epel-release, which pulls it from the extras repository.
Code:
sudo wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
sudo rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
sudo rm -f /tmp/epel-release-6-8.noarch.rpm
Once you have done that, you are ready to install OpenDKIM and its dependencies.
CentOS
Code:
sudo yum install opendkim
Ubuntu
Code:
sudo apt-get install opendkim opendkim-tools
Okay, now we are at the fun part: configuring it and getting it set up to run. Back up the default config first, then open /etc/opendkim.conf in your favourite editor.
Code:
sudo cp /etc/opendkim.conf /etc/opendkim.conf.bak
sudo vim /etc/opendkim.conf
Once it is open, I found it a lot easier to just delete all the comments around the settings, since we have a backup (and the opendkim.conf man page) to go back to for information. So either delete everything in the .conf and paste in the block below, or change the existing settings to match it. Two things worth knowing about these settings: Mode sv signs outbound mail and verifies inbound mail, and Socket inet:8891@localhost keeps the milter on the loopback interface, which is what the Postfix setting later on expects. On Ubuntu, also check /etc/default/opendkim: if a SOCKET= line is set there, the init script passes it to the daemon and it overrides the Socket line in this file.
Code:
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Great, now we need to set up our private and public keys. To do that, run the following, changing yourdomain.com to the domain you are setting up keys for. (If you have more domains to sign, repeat this step for each one.) Two points before you run it: opendkim-genkey on these releases defaults to a 1024-bit key, so add -b 2048 to the opendkim-genkey command; and the private key must stay readable only by the opendkim user (the chown below handles ownership; check with ls -l that the file mode is 600).
Code:
sudo mkdir /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -D /etc/opendkim/keys/yourdomain.com/ -d yourdomain.com -s default
sudo chown -R opendkim: /etc/opendkim/keys/yourdomain.com
sudo mv /etc/opendkim/keys/yourdomain.com/default.private /etc/opendkim/keys/yourdomain.com/default
Okay, so now we have to add the new key to the KeyTable. Again, repeat this step for every domain you are setting up with OpenDKIM. The file is /etc/opendkim/KeyTable.
Code:
sudo vi /etc/opendkim/KeyTable
Paste in the following. The format is selector._domainkey.domain on the left and domain:selector:path-to-private-key on the right; the domain on the right is what ends up in the signature's d= tag, which tells verifiers where to look up the public key, so it has to be spelled exactly like the one on the left:
Code:
default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default
Next we need to add a record to /etc/opendkim/SigningTable. The * wildcard makes OpenDKIM sign all mail coming from that domain (wildcards work here only because the config opens the table with refile:).
Code:
*@yourdomain.com default._domainkey.yourdomain.com
If you only want some addresses signed, replace the * with the mailbox name.
Code:
# This signs only mail from the support address.
support@yourdomain.com default._domainkey.yourdomain.com
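The two tables have to agree with each other, and a one-letter slip in the KeyTable (youdomain.com for yourdomain.com, say) produces signatures that verifiers can never check, because they look up the key under the misspelt d= domain. The following is an added Python check, not from the original post and not part of OpenDKIM, that parses both tables and reports mismatches. The table contents and the function names are my own; the second KeyTable row reproduces that kind of typo on purpose, and the last SigningTable row points at a key that was never defined. On a real host, feed it the contents of /etc/opendkim/KeyTable and /etc/opendkim/SigningTable.

```python
"""Cross-check OpenDKIM KeyTable and SigningTable entries (added example).

The table text below is constructed for this example; on a real host read
/etc/opendkim/KeyTable and /etc/opendkim/SigningTable instead.
"""
import re

# Constructed KeyTable: the second row deliberately signs example.net's mail
# with d=youdomain.com, the kind of one-letter slip that breaks verification
# (verifiers look up <selector>._domainkey.<d=> and never find the key).
KEYTABLE = """\
default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default
default._domainkey.example.net    youdomain.com:default:/etc/opendkim/keys/example.net/default
"""

# Constructed SigningTable: the last row points at a key that is not defined.
SIGNINGTABLE = """\
*@yourdomain.com       default._domainkey.yourdomain.com
*@example.net          default._domainkey.example.net
support@example.org    default._domainkey.example.org
"""


def parse_table(text):
    """Return (key, value) pairs; blank lines and # comments are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        rows.append((fields[0], fields[1].strip() if len(fields) > 1 else ""))
    return rows


def check_tables(keytable_text, signingtable_text):
    """Return a list of problems; an empty list means the tables are consistent.

    KeyTable rows are  <selector>._domainkey.<domain>  <domain>:<selector>:<keyfile>
    and the <domain> in the value becomes the d= tag of every signature made
    with that key, so it must match the name on the left.  SigningTable rows
    map a sender pattern to a KeyTable name, which therefore has to exist.
    """
    problems = []
    key_names = set()
    for name, value in parse_table(keytable_text):
        key_names.add(name)
        m = re.fullmatch(r"([^.]+)\._domainkey\.(.+)", name)
        if not m:
            problems.append(f"KeyTable: {name!r} is not <selector>._domainkey.<domain>")
            continue
        selector, domain = m.groups()
        fields = value.split(":")
        if len(fields) != 3:
            problems.append(f"KeyTable: {name!r} needs domain:selector:keyfile, got {value!r}")
            continue
        v_domain, v_selector, keyfile = fields
        if v_domain != domain:
            problems.append(f"KeyTable: {name!r} would sign with d={v_domain}, expected {domain}")
        if v_selector != selector:
            problems.append(f"KeyTable: {name!r} would sign with s={v_selector}, expected {selector}")
        if not keyfile.startswith("/"):
            problems.append(f"KeyTable: {name!r} key path {keyfile!r} is not absolute")
    for pattern, target in parse_table(signingtable_text):
        if target not in key_names:
            problems.append(f"SigningTable: {pattern!r} points at unknown key {target!r}")
    return problems


if __name__ == "__main__":
    for problem in check_tables(KEYTABLE, SIGNINGTABLE) or ["tables are consistent"]:
        print(problem)
```

Run as-is it prints the two planted problems; with the real files it should print "tables are consistent" before you restart the daemon. It does not check that the key file exists or is readable by the opendkim user, so pair it with an ls -l on the keys directory.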
Great, so now we need to add our hostname, localhost and the domain(s) we are signing for to the trusted hosts file at /etc/opendkim/TrustedHosts.
Before doing this (I also had some issues here that stopped OpenDKIM working, and it turned out to be a very simple fix): type hostname in your terminal, which prints the hostname of your server, and use exactly that name in the file.
So go ahead and run
Code:
sudo vi /etc/opendkim/TrustedHosts
Make it look something like this, where host.yourdomain.com is the hostname that command printed.
Code:
127.0.0.1
yourdomain.com
host.yourdomain.com
Be selective here: the config uses this one file as both InternalHosts and ExternalIgnoreList, so every entry is a host whose mail OpenDKIM signs as your domain without verifying it. List only the machines that are allowed to submit mail for your domain, never broad address ranges or hosts you do not control.
Great, almost finished. Now we just need to update some DNS. I use Cloudflare for my DNS; you can use whichever you like, or your domain provider's if it offers one. First we have to get the information we are going to put there, which is in /etc/opendkim/keys/yourdomain.com/default.txt
Code:
sudo vi /etc/opendkim/keys/yourdomain.com/default.txt
You should see something like the following;
Code:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for yourdomain.com
So now, with this information, create a new TXT record named default._domainkey (that is, default._domainkey.yourdomain.com) and put the following in its value:
Code:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB
Yours will be totally different, so don't just copy and paste this one. The quotes in default.txt are BIND syntax for joining strings: the record value is everything between them concatenated, with no quotes left in. A 2048-bit key is longer than a single 255-byte TXT string, so either your provider splits it for you or you enter it as two quoted strings. Once the record has propagated, check it with dig +short TXT default._domainkey.yourdomain.com and make sure the p= you get back matches the file. Below is a screenshot of how mine looks.
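Joining the quoted strings by hand, and checking afterwards that what is published really is an RSA key of the size you think it is, are both easy to get wrong. The following added Python example, mine and not from the original post or from OpenDKIM, does both offline: it flattens a default.txt-style record into the single value a DNS panel wants, then checks a record value for tag syntax, base64, an RSA SubjectPublicKeyInfo and modulus size. The key material is a constructed modulus with the right shape, not a real key pair, and the sample default.txt is built from it; the function names are my own.

```python
"""Flatten and sanity-check a DKIM DNS record (added example).

Rebuilds the single value a DNS control panel wants from the multi-string
TXT record that opendkim-genkey writes to default.txt, then checks a published
record: tag syntax, base64, RSA SubjectPublicKeyInfo, and modulus size.
Key material here is a constructed modulus, not a real key pair.
"""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption


def _der(tag, body):
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def rsa_spki_der(n, e=65537):
    """RSAPublicKey inside SubjectPublicKeyInfo: the DER that a DKIM p= carries."""
    pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _tlv(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    _, pub, _ = _tlv(bits, 1)          # skip the unused-bits byte
    tag, n_bytes, _ = _tlv(pub, 0)
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def flatten_bind_txt(text):
    """Join the quoted strings of a BIND-style TXT record into one value."""
    return "".join(re.findall(r'"([^"]*)"', text))


def check_dkim_record(value, min_bits=2048):
    """Return (modulus_bits, problems) for a record value; no problems means OK.

    RFC 8301 has signers use 2048-bit RSA and lets verifiers reject anything
    under 1024 bits, so min_bits defaults to 2048.
    """
    problems, tags = [], {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            k, _, v = item.partition("=")
            tags[k.strip()] = v.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags.get('k')!r}")
    p = re.sub(r"\s+", "", tags.get("p", ""))   # folded records may contain whitespace
    if not p:
        problems.append("p= is missing or empty (an empty p= means the key is revoked)")
        return 0, problems
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:
        problems.append(f"p= does not decode to an RSA public key: {exc}")
        return 0, problems
    if bits < min_bits:
        problems.append(f"{bits}-bit key is below the {min_bits}-bit target")
    return bits, problems


def record_value(n, e=65537):
    """Single-string record value for a (constructed) RSA public key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n, e)).decode()


# Constructed moduli (top bit set, odd): NOT real RSA keys, useless for signing,
# but the right shape for exercising the DER and size checks.
WEAK_VALUE = record_value((1 << 1023) | 0x10001)
GOOD_VALUE = record_value((1 << 2047) | 0x10001)

# A default.txt in the style opendkim-genkey writes, built from the 2048-bit
# value above; a key that size does not fit one 255-byte string, so it is split.
_p = GOOD_VALUE.split("p=", 1)[1]
_chunks = [_p[i:i + 250] for i in range(0, len(_p), 250)]
_chunks[0] = "p=" + _chunks[0]
SAMPLE_DEFAULT_TXT = (
    'default._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n'
    + "".join(f'\t"{c}"\n' for c in _chunks)
    + ") ; ----- DKIM key default for yourdomain.com\n"
)
# What you get if the quotes are pasted into the panel instead of being joined
GARBLED_PASTE = 'v=DKIM1; k=rsa; ""p=' + _p
```

Flattening SAMPLE_DEFAULT_TXT gives back GOOD_VALUE and the checker reports 2048 bits with no problems; WEAK_VALUE is flagged as a 1024-bit key, and GARBLED_PASTE is rejected because the stray quotes turn the p tag into a tag named ""p. To check a live record, pass the string that dig returns (quotes joined) to check_dkim_record.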
Okay, so now we need to tell Postfix about the new milter. Open /etc/postfix/main.cf and paste in the following. Note that milter_default_action = accept fails open: if OpenDKIM is down, Postfix still accepts and delivers the mail, just unsigned, so keep an eye on the opendkim log entries in syslog (that is also why AutoRestart is on in the config).
Code:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Once that is done, start OpenDKIM, enable it at boot and restart Postfix. The chkconfig line is CentOS-only; on Ubuntu the package enables the service when it is installed, so skip that line there.
Code:
sudo service opendkim start
sudo chkconfig opendkim on
sudo service postfix restart
Once everything has been restarted and is running, test that you are sending signed mail. Send a message to a Gmail account you own and look at the headers (Show original): you should see mailed-by: yourdomain.com and signed-by: yourdomain.com, and the Authentication-Results header should contain dkim=pass.
Or you can simply email check-auth2@verifier.port25.com and, in about 5-10 minutes, you will get an email back reporting whether the message was signed, its spam score and so on.
You would get something like the following back:
Code:
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham