Here we set up DKIM for use with Postfix. To build the DKIM signatures for each email, we use software called OpenDKIM. This sits on a port listening on localhost only, and Postfix passes emails 'through' the OpenDKIM server, which applies the keys where appropriate (i.e. only on mail from domains we own).
DKIM is a three step process:
- A private & public key is generated for each domain
- The public key then must be added to the domain's DNS as a TXT record
- OpenDKIM then signs the emails with the private key, and the public key is used to verify the email was sent from the domain owner (assumed: if you control the DNS you own/control the domain)
Firstly we need to install OpenDKIM, via apt-get in this case:
apt-get install opendkim opendkim-tools
Next, configure OpenDKIM, which uses two files: /etc/opendkim.conf and /etc/default/opendkim. The second file simply lists the port and IP to bind to. The most important part of /etc/opendkim.conf is telling OpenDKIM where to locate a few files (key table, signing table & hosts list):
KeyTable /mail/dkim/keyTable
SigningTable /mail/dkim/signTable
ExternalIgnoreList /mail/dkim/hosts
InternalHosts /mail/dkim/hosts
Example /mail/dkim/hosts (simple list of domains):
Example /mail/dkim/signTable (maps domain => DNS txt record name):
afterburst.com default._domainkey.afterburst.com
example.com default._domainkey.example.com
Example /mail/dkim/keyTable (maps DNS txt record name => domain private key):
default._domainkey.afterburst.com afterburst.com:default:/mail/dkim/keys/afterburst.com/default.private
default._domainkey.example.com example.com:default:/mail/dkim/keys/example.com/default.private
Then tell Postfix to pass mail through the OpenDKIM milter, in /etc/postfix/main.cf:
#dkim
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12000
non_smtpd_milters = inet:localhost:12000
That assumes you've set up /etc/default/opendkim to use port 12000 and to bind to localhost/127.0.0.1.
To generate a private/public key combo for a domain, simply:
opendkim-genkey -d example.com
This creates two files: default.txt, which is the TXT record you need to publish on your DNS server, and default.private, which needs to be placed at the path given in the OpenDKIM keyTable above (e.g. /mail/dkim/keys/example.com/default.private).
Running & Testing
Start OpenDKIM & restart Postfix:
service opendkim start
service postfix reload
If you send mail from any of the configured domains and watch /var/log/mail.info, you should see nothing mentioning OpenDKIM if it works (errors are logged there if it doesn't). When you check the email source, however, you should see a DKIM-Signature header on the email. Send an email to email@example.com and it'll automatically reply with DKIM test results (as well as SPF & DomainKeys testing) included.
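As an added example that is not part of the original post, the following Python checks the DKIM-Signature header you find in the message source without an external reflector: it parses the tag list, derives the TXT record name that must match the signTable entry, and verifies the bh= body hash against the body actually received. The sample message is constructed; verifying the b= RSA signature itself would additionally need the public key from DNS and is not covered here.

```python
import base64
import hashlib
import re

def parse_tags(header_value: str) -> dict:
    # Tag=value list of a DKIM-Signature header (RFC 6376 s3.2); folding
    # whitespace inside a value (common in b= and bh=) is not part of the value.
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dns_record_name(tags: dict) -> str:
    # TXT record the verifier queries: <selector>._domainkey.<domain>, i.e. the
    # left-hand column of signTable/keyTable in the setup above.
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    # RFC 6376 s3.4.3/3.4.4 body canonicalization (the l= length tag is not handled).
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n\r\n"):  # both methods drop trailing empty lines...
        body = body[:-2]
    if not body.endswith(b"\r\n"):    # ...and end the body with exactly one CRLF
        body += b"\r\n"
    return body

def body_hash(body: bytes, algorithm: str = "rsa-sha256", method: str = "simple") -> str:
    # Base64 digest of the canonicalized body, as carried in the bh= tag.
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, method)).digest()).decode()

def check_body_hash(header_value: str, body: bytes) -> bool:
    # True when bh= matches the body actually received; c= is header/body, with
    # the body method defaulting to simple when only one method is given.
    tags = parse_tags(header_value)
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, tags.get("a", "rsa-sha256"), body_method) == tags.get("bh")

# Constructed sample, not a real message: bh= is computed here so header and body
# agree, and b= is a placeholder because no private key is involved.
SAMPLE_BODY = b"Hello from afterburst.com\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=afterburst.com; s=default;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=<signature-placeholder>"
)
```

Run check_body_hash() on the header and body of a message you received; a False result means the body was altered in transit (or the signer used the l= tag), which is exactly the case where the signature will not verify.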