Stack Setup

Postfix DKIM Setup

Here we setup DKIM ( for use with Postfix. To build the DKIM's for each email, we use software called OpenDKIM. This sits on a port listening on localhost only, and Postfix will pass emails 'through' the OpenDKIM server which will apply the keys (where appropriate – ie only on mail from owned domains).

DKIM is a three step process:

Setup OpenDKIM

Firstly we need to install OpenDKIM, via apt-get in this case: apt-get install opendkim opendkim-tools

Next to configure OpenDKIM, which uses two files /etc/opendkim.conf and /etc/default/opendkim. The second file simply lists the port and IP to bind to. The most important part is telling OpenDKIM where to locate a few files (key table, signing table & hosts lists):

KeyTable        /mail/dkim/keyTable
SigningTable        /mail/dkim/signTable
ExternalIgnoreList  /mail/dkim/hosts
InternalHosts       /mail/dkim/hosts

Example /mail/dkim/hosts (simple list of domains):

Example /mail/dkim/signTable (maps domain => DNS txt record name):

Example /mail/dkim/keyTable (maps DNS txt record name => domain private key):

Configure Postfix

In /etc/postfix/

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12000
non_smtpd_milters = inet:localhost:12000

That assumes you've setup /etc/default/opendkim to use port 12000 and localhost/ to bind to.

Generate Keys

To generate a private/public key combo for a domain, simply:

opendkim-genkey -d

This creates two files: default.txt, which is a TXT record you need to apply on your DNS server, and default.private, which needs to be placed according to the OpenDKIM configuration above (keyTable).

Running & Testing

Start OpenDKIM & restart Postfix:

service opendkim start
service postfix reload

If you send mail from any configured domains and watch /var/log/ you should see nothing mentioning OpenDKIM (if it works). However when you check the email source you should see the DKIM along with the email. Send an email to and it'll automatically reply with DKIM test results (as well as SPF & DomainKeys testing) included.