Identify your mail service with OpenDKIM and Postfix

Signing your email with DomainKeys Identified Mail (DKIM) lets a receiving server check that a message really came from your domain and was not altered in transit, which helps both against spam and against phishing that impersonates your domain. In this post I show how to configure OpenDKIM and Postfix.


As usual, all configuration is done on CentOS 6, with Postfix 2.6.6 and OpenDKIM 2.10.3.


The installation is straightforward; OpenDKIM is packaged in the EPEL repository:

yum install epel-release  
yum install opendkim  


The configuration can be split into two parts: the OpenDKIM and Postfix configuration, and the DNS configuration. All my clients come from a local subnet.

Let's start with OpenDKIM.

Base configuration

Just update your opendkim.conf file.

cat << EOF > /etc/opendkim.conf
PidFile            /var/run/opendkim/
# sv = sign outbound mail from internal hosts, verify everything else
Mode               sv
Syslog             yes
SyslogSuccess      yes
# log the reason whenever a message is not signed (no table match, host not internal, ...)
LogWhy             yes
UserID             opendkim:opendkim
# Postfix talks to the milter over this loopback TCP socket
Socket             inet:8891@localhost
Umask              002
# relaxed header/body canonicalization tolerates whitespace changes by intermediate MTAs
Canonicalization   relaxed/relaxed
MinimumKeyBits     1024
KeyTable           /etc/opendkim/KeyTable
SigningTable       refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts      refile:/etc/opendkim/TrustedHosts
EOF

As you can see, I use the same list for ExternalIgnoreList and InternalHosts, because I plan to use this service only from my private mail server (relay). InternalHosts lists the clients whose outgoing mail gets signed instead of verified; ExternalIgnoreList lists hosts that are allowed to send mail through this server as one of the signing domains without further credentials. For a relay that only serves one private network, one list covers both.

Signing table

The signing table selects one or more signatures to apply to a message, based on the address found in the From: header field.

Let's create the signing table for our domain, using the selector mail.

cat << EOF > /etc/opendkim/SigningTable  

This rule tells OpenDKIM to sign all emails sent from the domain.

Key table

The key table tells OpenDKIM which key to use when signing for a specific domain. For example:

cat << EOF > /etc/opendkim/KeyTable  

Trusted hosts

Then we create the TrustedHosts list. As you may recall, this list is used by both ExternalIgnoreList and InternalHosts.

As I said before, my trusted network is a private subnet, so I add the whole subnet to the TrustedHosts file.

cat << EOF > /etc/opendkim/TrustedHosts  

Note that entries can be written either as a single IP address or as a CIDR range. If mail is also submitted locally on this host (for example with the sendmail command or a local MUA), add 127.0.0.1 as well: once InternalHosts points at a file, the built-in default of localhost no longer applies, and locally submitted mail would be verified instead of signed.

Generate keys

Now we need to generate our RSA key.

mkdir /etc/opendkim/keys/  
opendkim-genkey --restrict --bits=1024 --directory=/etc/opendkim/keys/ --selector=mail  

As you can see, we generate a 1024-bit key for our domain. The --restrict flag adds s=email to the published record, which limits the key to use with email (the only service type DKIM defines). 1024 bits matches the MinimumKeyBits setting above and is the smallest size verifiers accept; current guidance (RFC 8301) recommends 2048 bits, and opendkim-genkey splits such a longer public key across several quoted strings in the .txt file so that it fits the 255-byte limit of a single TXT string. One common pitfall: opendkim-genkey writes the private key owned by the user who ran it (root) with mode 600, while the daemon runs as opendkim, so chown the key directory to opendkim:opendkim or signing will fail with a permission error.

At this point the OpenDKIM configuration is finished and we can proceed to the DNS records.

Add DNS record

The DNS record to publish is in the .txt file that opendkim-genkey wrote next to your domain's private key.

cat /etc/opendkim/keys/  
mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; s=email; "  
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNVHEgWJ4tIjd52lePqWdtr1jhgxKJkuFpcy6oDMOrcWWxn2lACJF5MN2DdQsZM8KS9y1NHDqaQTESqBDXJfO5peoRxWqrkj9OcHcM+Er6vg2W4SKqIdzsoWeA2jk/nvZpInI4gbvBaIRMu98T5pKhZet/2xTzXOu/w9rgo6eokwIDAQAB" )  ; ----- DKIM key mail for
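Before pasting the record into the zone, it is worth checking that what you publish is what OpenDKIM and remote verifiers expect. The following Python script is an added example, not part of the original post and not OpenDKIM's own code. It takes the record printed above as its sample input (copied from the page; the domain name after "DKIM key mail for" is omitted here because it is omitted above), joins the quoted TXT strings, parses the DKIM tags, and decodes the p= value just far enough to read the RSA modulus size and public exponent. That lets it check the key length and the s=email restriction discussed in the Generate keys section, the 255-byte limit on a single TXT string, and the empty p= case that RFC 6376 uses to mark a revoked key. All function and variable names are mine.

```python
import base64
import re

# Constructed sample input: the TXT record opendkim-genkey printed earlier in
# this post, copied verbatim. The domain after "DKIM key mail for" is omitted
# here because it is omitted in the post as well.
GENKEY_TXT = (
    'mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; s=email; "\n'
    '          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNVHEgWJ4tIjd52lePqWdtr1jhgxKJkuFpcy6oDMOrcWWxn2lACJF5MN2DdQsZM8KS9y1NHDqaQTESqBDXJfO5peoRxWqrkj9OcHcM+Er6vg2W4SKqIdzsoWeA2jk/nvZpInI4gbvBaIRMu98T5pKhZet/2xTzXOu/w9rgo6eokwIDAQAB" )  ; ----- DKIM key mail for\n'
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(spki_der):
    """Return (modulus bits, public exponent) from a DER SubjectPublicKeyInfo.

    Layout: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                       BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    tag, spki, _ = _tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":  # first byte = unused bits, must be 0
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _tlv(bitstr, 1)
    n_tag, n, pos = _tlv(rsapub, 0)
    e_tag, e, _ = _tlv(rsapub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_record(record_text):
    """Split a zone-file TXT record into (owner name, quoted strings, DKIM tag dict)."""
    name = record_text.split()[0]
    strings = re.findall(r'"([^"]*)"', record_text)
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace inside a value is ignored
    return name, strings, tags


def check_dkim_record(record_text, min_bits=1024):
    """Validate a DKIM key record before publishing it; return (problems, info)."""
    name, strings, tags = parse_record(record_text)
    problems, warnings = [], []
    info = {"name": name, "tags": tags, "warnings": warnings}
    if "._domainkey" not in name:
        problems.append("owner name must be <selector>._domainkey[.<domain>]")
    for s in strings:
        if len(s.encode()) > 255:
            problems.append("a quoted TXT string exceeds 255 bytes; split it")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for a key generated by opendkim-genkey")
    services = tags.get("s", "*").split(":")
    if "*" not in services and "email" not in services:
        problems.append("s= does not permit use for email")
    if not tags.get("p"):
        problems.append("p= is empty, which RFC 6376 defines as a revoked key")
        return problems, info
    try:
        bits, exponent = rsa_key_info(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError subclass
        problems.append(f"p= is not a valid RSA public key: {exc}")
        return problems, info
    info.update(bits=bits, exponent=exponent)
    if bits < min_bits:
        problems.append(f"key is {bits} bits, below the {min_bits}-bit minimum")
    elif bits < 2048:
        warnings.append(f"{bits}-bit key works, but RFC 8301 recommends 2048 bits or more")
    if exponent < 3 or exponent % 2 == 0:
        problems.append("public exponent must be an odd integer >= 3")
    return problems, info


if __name__ == "__main__":
    found, details = check_dkim_record(GENKEY_TXT)
    print(details["name"], details.get("bits"), "bits, e =", details.get("exponent"))
    for line in found + details["warnings"]:
        print(" -", line)
```

Run against the record above it reports a 1024-bit key with exponent 65537 and no problems, plus the 2048-bit recommendation as a warning; raising min_bits to 2048 turns that into a hard failure, which is how you would enforce the stricter policy on a new selector. The DER walk is deliberately minimal (it only understands the rsaEncryption SubjectPublicKeyInfo that opendkim-genkey emits) so the script has no dependencies beyond the standard library and runs on the mail server itself.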

Update postfix configuration

To enable signing of outbound email, Postfix must hand messages to the OpenDKIM milter. smtpd_milters covers mail received over SMTP and non_smtpd_milters covers mail submitted locally (sendmail command, pickup), so both point at the same socket. milter_default_action = accept means that if OpenDKIM is unreachable, Postfix delivers the mail unsigned instead of deferring it; that favours availability over signing, so make sure OpenDKIM is actually running and enabled at boot (service opendkim start; chkconfig opendkim on) before reloading Postfix.

cat << EOF >> /etc/postfix/
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept
EOF
service postfix reload
service opendkim reload

Test how identify service works

Send a test email through Postfix; the mail log should then contain a line like the following:

Nov 13 03:35:14 opendkim[7324]: 4C1641A80D80: DKIM-Signature field added (s=mail,  

That means signing works on the sending side. To confirm that receivers can verify the signature (which also proves the DNS record is published correctly), send a message to a mailbox you control on another provider and check its Authentication-Results header for dkim=pass with your domain and selector.
