"DKIM (DomainKeys Identified Mail) "* is an E-mail authentication method designed to detect spoofing of email messages. Dkim allows the recipient to verify that the email was actually sent from a claimed domain.

    Install the OpenDKIM package. It performs the cryptographic signing operations for DKIM.

    apt-get install opendkim opendkim-tools  

    Next, create a key pair for the domain with opendkim-genkey. First, create a directory to house the keys:

    mkdir /etc/opendkim  

    Generate the keys with the command:

    opendkim-genkey -D /etc/opendkim/ --domain testing.ru --selector dkim  
    • testing.ru is the domain from which the mail will be sent; dkim is the selector name, which can be anything.

    Two files should appear in the /etc/opendkim/ folder, with the extensions .private (private key) and .txt (TXT record).

    Set opendkim as the owning group of the created keys:

    chown :opendkim /etc/opendkim/*  

    Set permissions for the owner group:

    chmod g+rw /etc/opendkim/*  
    useradd opendkim -m -s /sbin/nologin  

    Allow the owning group to read the keys:

    chmod g+r /etc/opendkim/*  

    Next, configure DNS.

    View the contents of the .txt file:

    cat /etc/opendkim/dkim.txt  

    Using this content, create a TXT record in the DNS control panel (https://fornex.com/help/dns/) in the following format:

    dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqG...uySVMiwIDAQAB" )
    • dkim is the name of our selector; p=MIGfMA0GCSqG...uySVMiwIDAQAB is the public key, abbreviated here.

    OpenDKIM and Postfix configuration

    Open the opendkim configuration file.

    nano /etc/opendkim.conf  

    And make it look like this:

    AutoRestart Yes  
    AutoRestartRate 10/1h  
    Umask 002  
    Syslog yes  
    SyslogSuccess Yes  
    LogWhy Yes  
    Canonicalization relaxed/simple  
    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts  
    InternalHosts refile:/etc/opendkim/TrustedHosts  
    KeyTable refile:/etc/opendkim/KeyTable  
    SigningTable refile:/etc/opendkim/SigningTable  
    Mode sv  
    PidFile /var/run/opendkim/opendkim.pid  
    SignatureAlgorithm rsa-sha256  
    UserID opendkim:opendkim  
    Socket inet:10021@localhost
    • All parameters can be left as in the example; for Socket, you can specify another port instead of 10021.

    Create a file of trusted hosts. It will contain the names of the hosts, domains and IP addresses that will be accepted as trusted and signed.

    nano /etc/opendkim/TrustedHosts  

    And enter the following:  

    Create the KeyTable. It maps selectors and domains to private key files. The format of the entries:
    <selector>._domainkey.<domain> <domain>:<selector>:<path to private key>

    nano /etc/opendkim/KeyTable  

    Following that format, add the entry:

    dkim._domainkey.testing.ru testing.ru:dkim:/etc/opendkim/dkim.private  

    Next, create the SigningTable. It maps sender email addresses to entries in the KeyTable.

    nano /etc/opendkim/SigningTable  

    And make it look like this:

    *@testing.ru dkim._domainkey.testing.ru

    Start the opendkim service.

    service opendkim start  

    Open the Postfix configuration file.

    nano /etc/postfix/main.cf  

    Add or edit:

    milter_protocol = 2  
    milter_default_action = accept  
    smtpd_milters = inet:localhost:10021  
    non_smtpd_milters = inet:localhost:10021  
    • If smtpd_milters and non_smtpd_milters are already present in the configuration file, add the values from this example to the existing ones.
    • 10021 is the port opendkim listens on, as set in opendkim.conf.

    Restart Postfix:

    service postfix restart  

    Send a test email to mailboxes on different mail systems: mail.ru, gmail.com, yandex.ru.
    Open each message and look at the headers (in mail.ru: More - Service headers).
    Find the following line, which means that the DKIM check for the domain is working:
    dkim=pass header.d=testing.ru
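
The header check above can be automated. The following Python script is an added example, not part of the original guide: it goes slightly beyond the check described by also accepting the header.i=@domain form some receivers report, and by counting only Authentication-Results lines stamped by a receiver you trust, so a dkim=pass for another signing domain or from another host does not count. The sample headers and the host names mx.receiver.example, mx.unknown.example and relay.example are constructed assumptions.

```python
import re

# Constructed sample headers, not captured mail. mx.receiver.example stands in for
# the receiving server whose verdict you trust (assumption); relay.example is a third party.
TRUSTED = "mx.receiver.example"
SAMPLES = {
    "folded": "Authentication-Results: mx.receiver.example;\r\n"
              "\tdkim=pass header.d=testing.ru header.s=dkim header.b=AbCdEfGh;\r\n"
              "\tspf=pass (sender IP is 203.0.113.10) smtp.mailfrom=user@testing.ru\r\n",
    "header_i": "Authentication-Results: mx.receiver.example; dkim=pass header.i=@testing.ru\r\n",
    "other_signer": "Authentication-Results: mx.receiver.example; dkim=pass header.d=relay.example\r\n",
    "failed": "Authentication-Results: mx.receiver.example;"
              " dkim=fail (body hash did not verify) header.d=testing.ru\r\n",
    "untrusted": "Authentication-Results: mx.unknown.example; dkim=pass header.d=testing.ru\r\n",
}

def dkim_results(raw_headers, trusted_authserv_id=TRUSTED):
    """Return [(result, signing_domain)] for dkim= clauses stamped by the trusted receiver."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)      # undo header folding
    found = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "authentication-results":
            continue
        value = re.sub(r"\([^()]*\)", " ", value)             # drop (comments)
        authserv_id, *clauses = [part.strip() for part in value.split(";")]
        tokens = authserv_id.split()
        if not tokens or tokens[0].lower() != trusted_authserv_id.lower():
            continue                                          # stamped by another host: ignore
        for clause in clauses:
            method = re.match(r"dkim\s*=\s*([a-z]+)", clause, re.I)
            if not method:
                continue                                      # spf=, dmarc=, ...
            # Prefer header.d; fall back to the domain part of header.i.
            dom = (re.search(r"\bheader\.d\s*=\s*([^\s;]+)", clause, re.I)
                   or re.search(r"\bheader\.i\s*=\s*[^\s;@]*@([^\s;]+)", clause, re.I))
            found.append((method.group(1).lower(),
                          dom.group(1).lower().rstrip(".") if dom else None))
    return found

def signed_by(raw_headers, domain, trusted_authserv_id=TRUSTED):
    """True only if the trusted receiver recorded dkim=pass for a signature by `domain`."""
    return ("pass", domain.lower()) in dkim_results(raw_headers, trusted_authserv_id)

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:13} signed by testing.ru: {signed_by(headers, 'testing.ru')}")
```

Replace TRUSTED with the authserv-id your receiving server actually writes at the start of its Authentication-Results header.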