DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect spoofing of email messages. DKIM allows the recipient to verify that the email was actually sent from the claimed domain.
Install the OpenDKIM package. It performs the DKIM signing of message headers.
apt-get install opendkim opendkim-tools
Next, generate a key pair for the domain with opendkim-genkey. First create a directory to hold the keys:
mkdir /etc/opendkim
Generate the keys:
opendkim-genkey -D /etc/opendkim/ --domain testing.ru --selector dkim
- testing.ru is the domain from which the mail will be sent; dkim is the selector name, which can be anything.
Two files should now appear in /etc/opendkim/: one with the extension .private (the private key) and one with .txt (the TXT record for DNS).
Set opendkim as the owner group of the created keys:
chown :opendkim /etc/opendkim/*
Set read and write permissions for the owner group:
chmod g+rw /etc/opendkim/*
Create the opendkim user if the package did not already create it:
useradd opendkim -m -s /sbin/nologin
Allow the owner group to read the keys:
chmod g+r /etc/opendkim/*
Next, configure the DNS.
View the contents of the txt file:
cat /etc/opendkim/dkim.txt
Using this content, create a TXT record in the DNS control panel (https://fornex.com/help/dns/) in the following format:
dkim._domainkey IN TXT ("v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDM+aKFwMV4FHLhuhQs4vEIIIigO0KzRwQojUR8QV0m/aHt6AqO2JDhXpl54d3uXJj7QWE9653McQZxPQZa6Hu34RY70ap9OZQ664fWeVuyUAZ+VeQ7gGXQBCxPF6nAlnBIsYak+KV/s1HtaUuySVMiwIDAQAB"
- dkim is the name of our selector; p=MIGfMA0GCSqG...uySVMiwIDAQAB is the public key, shown abbreviated here.
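A common failure at this step is a TXT record that differs from the generated key (a copy-paste that drops a character, or a record that was never updated after a new key was generated). The script below is an added example, not part of the original article: it collapses the multi-line dkim.txt that opendkim-genkey writes into the single string a verifier sees, pulls out the p= value, and offers two checks against a real server, one comparing with what DNS serves (assumes dig) and one comparing with the private key on disk (assumes openssl). The sample key is the one shown in the article; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: check that the DKIM public key
# opendkim-genkey wrote to dkim.txt is the one DNS publishes, and that it matches
# the private key. Assumes grep -o, sed, tr and mktemp; the two live checks also
# assume dig and openssl. PUBKEY is the sample key shown in the article.

PUBKEY='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDM+aKFwMV4FHLhuhQs4vEIIIigO0KzRwQojUR8QV0m/aHt6AqO2JDhXpl54d3uXJj7QWE9653McQZxPQZa6Hu34RY70ap9OZQ664fWeVuyUAZ+VeQ7gGXQBCxPF6nAlnBIsYak+KV/s1HtaUuySVMiwIDAQAB'

# Collapse a BIND-style TXT record (one or more "..." segments, possibly spread
# over several lines inside parentheses) into the single string a verifier sees.
normalize_txt() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# TXT string from the file opendkim-genkey produced, e.g. /etc/opendkim/dkim.txt.
txt_from_keyfile() {
    normalize_txt < "$1"
}

# Base64 value of the p= tag of a normalized TXT string (empty if there is none).
# The tag is matched only after "; " or a space so that "p=" inside base64 cannot match.
pubkey_tag() {
    printf '%s' "$1" | sed -n 's|.*[; ]p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# Returns 0 when the p= in the key file equals the p= that DNS serves for
# <selector>._domainkey.<domain>. Needs dig and network access.
published_key_matches() {   # args: keyfile selector domain
    expected=$(pubkey_tag "$(txt_from_keyfile "$1")")
    actual=$(pubkey_tag "$(dig +short TXT "$2._domainkey.$3" | normalize_txt)")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Returns 0 when the private key on disk is the pair of the key in the TXT file.
# p= carries the base64 DER SubjectPublicKeyInfo, which openssl derives from the
# private key. Needs openssl.
private_key_matches() {     # args: keyfile privatekey
    expected=$(pubkey_tag "$(txt_from_keyfile "$1")")
    actual=$(openssl pkey -in "$2" -pubout -outform DER | base64 | tr -d '\n')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed copy of a dkim.txt in the multi-line, quoted form opendkim-genkey writes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<EOF
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=$PUBKEY" )  ; ----- DKIM key dkim for testing.ru
EOF

printf 'TXT value to publish: %s\n' "$(txt_from_keyfile "$SAMPLE")"
# Against a real server the live checks would be:
#   published_key_matches /etc/opendkim/dkim.txt dkim testing.ru && echo "DNS record matches"
#   private_key_matches /etc/opendkim/dkim.txt /etc/opendkim/dkim.private && echo "key pair matches"
```

Run it once after the record has propagated; a mismatch in published_key_matches means the DNS record, not the mail server, needs fixing. opendkim-tools ships opendkim-testkey (for example `opendkim-testkey -d testing.ru -s dkim -k /etc/opendkim/dkim.private -vvv`), which performs the same live comparison on the server itself.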
OpenDKIM and Postfix configuration
Open the opendkim configuration file.
nano /etc/opendkim.conf
And make it look like this:
AutoRestart Yes
AutoRestartRate 10/1h
Umask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:10021@localhost
- All parameters can be left as in the example; for Socket you can specify a port other than 10021.
Create a file of trusted hosts. It will contain the host names, domains and IP addresses that are treated as trusted and whose mail is signed.
nano /etc/opendkim/TrustedHosts
And enter the following:
127.0.0.1
localhost
*.testing.ru
- where testing.ru is the mail domain.
Create the KeyTable. It lists the correspondence between selectors, domains and private key files. The format of an entry:
<selector>._domainkey.<domain> <domain>:<selector>:<path to private key>
nano /etc/opendkim/KeyTable
Following this format, add the entry:
dkim._domainkey.testing.ru testing.ru:dkim:/etc/opendkim/dkim.private
Next, create the SigningTable. It maps sender email addresses to entries in the KeyTable.
nano /etc/opendkim/SigningTable
And make it look like this:
*@testing.ru dkim._domainkey.testing.ru
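When a SigningTable entry names a key that no KeyTable line defines, or a KeyTable line points at a private key file that does not exist or that the opendkim user cannot read, OpenDKIM does not fail loudly; the mail simply goes out unsigned. The script below is an added example, not part of the original article: it validates the two tables against each other and against the filesystem before the service is started. The tables and the placeholder key file are constructed in a temporary directory so it runs offline; it assumes POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original article: check the OpenDKIM KeyTable and
# SigningTable for the mistakes that make the milter silently skip signing: a
# KeyTable line without the domain:selector:path shape, a private key path that is
# missing or unreadable, and a SigningTable entry pointing at a key name that no
# KeyTable line defines. Sample tables are constructed in a temp directory.

# Validate a KeyTable. Each non-comment line: <key name> <domain>:<selector>:<private key path>.
# Prints one line per problem; returns 1 if any was found, 0 if the table is clean.
check_keytable() {   # arg: KeyTable path
    rc=0
    while read -r name spec; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$spec" in
            *:*:*) ;;
            *) echo "KeyTable: $name: expected domain:selector:path, got '$spec'"; rc=1; continue ;;
        esac
        keypath=${spec#*:*:}          # third field: path to the private key
        if [ ! -r "$keypath" ]; then
            echo "KeyTable: $name: private key $keypath is missing or unreadable"; rc=1
        fi
    done < "$1"
    return $rc
}

# Validate a SigningTable against a KeyTable. Each line: <sender pattern> <key name>.
# Flags key names that no KeyTable line defines (exact match on the first column).
check_signingtable() {   # args: SigningTable path, KeyTable path
    rc=0
    while read -r pattern keyname; do
        case "$pattern" in ''|'#'*) continue ;; esac
        if ! awk -v k="$keyname" '$1 == k { found = 1 } END { exit !found }' "$2"; then
            echo "SigningTable: $pattern refers to key $keyname, which is not in the KeyTable"; rc=1
        fi
    done < "$1"
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
echo "placeholder, not a real key" > "$WORK/dkim.private"   # stands in for /etc/opendkim/dkim.private

# Clean tables, mirroring the article's single-domain setup.
cat > "$WORK/KeyTable" <<EOF
dkim._domainkey.testing.ru testing.ru:dkim:$WORK/dkim.private
EOF
cat > "$WORK/SigningTable" <<'EOF'
*@testing.ru dkim._domainkey.testing.ru
EOF

# Broken tables: a second domain whose key file was never generated, and a
# subdomain whose SigningTable entry has no matching KeyTable line.
cat > "$WORK/KeyTable.broken" <<EOF
dkim._domainkey.testing.ru testing.ru:dkim:$WORK/dkim.private
dkim._domainkey.example.com example.com:dkim:$WORK/example.private
EOF
cat > "$WORK/SigningTable.broken" <<'EOF'
*@testing.ru dkim._domainkey.testing.ru
*@example.com dkim._domainkey.example.com
*@mail.testing.ru mail._domainkey.testing.ru
EOF

if check_keytable "$WORK/KeyTable" && check_signingtable "$WORK/SigningTable" "$WORK/KeyTable"; then
    echo "clean tables: consistent"
fi
check_keytable "$WORK/KeyTable.broken" || true
check_signingtable "$WORK/SigningTable.broken" "$WORK/KeyTable.broken" || true
```

On a real server run it as the opendkim user (for example with `su -s /bin/sh opendkim -c '...'`) so that the readability test reflects the permissions the milter actually has, which is exactly what the chown and chmod steps above are meant to guarantee.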
Start the opendkim service.
service opendkim start
Open the Postfix configuration file.
nano /etc/postfix/main.cf
Add or edit:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:10021
non_smtpd_milters = inet:localhost:10021
- If smtpd_milters and non_smtpd_milters are already present in the configuration file, add the values from this example to the existing ones.
- 10021 is the port OpenDKIM listens on, as set in opendkim.conf.
Restart Postfix:
service postfix restart
Send an email to several different mail systems: mail.ru, gmail.com, yandex.ru.
Open the received email and look at the headers (in mail.ru: More - Service headers).
Find the following line, which indicates that DKIM-based domain verification is working:
dkim=pass header.d=testing.ru
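Reading the verdict by eye works for one test message; for a check that can be repeated (for example over a saved copy of each test message), the script below is an added example, not part of the original article. It unfolds the Authentication-Results header, copes with more than one such header (each receiving hop adds its own), and confirms not just dkim=pass but also that header.d is our domain, since a pass for some other domain says nothing about our signature. The sample headers are constructed; it assumes POSIX sh, awk, sed and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original article: read the DKIM verdict out of a
# received message's Authentication-Results header. Handles folded (continued)
# header lines and more than one Authentication-Results header, and checks that
# the signing domain (header.d) is the expected one. Sample headers are constructed.

# Print each Authentication-Results header value, unfolded, one per line, topmost
# header first (the receiving server's own header is normally the topmost one).
auth_results() {   # arg: file containing the message headers (a body may follow)
    awk '
        /^$/                       { if (keep) print val; keep = 0; exit }   # blank line ends the headers
        /^[[:space:]]/             { if (keep) { sub(/^[[:space:]]+/, ""); val = val " " $0 }; next }
                                   { if (keep) print val; keep = 0 }
        /^Authentication-Results:/ { keep = 1; val = substr($0, 24); sub(/^[[:space:]]+/, "", val) }
        END                        { if (keep) print val }
    ' "$1"
}

# From one header value, print "<dkim result> <header.d domain>", e.g. "pass testing.ru".
# Prints nothing if the value has no dkim= clause followed by a header.d= tag.
dkim_verdict() {   # arg: one unfolded Authentication-Results value
    printf '%s\n' "$1" | sed -n 's/.*[; ]dkim=\([a-z]*\).*header\.d=\([^ ;]*\).*/\1 \2/p'
}

# Returns 0 when the topmost Authentication-Results header says dkim=pass for the
# expected domain, 1 otherwise.
dkim_passes_for() {   # args: headers file, expected signing domain
    top=$(auth_results "$1" | head -n 1)
    [ "$(dkim_verdict "$top")" = "pass $2" ]
}

# Constructed headers: the receiving server's verdict on top, a relay's header below it.
HDR=$(mktemp)
trap 'rm -f "$HDR"' EXIT
cat > "$HDR" <<'EOF'
Return-Path: <user@testing.ru>
Authentication-Results: mx.example.net;
    dkim=pass header.d=testing.ru header.s=dkim header.b=ABCD1234;
    spf=pass smtp.mailfrom=testing.ru
Authentication-Results: relay.example.org; dkim=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=testing.ru; s=dkim;
    h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: user@testing.ru
Subject: DKIM test

This is the constructed message body.
EOF

auth_results "$HDR"
if dkim_passes_for "$HDR" testing.ru; then
    echo "DKIM verified for testing.ru"
else
    echo "DKIM not verified for testing.ru"
fi
```

Save the raw source of the test message from each provider to a file and run dkim_passes_for on it; a result of fail or none from one provider but pass from the others usually points at a DNS record that has not propagated to that provider's resolvers yet, whereas none everywhere means Postfix is not handing mail to the milter at all.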