"DKIM (DomainKeys Identified Mail) "* is an E-mail authentication method designed to detect spoofing of email messages. Dkim allows the recipient to verify that the email was actually sent from a claimed domain.

Install the OpenDKIM package. It performs the header encryption operations for DKIM.

apt-get install opendkim opendkim-tools  

Next, create a certificate for the domain, use opendkim-genkey and form it, create a directory to house the keys:

mkdir /etc/opendkim  

Generate the keys with the command ``:

opendkim-genkey -D /etc/opendkim/ --domain testing.ru --selector dkim  
  • testing.ru - the domain from which the mail will be sent, dkim - selector name, it can be anything.

In the folder /etc/opendkim/ should appear two files with the extensions .private (private key) and .txt (txt record).

Set the opendkim owner group for the created keys:

chown :opendkim /etc/opendkim/*  

Set permissions for the owner group:

chmod g+rw /etc/opendkim/*  
useradd opendkim -m -s /sbin/nologin  

Allow reading to the group owner:

chmod g+r /etc/opendkim/*  

Next, configure the ``DNS''.

See the contents of the txt file:

cat /etc/opendkim/dkim.txt  

Using this content, in the [DNS] control panel (https://fornex.com/help/dns/) we create a TXT record in the following format:

dkim._domainkey IN TXT ("v=DKIM1; k=rsa; "  
  • dkim is the name of our selector, p=MIGfMA0GCSqG...uySVMiwIDAQAB is an abbreviated public key entry.

OpenDKIM and Postfix configuration

Open the opendkim configuration file.

nano /etc/opendkim.conf  

And make it look like this:

AutoRestart Yes  
AutoRestartRate 10/1h  
Umask 002  
Syslog yes  
SyslogSuccess Yes  
LogWhy Yes  
Canonicalization relaxed/simple  
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts  
InternalHosts refile:/etc/opendkim/TrustedHosts  
KeyTable refile:/etc/opendkim/KeyTable  
SigningTable refile:/etc/opendkim/SigningTable  
Mode sv  
PidFile /var/run/opendkim/opendkim.pid  
SignatureAlgorithm rsa-sha256  
UserID opendkim:opendkim  
Socket inet:10021@localhost  
  • all parameters can be left as in the example, Socket - you can specify another port instead of 10021.

Create a file of trusted hosts. It will contain the names of the hosts, domains and IP addresses that will be accepted as trusted and signed.

nano /etc/opendkim/TrustedHosts  

And enter the following:  

Create a table KeyTable. It contains a list of matches between selectors, domains and private key files. The format of the entries:
<селектор>._domainkey.<домен> <домен>:<селектор>:<путь к закрытому ключу>

nano /etc/opendkim/KeyTable  

And according to the format, we convert it to the right format:

dkim._domainkey.testing.ru testing.ru:dkim:/etc/opendkim/dkim.private  

Next we create a SigningTable. In this table we keep the correspondence between the defined email addresses and the entries in the KeyTable.

nano /etc/opendkim/SigningTable  

And make it look like this:

*@testing.ru dkim._domainkey.testing.ru

Start the opendkim service.

service opendkim start  

Open the Postfix configuration file .

nano /etc/postfix/main.cf  

Add or edit:

milter_protocol = 2  
milter_default_action = accept  
smtpd_milters = inet:localhost:10021  
non_smtpd_milters = inet:localhost:10021  
  • If smtpd_milters and non_smtpd_milters are present in the configuration file, the values in this example should be added to the existing ones.
  • 10021 is the opendkim operation port which was set in opendkim.conf.

Restarting Postfix:

service postfix restart  

Send e-mail to different mail systems - mail.ru, gmail.com, yandex.ru.
Open our e-mail and look at the headers (in mail.ru: More - Service headers).
Find the following line, which means that the domain check based on DKIM is configured:
dkim=pass header.d=testing.ru

Updated Sept. 2, 2019