OpenDKIM + Postfix for Ubuntu
Postfix and OpenDKIM configuration instructions
To set up DKIM on a VPS or a dedicated server, you need to install and configure OpenDKIM. This allows you to verify the authenticity of your outgoing emails and increases trust in your messages.
“DKIM (DomainKeys Identified Mail)” is an email authentication method designed to detect message forgery. DKIM lets the recipient confirm that an email was actually sent from the claimed domain.
Install the OpenDKIM package, which handles the signing of headers for DKIM:
apt-get install opendkim opendkim-tools
Create a directory to store the keys:
mkdir /etc/opendkim
Generate keys for your domain using opendkim-genkey:
opendkim-genkey -D /etc/opendkim/ --domain testing.ru --selector dkim
Note: testing.ru is the domain from which emails will be sent, and dkim is the selector name (it can be anything).
In the /etc/opendkim/ directory, two files will appear: dkim.private (the private key) and dkim.txt (the TXT record for DNS).
Assign the opendkim group as the owner of the keys:
chown :opendkim /etc/opendkim/*
Set group permissions:
chmod g+rw /etc/opendkim/*
Create a user for OpenDKIM:
useradd opendkim -m -s /sbin/nologin
Allow the group to read the files:
chmod g+r /etc/opendkim/*
DNS Configuration
Check the contents of the TXT file:
cat /etc/opendkim/dkim.txt
Use this to create a TXT record in your DNS control panel:
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDM+aKFwMV4FHLhghuhQs4vEIIIigO0KzRwQojURHI8QV0m/aHt6AqO2JDhXpl54d3uXJj7QWE9653McQZxPQZa6Hu34RY70ap9OZQ664fWeVuyUAZ+VeQ7gGXQBCxPF6nAlnBIsYak+KV/s1HtaUuySVMiwIDAQAB"
dkim is the selector name, and p=MIGfMA0GCSqG... is the public key.
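Added example (not from the original guide): the p= value above starts with MIGf, the base64 prefix of a 1024-bit RSA public key, and this Python code reads the key size out of a record in the dkim.txt layout. The function names, the filler modulus built by sample_record and the 2048-bit threshold are assumptions of this example.

```python
import base64
import re

def parse_dkim_txt(zone_text):
    """Join the quoted chunks of a zone-file TXT record and split it into tags."""
    record = "".join(re.findall(r'"([^"]*)"', zone_text))
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def _tlv(buf, pos=0):
    """Read one DER element at pos; return (content, offset of the next element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return buf[pos:pos + length], pos + length

def rsa_bits(p_value):
    """Modulus size in bits of the base64 SubjectPublicKeyInfo carried in p=."""
    spki, _ = _tlv(base64.b64decode(p_value))  # outer SEQUENCE
    _, after_alg = _tlv(spki)                  # AlgorithmIdentifier, skipped
    bit_string, _ = _tlv(spki, after_alg)      # BIT STRING wrapping RSAPublicKey
    rsa_key, _ = _tlv(bit_string[1:])          # drop the unused-bits byte
    modulus, _ = _tlv(rsa_key)                 # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def _der(tag, content):
    """Encode one DER element; only used to build the constructed sample."""
    size = len(content)
    if size < 0x80:
        return bytes([tag, size]) + content
    raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def sample_record(bits):
    """Constructed record in the page's layout; the modulus is filler, not a real key."""
    modulus = b"\x00" + b"\xc3" * (bits // 8)
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + key))).decode()
    return ('dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n'
            '\t"p=%s"\n\t"%s" )' % (p[:200], p[200:]))

def audit(zone_text, minimum=2048):
    """Return (bits, ok) for the record; ok is False below the chosen minimum."""
    bits = rsa_bits(parse_dkim_txt(zone_text)["p"])
    return bits, bits >= minimum
```

To check the real file, pass its contents: audit(open("/etc/opendkim/dkim.txt").read()). opendkim-genkey takes -b to choose the key size, and RFC 8301 recommends at least 2048 bits for RSA signing keys.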
OpenDKIM and Postfix Configuration
Open the opendkim.conf file:
nano /etc/opendkim.conf
Example configuration:
AutoRestart Yes
AutoRestartRate 10/1h
Umask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:10021@localhost
All parameters can remain as shown; the Socket port can be changed if needed.
Create the TrustedHosts file:
nano /etc/opendkim/TrustedHosts
Add the following:
127.0.0.1
localhost
*.testing.ru
testing.ru is your mail domain.
Create the KeyTable:
nano /etc/opendkim/KeyTable
Example entry:
dkim._domainkey.testing.ru testing.ru:dkim:/etc/opendkim/dkim.private
Create the SigningTable:
nano /etc/opendkim/SigningTable
Example entry:
*@testing.ru dkim._domainkey.testing.ru
Start the OpenDKIM service:
service opendkim start
Open the Postfix configuration file:
nano /etc/postfix/main.cf
Add or edit the following:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:10021
non_smtpd_milters = inet:localhost:10021
- If smtpd_milters and non_smtpd_milters already exist, append the new values.
- The port 10021 should match the Socket setting in opendkim.conf.
Restart Postfix:
service postfix restart
Send a test email to various services like mail.ru, gmail.com, or yandex.ru.
Check the email headers for the line:
dkim=pass header.d=testing.ru
This confirms that DKIM is configured correctly.