OpenDKIM + Postfix for Ubuntu

Postfix and OpenDKIM configuration instructions

To set up DKIM on a VPS or a dedicated server, you need to install and configure OpenDKIM. This lets receiving mail servers verify the authenticity of your outgoing emails and increases trust in your messages.

DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect message forgery. DKIM lets the recipient confirm that an email was actually sent from the claimed domain.

Install the OpenDKIM package, which signs outgoing messages for DKIM:

apt-get install opendkim opendkim-tools

Create a directory to store the keys:

mkdir /etc/opendkim

Generate keys for your domain using opendkim-genkey:

opendkim-genkey -D /etc/opendkim/ --domain testing.ru --selector dkim

Note

testing.ru is the domain from which emails will be sent, and dkim is the selector name (it can be anything).

In the /etc/opendkim/ directory, two files will appear, named after the selector: dkim.private (the private key) and dkim.txt (the TXT record for DNS).

Assign the opendkim group as the owner of the keys:

chown :opendkim /etc/opendkim/*

Set group permissions:

chmod g+rw /etc/opendkim/*

Create a user for OpenDKIM:

useradd opendkim -m -s /sbin/nologin

Allow the group to read the files:

chmod g+r /etc/opendkim/*

DNS Configuration

Check the contents of the TXT file:

cat /etc/opendkim/dkim.txt

Use this to create a TXT record in your DNS control panel:

dkim._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDM+aKFwMV4FHLhghuhQs4vEIIIigO0KzRwQojURHI8QV0m/aHt6AqO2JDhXpl54d3uXJj7QWE9653McQZxPQZa6Hu34RY70ap9OZQ664fWeVuyUAZ+VeQ7gGXQBCxPF6nAlnBIsYak+KV/s1HtaUuySVMiwIDAQAB"
  • dkim is the selector name, and p=MIGfMA0GCSqG... is the public key.

OpenDKIM and Postfix Configuration

Open the opendkim.conf file:

nano /etc/opendkim.conf

Example configuration:

AutoRestart             Yes
AutoRestartRate         10/1h
Umask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  inet:10021@localhost

All parameters can remain as shown; the Socket port can be changed if needed.

Create the TrustedHosts file:

nano /etc/opendkim/TrustedHosts

Add the following:

127.0.0.1
localhost
*.testing.ru
  • testing.ru is your mail domain.

Create the KeyTable:

nano /etc/opendkim/KeyTable

Example entry:

dkim._domainkey.testing.ru testing.ru:dkim:/etc/opendkim/dkim.private

Create the SigningTable:

nano /etc/opendkim/SigningTable

Example entry:

*@testing.ru dkim._domainkey.testing.ru

Start the OpenDKIM service:

service opendkim start

Open the Postfix configuration file:

nano /etc/postfix/main.cf

Add or edit the following:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:10021
non_smtpd_milters = inet:localhost:10021
  • If smtpd_milters and non_smtpd_milters already exist, append the new values.
  • The port 10021 should match the Socket setting in opendkim.conf.

Restart Postfix:

service postfix restart

Send a test email to various services like mail.ru, gmail.com, or yandex.ru.

Check the email headers for the line:

dkim=pass header.d=testing.ru

This confirms that DKIM is configured correctly.
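
If the header is missing or does not show dkim=pass, a common cause is a SigningTable key name that has no KeyTable entry, or a key file that is unreadable or exposed to other users. The script below is an added example, not part of the original instructions; the function names audit_dkim, keytable_lookup and key_is_private are hypothetical, and it assumes the one-entry-per-line table format shown above.

```sh
#!/bin/sh
# Added example: cross-check OpenDKIM KeyTable / SigningTable and key file modes.
# Usage: audit_dkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable

# Print the "domain:selector:path" value for a key name; fail if it is absent.
keytable_lookup() {  # $1=KeyTable $2=key name
    awk -v k="$2" '$1 == k { print $2; found = 1; exit } END { exit !found }' "$1"
}

# Return 0 if the file grants no permissions to "other" users.
key_is_private() {  # $1=key file
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" = "---" ]
}

audit_dkim() {  # $1=KeyTable $2=SigningTable
    errors=0
    # SigningTable lines: <sender pattern> <key name>
    while read -r pattern keyname extra; do
        case "$pattern" in ''|'#'*) continue ;; esac
        if ! entry=$(keytable_lookup "$1" "$keyname"); then
            echo "FAIL $pattern: key name '$keyname' not in KeyTable"
            errors=$((errors + 1)); continue
        fi
        # KeyTable value: domain:selector:path
        domain=${entry%%:*}; rest=${entry#*:}
        selector=${rest%%:*}; keyfile=${rest#*:}
        # -r tests readability for the user running this script
        if [ ! -r "$keyfile" ]; then
            echo "FAIL $keyname: $keyfile missing or unreadable"
            errors=$((errors + 1))
        elif ! key_is_private "$keyfile"; then
            echo "FAIL $keyname: $keyfile is accessible to other users"
            errors=$((errors + 1))
        else
            echo "OK   $pattern signs with $keyfile; DNS name $selector._domainkey.$domain"
        fi
    done < "$2"
    [ "$errors" -eq 0 ]
}
```

Source the file and call audit_dkim with the two table paths after editing either table; the DNS name it prints is where the TXT record must be published. The opendkim-testkey utility from opendkim-tools can then compare that published record with the private key.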
