How to configure OpenDKIM on Linux with Postfix and setup bind zonefile

This guide assumes you have a working Postfix server and want it to sign with DKIM.

There are a few things we  have to understand to make all of this work though, which require you to be familiar with DNS as well.

 

1.) Install OpenDKIM

apt install opendkim

systemctl enable opendkim

2.) Edit /etc/opendkim.conf

Syslog   yes
SyslogSuccess yes
Mode     sv
OmitHeaders .
Socket   inet:8891@localhost
Domain   yourdomain.com
KeyTable        /etc/opendkim/KeyTable
SigningTable   refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
UserID  opendkim:opendkim

3.) Create your first OpenDKIM Key for your domain

yourdomain=yourdomain.com

mkdir -p /etc/opendkim/keys/$yourdomain
cd /etc/opendkim/keys/$yourdomain
opendkim-genkey -r -d $yourdomain

4.) Configure KeyTable and SigningTable

 

#Add this line to /etc/opendkim/KeyTable

The "default" is what is called the selector, it could be nearly anything but we're calling it default here.  Be sure to change "yourdomain.com" to the actual domain you want DKIM signing for.

default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default.private

#Add this to line to /etc/opendkim/SigningTable

*@yourdomain.com default._domainkey.yourdomain.com

The * allows all e-mails from the domain to be signed, change it if this should not be the case.

Again, be sure you change yourdomain.com to your actual domain that you setup in the KeyTable in the previous step.

*Remember to restart opendkim after adding any new domain or the change will not be applied and e-mails will not be signed.

 

5.) Edit your Your DNS zonefile for yourname.com
 

Here's an example using bind/named:

#edit bind/named DNS entry for domain/zone

cat /etc/opendkim/keys/yourdomain.com/default.txt

Take the output of the above and then add it to your zonefile like below:

default._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; s=email; "
      "p=blablabla" )  ; ----- DKIM key default for yourdomain.com


Be sure to change the blablabla to the output of /etc/opendkim/keys/yourdomain.com/default.txt

_dmarc.yourdomain.com.      IN     TXT    "v=DMARC1; p=quarantine; rua=mailto:someaddress@yourdomain.com"
 

Be sure to change someaddress@yourdomain.com to a real address for your domain, you will receive DMARC reports to this address.

Make sure your zonefile has a valid SPF record or none of this will work properly.

yourdomain.com.    IN TXT "v=spf1 a mx +all"

The above is a quick example of a zonefile entry in bind for SPF, it allows your domain's A record MX record to send mail and doesn't have a hard fail.  If for example you need to add another server's IP (perhaps another server needs to send mail for yourdomain.com) then update as below:

As you'll see adding the +ip4:8.8.8.8 would allow a server with 8.8.8.8 to send mail for the domain.

yourdomain.com.    IN TXT "v=spf1 a mx +ip4:8.8.8.8 +all"

 

Set permissions to be sure:

chown -R opendkim.opendkim /etc/opendkim

5.) Enable OpenDKIM milter in Postfix

# edit /etc/postfix/main.cf
cp -a /etc/postfix/main.cf /etc/postfix/main.cf-`date +%Y%m%d-%s`
 

#edit /etc/postfix/main.cf

#enable dkim
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept

systemctl restart postfix

 *Remember to restart opendkim after adding any new domain or the change will not be applied and e-mails will not be signed.

 

 

 

 
 

 

 


Tags:

configure, opendkim, linux, postfix, bind, zonefilethis, assumes, server, dkim, dns, install, apt, systemctl, enable, edit, etc, conf, syslog, syslogsuccess, mode, sv, omitheaders, socket, inet, localhost, domain, yourdomain, keytable, signingtable, refile, externalignorelist, trustedhosts, internalhosts, userid, mkdir, genkey, quot, default, selector, _domainkey, allows, mails, previous, zonefile, yourname, entry, txt, output, rsa, email, blablabla, _dmarc, dmarc, quarantine, rua, mailto, someaddress, permissions, chown, milter, cf, cp, smtpd_milters, non_smtpd_milters, milter_default_action, restart,

Latest Articles

  • python mysql install error: /bin/sh: 1: mysql_config: not found /bin/sh: 1: mariadb_config: not found /bin/sh: 1: mysql_config: not found mysql_config --version
  • FreePBX 17 How To Add a Trunk
  • Docker Container Onboot Policy - How to make sure a container is always running
  • FreePBX 17 How To Add Phones / Extensions and Register
  • Warning: The driver descriptor says the physical block size is 2048 bytes, but Linux says it is 512 bytes. solution
  • Cisco How To Use a Third Party SIP Phone (eg. Avaya, 3CX)
  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX 17 in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups
  • How to install gns3 on Linux Ubuntu Mint
  • How to convert audio for Asterisk .wav format
  • Using Cisco CME Router with Asterisk as a dial-peer
  • Cisco CME How To Configure SIP Trunk VOIP
  • Virtualbox host Only Network Error Failed to save host network interface parameter - Cannot change gateway IP of host only network
  • Cisco CME and C7200 Router Testing and Learning Environment on Ubuntu 20+ Setup Tutorial Guide