There are a few things we have to understand to make all of this work, and they require you to be familiar with DNS as well.
apt install opendkim
systemctl enable opendkim
#edit /etc/opendkim.conf
Syslog yes
SyslogSuccess yes
Mode sv
OmitHeaders .
Socket inet:8891@localhost
Domain yourdomain.com
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
UserID opendkim:opendkim
yourdomain=yourdomain.com
mkdir -p /etc/opendkim/keys/$yourdomain
cd /etc/opendkim/keys/$yourdomain
#writes default.private (the signing key) and default.txt (the DNS record) into the current directory
opendkim-genkey -r -d $yourdomain
#Add this line to /etc/opendkim/KeyTable
The "default" part is what is called the selector; it could be nearly anything, but we're calling it default here. Be sure to change "yourdomain.com" to the actual domain you want DKIM signing for.
default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default.private
#Add this line to /etc/opendkim/SigningTable
*@yourdomain.com default._domainkey.yourdomain.com
The * allows all e-mails from the domain to be signed; change it if that should not be the case.
Again, be sure you change yourdomain.com to the actual domain that you set up in the KeyTable in the previous step.
*Remember to restart opendkim after adding any new domain or the change will not be applied and e-mails will not be signed.
Here's an example using bind/named:
#edit bind/named DNS entry for domain/zone
cat /etc/opendkim/keys/yourdomain.com/default.txt
Take the output of the above and then add it to your zonefile like below:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=blablabla" ) ; ----- DKIM key default for yourdomain.com
Be sure to change the blablabla to the p= value from the output of /etc/opendkim/keys/yourdomain.com/default.txt
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:someaddress@yourdomain.com"
Be sure to change someaddress@yourdomain.com to a real address for your domain; the aggregate DMARC reports will be sent to this address.
yourdomain.com. IN TXT "v=spf1 a mx +all"
The above is a quick example of a zonefile entry in bind for SPF: it allows the hosts in your domain's A and MX records to send mail and doesn't have a hard fail. Note that +all is a pass for every sender whatsoever, so this record will never cause a message to fail SPF; ~all (softfail) or -all (fail) is the usual choice once you are sure every legitimate sender is listed. If for example you need to add another server's IP (perhaps another server needs to send mail for yourdomain.com) then update as below:
As you'll see, adding +ip4:8.8.8.8 would allow a server at 8.8.8.8 to send mail for the domain.
yourdomain.com. IN TXT "v=spf1 a mx +ip4:8.8.8.8 +all"
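As an added check that is not part of the original post: once the three TXT values above are published (or before, straight from the zone file), this small Python script parses them the way a verifier would, reads the RSA modulus size out of the DKIM p= key, and flags the +all SPF record and a bad DMARC policy. The key in SAMPLE_P is a constructed placeholder standing in for blablabla, not a real key.

```python
import base64
import re

def parse_tags(txt: str) -> dict:
    """Tag=value pairs from a TXT record, joining BIND-style quoted fragments."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in joined.split(";") if "=" in t)}

def rsa_modulus_bits(spki: bytes) -> int:     # walk SubjectPublicKeyInfo DER to the RSA modulus
    def tlv(buf, pos):                         # returns (value bytes, offset after the element)
        ln, pos = buf[pos + 1], pos + 2
        if ln & 0x80:                          # long-form length
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        return buf[pos:pos + ln], pos + ln
    outer, _ = tlv(spki, 0)                    # SEQUENCE
    _, end = tlv(outer, 0)                     # AlgorithmIdentifier, skipped
    bits, _ = tlv(outer, end)                  # BIT STRING; first byte is the unused-bits count
    rsakey, _ = tlv(bits[1:], 0)               # RSAPublicKey SEQUENCE
    modulus, _ = tlv(rsakey, 0)                # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

# Constructed 2048-bit modulus (NOT a real key) inside the standard RSA SubjectPublicKeyInfo header.
_N = ((1 << 2047) | 0x10001).to_bytes(256, "big")
SAMPLE_P = base64.b64encode(bytes.fromhex(
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100") + _N + bytes.fromhex("0203010001")).decode()
# The three zone values from this page, with SAMPLE_P standing in for "blablabla".
DKIM_TXT = f'( "v=DKIM1; k=rsa; s=email; " "p={SAMPLE_P}" ) ; ----- DKIM key default for yourdomain.com'
DMARC_TXT = '"v=DMARC1; p=quarantine; rua=mailto:someaddress@yourdomain.com"'
SPF_TXT = '"v=spf1 a mx +all"'

def audit(dkim_txt: str, spf_txt: str, dmarc_txt: str) -> list:
    """Return findings for the three records; an empty list means they look sane."""
    f = []
    dkim = parse_tags(dkim_txt)
    if dkim.get("v") != "DKIM1" or dkim.get("k", "rsa") != "rsa":
        f.append("DKIM: not a v=DKIM1 RSA record")
    elif not dkim.get("p"):
        f.append("DKIM: empty p= (key revoked)")
    elif rsa_modulus_bits(base64.b64decode(dkim["p"])) < 1024:
        f.append("DKIM: key under 1024 bits; verifiers ignore it (RFC 8301)")
    terms = spf_txt.strip('"').split()
    if any(t in ("all", "+all") for t in terms):
        f.append("SPF: +all passes every sender; use ~all or -all once the sender list is complete")
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1" or dmarc.get("p") not in ("none", "quarantine", "reject"):
        f.append("DMARC: missing v=DMARC1 or bad p= policy")
    if not dmarc.get("rua", "").startswith("mailto:"):
        f.append("DMARC: rua= must be a mailto: address or no reports will arrive")
    return f
```

Run audit() on the live values (for example the output of dig +short TXT default._domainkey.yourdomain.com) after the zone reloads; the only finding for the records as written on this page is the +all one.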
Set permissions to be sure:
chown -R opendkim:opendkim /etc/opendkim
#back up /etc/postfix/main.cf before editing it
cp -a /etc/postfix/main.cf /etc/postfix/main.cf-`date +%Y%m%d-%s`
#edit /etc/postfix/main.cf and add the following to enable DKIM signing through the opendkim milter
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
#accept means mail is still delivered (unsigned) if opendkim is not reachable
milter_default_action = accept
systemctl restart postfix