A short tutorial on how to install and configure OpenDKIM with Postfix on Debian Wheezy. OpenDKIM signs your outgoing mail with a generated private key; receiving servers validate the signature against the matching public key, which you publish as a TXT DNS record for them to look up. So if you want to avoid your sent messages being marked as spam, follow this easy tutorial. It will help other mail servers trust your mail server.
I assume you have properly installed and configured postfix.
```
aptitude install opendkim opendkim-tools
vi /etc/opendkim.conf
```
At the end of the file add:
```
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
LogWhy yes
```
```
mkdir -p /etc/opendkim/keys
vi /etc/opendkim/TrustedHosts
```

```
127.0.0.1
localhost
123.123.123.123
*.example.com
```
Replace 123.123.123.123 with your mail server's IP address.
```
vi /etc/default/opendkim
```

```
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:12345@localhost" # listen on loopback on port 12345
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
```

Uncomment `SOCKET="inet:12345@localhost"` (leave the other SOCKET lines commented).
```
vi /etc/postfix/main.cf
```

At the end of the file add:

```
# DKIM Support
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
```
Whenever you want to add a domain with DKIM support, always follow these steps:

```
mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com
opendkim-genkey -r -d example.com
chown opendkim:opendkim default.private
vi /etc/opendkim/KeyTable
```

```
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private
```
```
vi /etc/opendkim/SigningTable
```

```
*@example.com default._domainkey.example.com
```

The pattern `*@example.com` matches every sender address at the domain; a bare `*example.com` would also match unrelated domains that merely end in that string, and OpenDKIM would sign their mail with your key.
```
service opendkim restart
service postfix restart
cat /etc/opendkim/keys/example.com/default.txt
```

Add the output of `cat` to your DNS server as a TXT record. The output should look like this:

```
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQU99842ADCBiQKBgQDDQ1aB402QY0skKABxWsuLzWlYhq8hlSKPAX7h5se+5XchSUVS2TBU31K0ZzzlX7TAVToWsOpX736JdDgUpJ516v9fBjvwR6PF1rpQr+TlwYGzXghgKNBMVwarcFGmTANpv38c8TO5ZbjVgkNQQzfWHafKSpvpc9mTWSMjYNQsOwIDAQAB" ; ----- DKIM key default for example.com
```
Here is how it should look in Bind:
```
default._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqG..................WSMjYNQsOwIDAQAB"
```
If you add DNS records through your provider's web app:

```
Domain: default._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqG..................WSMjYNQsOwIDAQAB
```
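As an added check (example code written for this page, not part of the original tutorial): parse the `default.txt` line that `opendkim-genkey` produces, sanity-check the tags a receiving server will evaluate, and compare the `p=` value you published against the local key. The DNS answer is passed in as strings you fetched yourself (for instance with `dig TXT default._domainkey.example.com`), so the script runs offline; the sample key bytes below are constructed, not a real key.

```python
import base64
import re

# Constructed sample of `cat default.txt` output. The p= value is only the
# leading bytes of an RSA SubjectPublicKeyInfo, not a real key (example data).
SAMPLE_P = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"
GENKEY_LINE = ('default._domainkey IN TXT "v=DKIM1; k=rsa; " '
               '"p=' + SAMPLE_P + '" ; ----- DKIM key default for example.com')

def genkey_to_value(zone_line):
    """Join the quoted strings of an opendkim-genkey zone line: long keys are
    split into several strings; resolvers concatenate them, so the joined
    string is what goes into a provider's web form."""
    return "".join(re.findall(r'"([^"]*)"', zone_line))

def parse_dkim_tags(value):
    """Turn 'v=DKIM1; k=rsa; p=...' into a dict, stripping whitespace in values."""
    tags = {}
    for field in value.split(";"):
        name, sep, val = field.strip().partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def record_problems(tags):
    """Reasons a published record cannot verify signatures (empty list = OK)."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for a key made by opendkim-genkey")
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing")
    elif p == "":
        problems.append("p= is empty, which means the key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (copy/paste damage?)")
        else:
            if not der.startswith(b"\x30"):
                problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    return problems

def published_matches_local(genkey_line, dns_txt_strings):
    """True when the p= served by DNS equals the p= in the local default.txt."""
    local = parse_dkim_tags(genkey_to_value(genkey_line))
    published = parse_dkim_tags("".join(dns_txt_strings))
    return not record_problems(published) and published["p"] == local["p"]
```

If `published_matches_local` returns False right after you changed the record, wait for the zone's TTL to expire and query again before suspecting the key itself.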
For debugging, watch syslog or Postfix's mail.log to see whether OpenDKIM throws any error messages, for example about a badly configured SigningTable.

I also recommend setting up SPF records to make your mail server more trusted; it's just one additional DNS TXT record. There is a simple wizard that will guide you through generating the TXT record: http://www.spfwizard.net/