Configure OpenDKIM with Postfix on Debian Wheezy

A short tutorial on installing and configuring OpenDKIM with Postfix on Debian Wheezy. OpenDKIM signs your outgoing mail with a private key; the matching public key is published as a TXT record in DNS, where receiving servers look it up to verify the signature. A valid DKIM signature tells other mail servers that the message really came from your domain and was not altered in transit, which helps keep your mail out of spam folders.

I assume you already have Postfix installed and configured.

aptitude install opendkim opendkim-tools
vi /etc/opendkim.conf

At the end of the file add:

KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
LogWhy yes

The refile: prefix means the file is read as a list of patterns, so wildcards such as *.example.com are allowed. InternalHosts lists the hosts whose mail is signed rather than verified, and ExternalIgnoreList lists external hosts that may send mail through this server as one of your signing domains; here both point at the same file. LogWhy makes OpenDKIM log the reason whenever it decides not to sign a message, which is the first thing to check when mail goes out unsigned. Then create the key directory and the trusted-hosts file:

mkdir -p /etc/opendkim/keys
vi /etc/opendkim/TrustedHosts

127.0.0.1
localhost
123.123.123.123
*.example.com

Replace 123.123.123.123 with the IP address of your mail server.

vi /etc/default/opendkim
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:12345@localhost" # listen on loopback on port 12345
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

Uncomment the line SOCKET="inet:12345@localhost" so that OpenDKIM listens on the loopback interface only, and leave the other SOCKET lines commented out.

vi /etc/postfix/main.cf

At the end of the file add:

# DKIM Support
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

milter_default_action = accept means that if OpenDKIM is down or unreachable, Postfix still delivers the mail, just unsigned (and, for inbound mail, unverified); set it to tempfail if you would rather have mail deferred until the milter is back. milter_protocol = 6 requires Postfix 2.6 or newer, which the Postfix in Wheezy satisfies. The non_smtpd_milters line makes sure that mail submitted locally through the sendmail command is signed as well.

To add a domain with DKIM support, repeat these steps for each domain:

mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com
opendkim-genkey -r -d example.com
chown opendkim:opendkim default.private

This creates default.private (the signing key, which must be readable only by the opendkim user) and default.txt (the matching public key, formatted as a DNS record). opendkim-genkey generates a 1024-bit key unless you pass -b with a larger size; 2048 bits is the usual choice today. Then register the key:

vi /etc/opendkim/KeyTable
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private
vi /etc/opendkim/SigningTable
*@example.com default._domainkey.example.com

Note the @ in the SigningTable pattern: *@example.com matches every sender in example.com, whereas *example.com would also match senders in any other domain whose name merely ends in "example.com", such as user@notexample.com. Restart both services and print the DNS record:

service opendkim restart
service postfix restart
cat /etc/opendkim/keys/example.com/default.txt
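The per-domain steps above as one script, written here as an added example (it is not part of the original post). It assumes the Debian layout used in this tutorial (/etc/opendkim/keys, /etc/opendkim/KeyTable, /etc/opendkim/SigningTable, a service named opendkim) and that opendkim-genkey accepts -b, -s and -D; the script name add-dkim-domain.sh is made up. It goes beyond the text in three ways: it asks for a 2048-bit key, it locks the private key down to mode 600, and it only appends table entries that are not already present, so running it twice for the same domain is harmless.

```shell
#!/bin/sh
# add-dkim-domain.sh (hypothetical name): register a signing domain with OpenDKIM.
# Added example, not from the original post. Assumes the Debian paths below.
# Usage: sh add-dkim-domain.sh example.com [selector]

KEYDIR=/etc/opendkim/keys
KEYTABLE=/etc/opendkim/KeyTable
SIGNINGTABLE=/etc/opendkim/SigningTable

# KeyTable entry: <selector>._domainkey.<domain> <domain>:<selector>:<private key path>
dkim_key_table_line() {
    printf '%s._domainkey.%s %s:%s:%s/%s/%s.private\n' "$2" "$1" "$1" "$2" "$3" "$1" "$2"
}

# SigningTable entry. The pattern must be *@domain: a bare *domain would also
# match senders in every domain whose name merely ends in that string.
dkim_signing_table_line() {
    printf '*@%s %s._domainkey.%s\n' "$1" "$2" "$1"
}

# Append LINE to FILE unless an identical line is already there (idempotent).
append_unique() {
    file=$1; line=$2
    [ -f "$file" ] && grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

add_dkim_domain() {
    domain=$1
    selector=${2:-default}
    [ -n "$domain" ] || { echo "usage: $0 domain [selector]" >&2; return 2; }

    mkdir -p "$KEYDIR/$domain"
    # 2048-bit key (opendkim-genkey defaults to 1024); -r restricts the key to e-mail use,
    # -D writes <selector>.private and <selector>.txt into the domain's directory.
    opendkim-genkey -b 2048 -r -s "$selector" -d "$domain" -D "$KEYDIR/$domain"
    # Only the opendkim user may read the private key.
    chown opendkim:opendkim "$KEYDIR/$domain/$selector.private"
    chmod 600 "$KEYDIR/$domain/$selector.private"

    append_unique "$KEYTABLE" "$(dkim_key_table_line "$domain" "$selector" "$KEYDIR")"
    append_unique "$SIGNINGTABLE" "$(dkim_signing_table_line "$domain" "$selector")"

    service opendkim restart
    echo "Publish this TXT record for $selector._domainkey.$domain:"
    cat "$KEYDIR/$domain/$selector.txt"
}

# Run only when a domain is given on the command line, so the functions can be
# sourced or tested without touching the system.
if [ "$#" -ge 1 ]; then
    add_dkim_domain "$@"
fi
```

A 2048-bit key produces a p= value longer than 255 characters, so the TXT record must be published as several quoted strings; the default.txt written by opendkim-genkey shows the split form, and verifiers concatenate the strings before decoding.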

Add the output of cat to your DNS zone as a TXT record. The output looks like this:

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQU99842ADCBiQKBgQDDQ1aB402QY0skKABxWsuLzWlYhq8hlSKPAX7h5se+5XchSUVS2TBU31K0ZzzlX7TAVToWsOpX736JdDgUpJ516v9fBjvwR6PF1rpQr+TlwYGzXghgKNBMVwarcFGmTANpv38c8TO5ZbjVgkNQQzfWHafKSpvpc9mTWSMjYNQsOwIDAQAB" ; ----- DKIM key default for example.com

Here is how it should look in Bind:

default._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqG..................WSMjYNQsOwIDAQAB"

If you add DNS records through your provider's web interface:

Domain: default._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqG..................WSMjYNQsOwIDAQAB

For debugging, watch syslog or Postfix's mail.log for OpenDKIM error messages, for example from a badly configured SigningTable. After restarting, send yourself a test message from the server and check that it carries a DKIM-Signature header; on the receiving side, the Authentication-Results header should show dkim=pass.
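The check a practitioner wants after publishing the record is whether DNS really serves the key that OpenDKIM signs with. The script below is an added example, not code from the original post: it fetches the TXT record with dig, extracts the p= value (joining the quoted strings a long record is split into), derives the public key from the private key with openssl and compares the two, then runs opendkim-testkey for OpenDKIM's own view of the record. It assumes dig, openssl and opendkim-testkey are installed and the key lives at /etc/opendkim/keys/<domain>/<selector>.private; the script name check-dkim-record.sh is made up.

```shell
#!/bin/sh
# check-dkim-record.sh (hypothetical name): does DNS publish the key we sign with?
# Added example, not from the original post. Assumes the Debian key layout
# /etc/opendkim/keys/<domain>/<selector>.private and the dig/openssl/opendkim-testkey tools.
# Usage: sh check-dkim-record.sh example.com [selector]

# Extract the p= value from TXT record data as dig prints it. Long records are
# split into several quoted strings, e.g. "v=DKIM1; k=rsa; " "p=MIGf..." "...AB",
# which a DKIM verifier concatenates; blanks inside the record are ignored.
dkim_txt_pubkey() {
    printf '%s\n' "$1" \
        | sed 's/"[[:space:]]*"//g; s/^"//; s/"$//' \
        | tr -d '[:blank:]' \
        | tr ';' '\n' \
        | sed -n 's/^p=//p'
}

# Base64 SubjectPublicKeyInfo derived from the private key: this is exactly the
# string opendkim-genkey puts into p=, so the two must compare equal.
dkim_local_pubkey() {
    openssl rsa -in "$1" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n'
}

# Succeed only when both key strings are identical and non-empty.
dkim_keys_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

check_dkim_record() {
    domain=$1
    selector=${2:-default}
    keyfile=/etc/opendkim/keys/$domain/$selector.private

    record=$(dig +short TXT "$selector._domainkey.$domain")
    [ -n "$record" ] || { echo "no TXT record for $selector._domainkey.$domain" >&2; return 1; }

    published=$(dkim_txt_pubkey "$record")
    local_key=$(dkim_local_pubkey "$keyfile")

    if dkim_keys_match "$published" "$local_key"; then
        echo "DNS record matches $keyfile"
    else
        echo "MISMATCH: DNS publishes a different key than $keyfile" >&2
        return 1
    fi

    # OpenDKIM's own lookup and syntax check of the record. "key not secure"
    # only means the zone is not DNSSEC-signed; "key OK" is what you want.
    opendkim-testkey -d "$domain" -s "$selector" -vvv
}

# Run only when a domain is given, so the functions can be sourced or tested offline.
if [ "$#" -ge 1 ]; then
    check_dkim_record "$@"
fi
```

A mismatch usually means the record was pasted with a wrong or truncated string, or that a new key was generated after the record was published; since resolvers cache the old record for its TTL, re-run the check after the TTL has expired before assuming the zone is wrong.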

I also recommend that you set up an SPF record, which lets receivers check which hosts may send mail for your domain; it is just one more DNS TXT record. There is a simple wizard that guides you through generating it: http://www.spfwizard.net/
