DKIM is an email technology that signs each email sent through your SMTP server. The signature helps establish the genuineness of your emails, since the receiving SMTP server can easily check for a valid DKIM signature before classifying your mail as spam, phishing, impersonation and so on.
How a DKIM key works
Your SMTP server attaches a special header to each of your emails, signed with a private key stored on the server, and sends it along with the email. Once the email reaches the other (trusted/secured) SMTP server, that server will:
a. Identify the signature in the mail header.
b. Read the domain key selector and the domain name mentioned in the mail header,
i.e. (DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com; s=default; t=1329441832;). You will see the above entry in the original source of DKIM signed emails.
c. Look up the DNS entry associated with the signing domain (here mydomain.com).
d. Once the DNS TXT record is found (here the selector default, i.e. default._domainkey.mydomain.com), fetch the public key, which verifies the signature in the email header.
This proves that those emails really originated from the actual sender. So it is a trusted mail, your domain's emails get whitelisted at third-party SMTP servers, and they are finally dropped into your INBOX.
How do I install OpenDKIM
The stevejenkins.com website has excellent tutorials and I adopted his guidelines. But I got stuck at a few attempts initially and got it working in the end.
Here we go,
1. Install the OpenDKIM rpm package from the EPEL repositories (http://fedoraproject.org/wiki/EPEL).
Choose the correct build for your OS architecture.
# rpm -ivh epel-release-5-4.noarch.rpm
# yum clean all
# yum install opendkim
2. Generate Signing Keys
Create a folder to store the keys for your domain, then generate the key pair with the selector "default":
# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
The above command will create two files under our domain folder: default.private (the private key) and default.txt (the DNS record to publish).
Copy default.private to default, which is the file name the KeyTable below refers to:
# cp /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default
3. Configuration files of OpenDKIM
a. /etc/opendkim.conf - OpenDKIM's main configuration file
b. /etc/opendkim/KeyTable - a list of keys available for signing
c. /etc/opendkim/SigningTable - a list of domains and accounts allowed to sign
d. /etc/init.d/opendkim - service start-up file
4. Update the /etc/opendkim.conf file
Now you need to edit the main config file (/etc/opendkim.conf) and update/uncomment a few lines.
My file looks like this. You may need to edit "KeyFile" to set the correct path. Note that once KeyTable and SigningTable are set, OpenDKIM takes the key and selector from the KeyTable entries and the KeyFile/Selector lines are no longer used; Mode sv means the milter both signs outgoing and verifies incoming mail.
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
Canonicalization relaxed/simple
Selector default
KeyFile /etc/opendkim/keys/mydomain.com/default.private
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
5. Update the /etc/opendkim/KeyTable file
Add your domain key name, followed by the domain, selector and private key file path, in this file (format: keyname domain:selector:keyfile). My file looks like this:
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
You may use the same private key for multiple domains; it is just a domain-to-key mapping:
default._domainkey.mydomain1.com mydomain1.com:default:/etc/opendkim/keys/mydomain.com/default.private
default._domainkey.mydomain2.com mydomain2.com:default:/etc/opendkim/keys/mydomain.com/default.private
6. Update /etc/opendkim/SigningTable
This file maps sender domains to a key name defined in the KeyTable. On my setup my server is hosting 4 email domains and I want to use the same signing key for all domains. The file entries should look like this:
domain1.com default._domainkey.mydomain.com
domain3.com default._domainkey.mydomain.com
domain2.com default._domainkey.mydomain.com
Please note that I use the same domain key for all the other domains, so you will get an entry in the email source "signed by mydomain.com".
See the mail below,
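A mismatch between these two files (a SigningTable entry naming a key the KeyTable does not define, or a KeyTable entry pointing at a key file that does not exist) is the usual reason no DKIM-Signature header gets added. The following checker is an added example, not part of the original post or of OpenDKIM; the sample tables are constructed and the third SigningTable line deliberately points at an undefined key.

```python
import os

# Constructed sample files mirroring the KeyTable/SigningTable layout shown above;
# domain3.com deliberately points at a key name that the KeyTable does not define.
KEYTABLE = """\
# comment lines and blank lines are ignored
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
"""
SIGNINGTABLE = """\
domain1.com default._domainkey.mydomain.com
domain2.com default._domainkey.mydomain.com
domain3.com default._domainkey.typo.com
"""

def parse_table(text):
    """Return {key: value} for the non-comment 'key value' lines of an OpenDKIM table file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)  # key and value separated by spaces or tabs
            entries[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entries

def check_tables(keytable_text, signingtable_text, path_exists=os.path.exists):
    """Cross-check the two tables; returns a list of problems (empty list = consistent)."""
    problems = []
    keys = parse_table(keytable_text)
    for name, spec in keys.items():
        parts = spec.split(":")
        if len(parts) != 3:
            problems.append(f"KeyTable {name}: expected domain:selector:keyfile, got {spec!r}")
            continue
        keyfile = parts[2]
        if not path_exists(keyfile):  # injectable so the check can run without the real files
            problems.append(f"KeyTable {name}: key file {keyfile} not found")
    for sender, keyname in parse_table(signingtable_text).items():
        if keyname not in keys:
            problems.append(f"SigningTable {sender}: key {keyname} is not defined in KeyTable")
    return problems

if __name__ == "__main__":
    # On a real host, read /etc/opendkim/KeyTable and /etc/opendkim/SigningTable instead.
    for problem in check_tables(KEYTABLE, SIGNINGTABLE):
        print(problem)
```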
7. Check that /etc/opendkim/TrustedHosts contains the loopback IP
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
localhost
8. Edit the Postfix main configuration file
Open the Postfix config file (/etc/postfix/main.cf) and add the following lines at the bottom of the file. smtpd_milters must point at the socket OpenDKIM listens on (the Socket line in opendkim.conf above), otherwise $smtpd_milters expands to nothing and no mail is signed.
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
9. Restart the opendkim and postfix services.
# service opendkim restart
Stopping OpenDKIM Milter: [ OK ]
Starting OpenDKIM Milter: [ OK ]
# service postfix restart
stopping the Postfix mail system [ OK ]
starting the Postfix mail system [ OK ]
# chkconfig postfix on
Ensure that OpenDKIM's log lines are written to the mail log file (/var/log/maillog). This is the only place where you can see any opendkim errors.
Feb 17 13:39:47 host opendkim[970]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)
10. Update the DNS records
This is the final part. You need to add a TXT record named "default._domainkey". You will get the value from the file /etc/opendkim/keys/mydomain.com/default.txt:
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3 EBAQUAA4GNADWw1fqTtobJHsQsJ/49XRJ7eK49MUAkhLB9zcwusSfvrWutvqWT4iWM979 YOAt/d4ZVtFn7Dio6rUiLp103TfJh3g0694jJAOQU0sb4VM/NHgCIknQ/cvLG/snGL/aI7YIkSH1bI0YTYayewIDAQAB" ; ----- DKIM default for mydomain.com
Copy the whole value between the double quotes (everything after TXT). My GoDaddy domain manager looks like this after adding it,
You should also add another TXT record to your zone file:
_adsp._domainkey.mydomain.com IN TXT "dkim=unknown"
ADSP has since been retired as a standard (RFC 5617 is historic), so this record is optional.
There is no standard that requires the selector to be named "default". You can change it to whatever you wish, as long as the selector in the KeyTable entry and the DNS record name match.
Important: don't forget to add an SPF record for your domain as well; it may boost email delivery.
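The receiver side of the flow described at the top (read s= and d= from DKIM-Signature, query selector._domainkey.domain, check the TXT value) is easy to get wrong when copying default.txt into a DNS panel, because opendkim-genkey splits the key into several quoted strings. The script below, an added example that is not part of the original post, joins those strings, derives the lookup name from the header and sanity-checks the record; FAKE_P is a constructed placeholder (a DER SEQUENCE tag plus filler), not a real key.

```python
import base64
import re

# Constructed samples modelled on the header and zone-file line shown on this page.
# FAKE_P is a DER SEQUENCE tag plus filler so the checks below pass; it is not a real key.
FAKE_P = base64.b64encode(b"\x30" + bytes(10)).decode()
SIGNATURE_HEADER = "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com; s=default; t=1329441832;"
ZONE_LINE = f'default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p={FAKE_P}" ) ; ----- DKIM key default for mydomain.com'

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (used by both the header and the TXT record) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace inside a value is not significant
    return tags

def lookup_name(header):
    """The DNS name a verifier queries for this signature: selector._domainkey.domain."""
    tags = parse_tags(header.split(":", 1)[1])
    return f"{tags['s']}._domainkey.{tags['d']}"

def txt_from_zone_line(line):
    """Return (record name, TXT value); opendkim-genkey splits long keys into several quoted strings."""
    return line.split()[0], "".join(re.findall(r'"([^"]*)"', line))

def record_matches(zone_name, domain, header):
    """True when the relative record name, qualified with the zone's domain, is what verifiers query."""
    return f"{zone_name}.{domain}" == lookup_name(header)

def check_record(txt_value):
    """Return a list of problems with a DKIM TXT value (empty list = looks publishable)."""
    tags, problems = parse_tags(txt_value), []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 when present
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type {tags.get('k')}")
    p = tags.get("p", "")
    if not p:
        return problems + ["p= (public key) missing or empty"]
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return problems + ["p= is not valid base64 (copy the whole value, without the quotes or line breaks)"]
    if not der or der[0] != 0x30:
        problems.append("p= does not decode to a DER SubjectPublicKeyInfo (should start with 0x30)")
    return problems
```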
Verifying whether Postfix is sending signed emails
I use a test mail sent from the command line.
If everything goes well you will see the message "DKIM-Signature header added" in the mail log:
Feb 17 14:12:52 host postfix/pickup[32549]: A5B56F717AC: uid=0 from=<root>
Feb 17 14:12:52 host postfix/cleanup[4092]: A5B56F717AC: message-id=<20120217191252.A5B56F717AC@mail.mydomain.com>
Feb 17 14:12:52 host opendkim[970]: A5B56F717AC: DKIM-Signature header added (s=default, d=mydomain.com)
This shows you have a trusted SMTP server in place, which may be helpful when sending bulk mail.
For easier troubleshooting, restart the opendkim service first, then postfix, and check the mail server log for a detailed report.
Great post, very helpful. Thank you!
THE MOST complete tut I found! Really nice. Because in other tuts nobody even mentions adding a TXT record to DNS!
Really useful article. request you that if possible post complete mail server setup tutorial.
Thanks & Regards
Many thanks for this!
Great post, very simple. Thanks!
Error:
warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Checked permissions and they are good. Any clues?
Jim
Hi – I am running a VPS with CENTOS 6.4 using QMAIL. Will these instructions work? If not, how can I implement DKIM with QMAIL? Thanks!
I haven't tried it for qmail. But I think it would work since the opendkim installation is a standard one.
~liju
Hi,
I did it step by step as instructed and the installation was perfect. But the last step, #tail -f /var/log/messages, shows me something different. Also the email header does not show the DKIM signature. My keys show something like this.. could you please help me.
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6+OxDB63NfoYxB70bzoKlCXI+Ec22hEDvTmDFWdNRvxHRIYb631iatGm6lECkv1fqbne8MCyOtJ8x5j0IWXKcioKg1LkFBBFUEqM/ZlJjefr80fWACHHbCrIB1ptLp+Weuhnz1d3/ZTtcAiZezNmTGPFs+NTv6fmx76hjNsmWEQIDAQAB" ) ;
Hello Bhavik
It’s not /var/log/messages.
You may look at the last entries of /var/log/maillog. You will get the exact error messages. You may see “header added” text if everything is working correctly.
The SigningTable needs to be adjusted according to the domain name you use to send emails.
best luck
~liju