DKIM (DomainKeys Identified Mail) is an email authentication technology: your SMTP server signs each message it sends, and the receiving SMTP server can verify that signature cheaply before deciding whether to classify the mail as spam, phishing or an impersonation.
How DKIM works
Your SMTP server attaches a special header to each outgoing email. The header carries a signature computed with a private key stored on the server (the mail is signed, not encrypted) and travels along with the message. When the email reaches the receiving SMTP server, that server will
a. Find the DKIM-Signature header in the mail.
b. Read the selector (s=) and the signing domain (d=) from that header,
i.e. (DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com; s=default; t=1329441832;) You will see an entry like this in the original source of DKIM-signed emails. A real header also carries the list of signed header fields (h=), the body hash (bh=) and the signature itself (b=); they are left out here for brevity.
c. Query DNS for the record that belongs to the signed email (here the domain mydomain.com).
d. Once the TXT record is found (here the selector "default", i.e. the name default._domainkey.mydomain.com), fetch the public key it contains and use it to verify the signature in the header. Nothing is decrypted: the private key signs, the public key only verifies.
A valid signature proves that the mail was sent by a server holding the domain's private key and that the signed headers and the body were not altered in transit. It does not by itself whitelist your domain: receivers feed the DKIM result into their spam and reputation scoring, so consistently valid signatures improve the chance that your mail lands in the INBOX rather than guaranteeing it.
How do I install OpenDKIM
If you are using CentOS (5, 6 or later), you can install OpenDKIM easily with yum after adding the EPEL repository from http://dl.fedoraproject.org/pub/epel/ (pick the epel-release rpm matching your OS release, e.g. for CentOS 6 http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm).
If you are using Amazon EC2, the repository file is already there but disabled: edit /etc/yum.repos.d/epel.repo, change the value of enabled to one (enabled=1) and then run yum install opendkim.
The stevejenkins.com website has excellent tutorials and I adopted his guidelines. I got stuck at a few attempts initially but got it working in the end.
Here we go,
1. Install the OpenDKIM rpm package from the EPEL repositories (http://fedoraproject.org/wiki/EPEL).
Choose the build that matches your OS release and architecture; the rpm below is the EPEL release package for CentOS 5, use the corresponding one for your version.
# rpm -ivh epel-release-5-4.noarch.rpm
# yum clean all
# yum install opendkim
2. Generate signing keys
Create a folder to hold the keys for your domain, then generate a key pair for the selector "default". Older opendkim-genkey releases default to a 1024-bit RSA key (which is what the record later in this post shows); pass -b 2048 to get a 2048-bit key, which is what receivers expect today.
#/usr/bin/opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
The above command creates two files under the domain folder: default.private (the private key) and default.txt (the DNS record to publish).
Copy default.private to a file named default (the name the KeyTable will point at), then hand the whole directory to the opendkim user. Do the copy first: a file copied by root after the chown would belong to root, and the private key should be owned by opendkim and readable by nobody else (mode 0600).
#cp /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default
#chown -R opendkim:opendkim /etc/opendkim/keys/mydomain.com
3. Configuration files of OpenDKIM
1. /etc/opendkim.conf – OpenDKIM's main configuration file
2. /etc/opendkim/KeyTable – the list of keys available for signing
3. /etc/opendkim/SigningTable – the list of domains and accounts allowed to sign, mapped to those keys
4. /etc/init.d/opendkim – the service start-up script
4. Update the /etc/opendkim.conf file
Now edit the main config file (/etc/opendkim.conf) and update or uncomment the few lines that matter: Mode (s to sign only, sv to sign and verify), KeyTable, SigningTable, and the InternalHosts/ExternalIgnoreList lines that point at /etc/opendkim/TrustedHosts.
My file looks like this. If you use the single-key KeyFile/Domain/Selector directives instead of the tables, set the "KeyFile" path to the private key created above.
5. Update the /etc/opendkim/KeyTable file
Add your domain key name and the path to the domain's private key in this file; each entry has the form "keyname domain:selector:path-to-private-key". The stock file only carries the instructions shown below,
-sh-3.2# cat /etc/opendkim/KeyTable
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
You may point several key names at the same private key file; the table is just a key-name to key mapping. Note that the d= your mail will carry is the domain named in the entry, not necessarily the domain the mail is from.
6. Update /etc/opendkim/SigningTable
This file maps sender addresses (or whole domains, using a * wildcard) to a key name from the KeyTable. On my setup the server hosts 4 email domains and I want to use the same signing key for all of them, so every domain's entry points at the same key name.
Note that I use the same domain key for all the other domains, so mail from any of them shows "signed by mydomain.com" in its source. The signature still verifies, but d= then names mydomain.com rather than the sending domain, so it does not authenticate the other three domains (and DMARC alignment for them fails). If that matters, add a KeyTable entry per domain; they can share the same key file, but each domain then needs its own selector record in DNS.
See the mail below,
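How OpenDKIM chooses the key for a given From address, as an added example that is not code from the original post or from OpenDKIM: it models a refile SigningTable and a KeyTable in the four-domains-one-key layout described above, resolves a From address to the d=, s= and key file that will be used, and checks whether that d= lines up with the From domain. The table contents are constructed; "first matching pattern wins" is an assumption of this model, not a statement about OpenDKIM's exact lookup order.

```python
# Added example (not from the original post or OpenDKIM): how SigningTable and KeyTable
# entries select the signing key for a From address, and what d= the mail ends up with.
import fnmatch

# Constructed table contents modelled on this tutorial's layout: one key shared by four domains.
KEYTABLE = """
# keyname                        signing-domain:selector:private-key-file
default._domainkey.mydomain.com  mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
"""
SIGNINGTABLE = """
# sender pattern (refile: '*' is a wildcard)   keyname from KeyTable
*@mydomain.com      default._domainkey.mydomain.com
*@otherdomain.com   default._domainkey.mydomain.com
*@third.example     default._domainkey.mydomain.com
*@fourth.example    default._domainkey.mydomain.com
"""

def parse_table(text):
    """Two-column table files; '#' comments and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split(None, 1)
        if len(cols) == 2:
            rows.append((cols[0], cols[1].strip()))
    return rows

def parse_keytable(text):
    """keyname -> (signing domain, selector, private key file)."""
    out = {}
    for keyname, spec in parse_table(text):
        domain, selector, keyfile = spec.split(":", 2)
        out[keyname] = (domain, selector, keyfile)
    return out

def signing_key_for(from_addr, signingtable=SIGNINGTABLE, keytable=KEYTABLE):
    """Model assumption: the first pattern matching the (lowercased) From address wins.
    Returns (d=, s=, keyfile) or None when the mail would leave unsigned."""
    keys = parse_keytable(keytable)
    addr = from_addr.lower()
    for pattern, keyname in parse_table(signingtable):
        if fnmatch.fnmatchcase(addr, pattern.lower()):
            return keys.get(keyname)
    return None

def dkim_aligned(from_addr, signing_domain):
    """Relaxed DMARC-style alignment: d= must be the From domain or a parent of it."""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    d = signing_domain.lower()
    return from_domain == d or from_domain.endswith("." + d)

def report(from_addr):
    """What the signed mail will show, and whether d= lines up with the From domain."""
    key = signing_key_for(from_addr)
    if key is None:
        return {"signed": False}
    d, s, _keyfile = key
    return {"signed": True, "d": d, "s": s, "aligned": dkim_aligned(from_addr, d)}

if __name__ == "__main__":
    for sender in ("alice@mydomain.com", "bob@otherdomain.com", "carol@sub.mydomain.com"):
        print(sender, report(sender))
```

Mail from otherdomain.com is signed and verifies, but with d=mydomain.com, so the report flags it as not aligned; mail from a subdomain such as sub.mydomain.com matches no pattern at all and leaves unsigned unless you add a pattern for it.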
7. Check that /etc/opendkim/TrustedHosts contains the loopback IP. Hosts listed here are treated as internal: their mail is signed rather than verified, so add any other outbound relays of yours as well.
-sh-3.2# cat /etc/opendkim/TrustedHosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
8. Edit the Postfix main configuration file
Open the Postfix config file (/etc/postfix/main.cf) and add the following lines at the bottom. Note that milter_default_action = accept tells Postfix to keep delivering mail, unsigned, whenever it cannot reach OpenDKIM, so an unnoticed OpenDKIM failure silently costs you the signature. milter_protocol = 2 is for older Postfix releases; newer ones default to 6 and do not need the line.
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
9. Restart the opendkim and postfix services.
-sh-3.2# service opendkim restart
Stopping OpenDKIM Milter: [ OK ]
Starting OpenDKIM Milter: [ OK ]
-sh-3.2# service postfix restart
stopping the Postfix mail system [ OK ]
starting the Postfix mail system [ OK ]
#chkconfig postfix on
Also run chkconfig opendkim on so the milter comes back after a reboot; with milter_default_action = accept, Postfix would otherwise keep delivering unsigned mail. Then ensure that OpenDKIM writes to the mail log; this is the only place where you will see OpenDKIM errors.
# tail -f /var/log/maillog
Feb 17 13:39:47 host opendkim: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)
10. Update the DNS records
This is the final part. Add a TXT record named "default._domainkey" (the selector followed by ._domainkey) to your domain's zone. Its value comes from the file /etc/opendkim/keys/mydomain.com/default.txt:
-sh-3.2# cat /etc/opendkim/keys/mydomain.com/default.txt
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3 EBAQUAA4GNADWw1fqTtobJHsQsJ/49XRJ7eK49MUAkhLB9zcwusSfvrWutvqWT4iWM979 YOAt/d4ZVtFn7Dio6rUiLp103TfJh3g0694jJAOQU0sb4VM/NHgCIknQ/cvLG/snGL/aI7YIkSH1bI0YTYayewIDAQAB" ; ----- DKIM default for mydomain.com
Copy everything between the double quotes (the part after TXT). Newer opendkim-genkey releases split a long key over several quoted strings; paste them joined into one value. My GoDaddy domain manager looks like this after adding it,
You can also add an ADSP record to your zone file, though it is optional: "dkim=unknown" is the default policy anyway, and ADSP has since been declared historic.
_adsp._domainkey.mydomain.com IN TXT "dkim=unknown"
There is no requirement to use the selector name "default"; pick whatever you like, as long as the -s option of opendkim-genkey, the KeyTable entry and the DNS record name all use the same selector.
Important: don't forget to publish an SPF record for your domain as well; SPF and DKIM together improve email delivery.
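The mechanism described under "How DKIM works" and the DNS record of this step, as an added example that is not code from the original post or from OpenDKIM: the script signs a constructed message, renders the public key as a default.txt-style zone line, joins the quoted strings the way you do when pasting into the DNS manager, then verifies the message the way a receiving server does (lookup of selector._domainkey.domain, body hash check, then signature check). It uses only the Python standard library, so the RSA key is a fixed demo key built from two Mersenne primes; never use a key of that form for real mail. The DNS lookup is a dict, the domain, selector, headers and body are constructed, and the canonicalization is a condensed RFC 6376 relaxed/simple that is enough for single-line headers.

```python
# Added example (not from the original post or OpenDKIM): sign, publish and verify DKIM end to end, stdlib only.
import base64
import hashlib
import re

_P, _Q = (1 << 521) - 1, (1 << 607) - 1      # known primes; fixed demo key only, unsafe for real mail
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _pkcs1_v15_encode(digest, k):              # EMSA-PKCS1-v1_5 for SHA-256 (RFC 8017 9.2); k = modulus bytes
    t = _DIGESTINFO_SHA256 + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sha256_sign(data):
    k = (RSA_N.bit_length() + 7) // 8
    return pow(_pkcs1_v15_encode(hashlib.sha256(data).digest(), k), RSA_D, RSA_N).to_bytes(k, "big")

def rsa_sha256_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n) == _pkcs1_v15_encode(hashlib.sha256(data).digest(), k)

def _der(tag, body):                           # DER TLV; SubjectPublicKeyInfo is what the p= tag carries
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body
def _der_int(i):
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))  # extra byte keeps the sign bit clear
def spki_encode(n, e):
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # OID rsaEncryption + NULL parameters
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e))))

def _der_read(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def spki_decode(der):
    _, spki, _ = _der_read(der, 0)
    _, bits, _ = _der_read(spki, _der_read(spki, 0)[2])   # skip the AlgorithmIdentifier
    _, key, _ = _der_read(bits[1:], 0)                    # skip the unused-bits byte of the BIT STRING
    _, n, pos = _der_read(key, 0)
    return int.from_bytes(n, "big"), int.from_bytes(_der_read(key, pos)[1], "big")

def dkim_txt_record(selector, domain, n, e):
    """Zone line in the layout of opendkim-genkey's default.txt; newer versions split p= over several quoted strings."""
    p = base64.b64encode(spki_encode(n, e)).decode()
    return f'{selector}._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p={p[:200]}" "{p[200:]}" ) ; ----- DKIM {selector} for {domain}'

def txt_record_value(zone_line):
    """What goes into the DNS manager: every quoted string of the line, concatenated."""
    return "".join(re.findall(r'"([^"]*)"', zone_line))

def parse_tags(s):
    """tag=value list, the syntax of both the DKIM-Signature header and the DKIM1 record (inner whitespace dropped)."""
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in (p.split("=", 1) for p in s.split(";") if "=" in p)}

def _relaxed_header(name, value):              # c=relaxed: lowercase name, unfold, squeeze WSP, trim
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def _simple_body(body):                        # c=simple: CRLF lines, trailing empty lines removed
    body = body.replace("\n", "\r\n")            # constructed input uses bare LF
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return (body if body.endswith("\r\n") else body + "\r\n").encode()

def dkim_sign(headers, body, domain, selector):
    """Signer (the milter's job): returns the DKIM-Signature header value, c=relaxed/simple."""
    bh = base64.b64encode(hashlib.sha256(_simple_body(body)).digest()).decode()
    sig = f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; h={':'.join(n for n, _ in headers)}; bh={bh}; b="
    data = b"".join(_relaxed_header(n, v) for n, v in headers) + _relaxed_header("DKIM-Signature", sig)[:-2]
    return sig + base64.b64encode(rsa_sha256_sign(data)).decode()

def dkim_verify(headers, body, dkim_value, dns):
    """Receiver: parse the header, fetch <s>._domainkey.<d>, check bh=, then b=."""
    tags = parse_tags(dkim_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or not tags.get("b"):
        return False
    key = parse_tags(txt_record_value(dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}", "")))
    if key.get("v", "DKIM1") != "DKIM1" or key.get("k", "rsa") != "rsa" or not key.get("p"):
        return False                             # no record, or an empty p= (key revoked)
    n, e = spki_decode(base64.b64decode(key["p"]))
    if base64.b64encode(hashlib.sha256(_simple_body(body)).digest()).decode() != tags.get("bh"):
        return False                             # body hash mismatch: body altered in transit
    present = {name.lower(): v for name, v in headers}
    data = b"".join(_relaxed_header(h, present[h]) for h in tags.get("h", "").lower().split(":") if h in present)
    data += _relaxed_header("DKIM-Signature", re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", dkim_value))[:-2]
    return rsa_sha256_verify(data, base64.b64decode(tags["b"]), n, e)

DOMAIN, SELECTOR, BODY = "mydomain.com", "default", "This is a test mail\n\n"   # constructed message
HEADERS = [("From", "Alice <alice@mydomain.com>"), ("To", "bob@example.org"), ("Subject", "OpenDKIM test mail")]
ZONE_LINE = dkim_txt_record(SELECTOR, DOMAIN, RSA_N, RSA_E)    # what default.txt would contain
DNS = {f"{SELECTOR}._domainkey.{DOMAIN}": ZONE_LINE}           # dict standing in for the DNS TXT lookup

def demo(body=BODY, dns=DNS):
    """Sign the constructed message, then verify it against `body` and `dns`; True only when both match."""
    return dkim_verify(HEADERS, body, dkim_sign(HEADERS, BODY, DOMAIN, SELECTOR), dns)
```

Run it with Python 3.8 or later (pow(e, -1, m) needs 3.8). demo() returns True for the untouched message and False for a modified body, a missing selector record, or a record whose p= is empty, which is how a published key is revoked; re-spacing a signed header does not break verification because relaxed canonicalization squeezes the whitespace on both sides.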
Verifying whether Postfix sends signed emails
I use a test mail sent from the command line.
#echo " This is a test mail " | mail -s "OpenDKIM test mail" firstname.lastname@example.org
If everything goes well you will see the message "DKIM-Signature header added" in the mail log (on CentOS that is /var/log/maillog, the same file as in step 9):
#tail -f /var/log/maillog
Feb 17 14:12:52 host postfix/pickup: A5B56F717AC: uid=0 from=
Feb 17 14:12:52 host postfix/cleanup: A5B56F717AC: message-id=<20120217191252.A5B56F717AC@mail.mydomain.com>
Feb 17 14:12:52 host opendkim: A5B56F717AC: DKIM-Signature header added (s=default, d=mydomain.com)
That line shows your SMTP server now signs outgoing mail. Receivers can verify the signature, which helps the delivery of legitimate mail, bulk mail included; it does not make a server "trusted" by itself, and content and sending reputation are still scored.
For troubleshooting, restart the opendkim service first and then postfix, and read the mail server log for the detailed report.