February 2012

OpenDKIM : Configuring DKIM keys on Postfix

DKIM is an email technology which signs each email sent through your SMTP server. The signature lets the receiving SMTP server verify that the message really came from your domain and was not altered in transit, a check it can run before classifying the mail as spam, phishing or an impersonation attempt.

How DKIM key works

Your SMTP server attaches a special header to each outgoing email, containing a signature computed with a private key stored on the server, and sends it along with the email. Once the email reaches the receiving SMTP server, it will

a. Identify the signature in the mail header.
b. Read the selector and domain name mentioned in the mail header

i.e. (DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;s=default; t=1329441832;). You will see an entry like this in the original source of DKIM-signed emails; s= is the selector and d= the signing domain, and together they name the DNS record holding the public key.

c. The receiving SMTP server then looks up the DNS entry associated with the signed email ( here
d. Once the lookup finds the DNS TXT entry ( here default, i.e. default._domainkey ), it fetches the public key and uses it to verify the signature in the email header.

i.e. the email really originated from a server holding the domain's private key and was not modified on the way. That makes it a trusted mail as far as DKIM is concerned: it improves your domain's standing with third-party SMTP servers and helps your mail land in the INBOX, although a valid signature alone does not guarantee delivery :-)

How do I install openDKIM

If you are using CentOS 6 or a higher version, you can install OpenDKIM easily over yum after installing the respective EPEL repo from here. (See the latest OS repository release rpms, e.g. for CentOS 6

If you are using the Amazon EC2 cloud, you can simply enable it by editing the file /etc/yum.repos.d/epel.repo, changing the value of enabled to one (enabled=1) and then executing the command yum install opendkim. The website I learned this from has an excellent tutorial and I adopted its guidelines, but got stuck at a few points initially and got it working in the end.

Here we go,

1. Install the OpenDKIM rpm package from the EPEL repositories (

Choose the correct build for your OS architecture.

 # rpm -ivh epel-release-5-4.noarch.rpm
 # yum clean all
 # yum install opendkim

2. Generate signing keys
Create a folder storing the keys for my domain:

 # mkdir /etc/opendkim/keys/
 # /usr/bin/opendkim-genkey -D /etc/opendkim/keys/ -d -s default

The above command will create two files under our domain folder: default.private (the private key, which must never leave the server and should be readable by the opendkim user only) and default.txt (the DNS TXT record carrying the matching public key).

Rename default.private to default, and hand the key directory to the opendkim user:

 # chown -R opendkim:opendkim /etc/opendkim/keys/
 # cp /etc/opendkim/keys/ /etc/opendkim/keys/

3. Configuration files of OpenDKIM

1. /etc/opendkim.conf – OpenDKIM’s main configuration file
2. /etc/opendkim/KeyTable – a list of keys available for signing
3. /etc/opendkim/SigningTable – a list of domains and accounts allowed to sign
4. /etc/init.d/opendkim — Service start up file.

4. Update the /etc/opendkim.conf file
Now you need to edit the main config file (/etc/opendkim.conf) and update/uncomment a few lines.

My file looks like this. You may need to edit “KeyFile” to set the correct path, although once KeyTable and SigningTable are set OpenDKIM takes the key from the KeyTable and the KeyFile setting is overridden.

PidFile /var/run/opendkim/
Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
Canonicalization        relaxed/simple
Selector        default
KeyFile /etc/opendkim/keys/
KeyTable        /etc/opendkim/KeyTable
SigningTable    /etc/opendkim/SigningTable

5. Update the /etc/opendkim/KeyTable file

You need to add your domain key name and the path of the domain's private key file in this file. My file looks like this:

-sh-3.2# cat /etc/opendkim/KeyTable
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

You may use the same private key for multiple domains; the file is just a domain-to-key mapping.

6. Update /etc/opendkim/SigningTable
This file maps sender domain names to a key name from the KeyTable. On my setup my server hosts 4 email domains and I want to use the same signing key for all of them. The file entries should look like this:

 # cat /etc/opendkim/SigningTable

Please note I use the same domain key for all the other domains, so in the email source you will get a “signed by” entry naming that domain, as in the mail below.
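The table entries themselves are not reproduced above, so here is an added example (my script, not the post's own files) that generates the KeyTable and SigningTable for one key shared by several domains, the layout described in steps 5 and 6, and cross-checks the two files. The domains example.com (the one holding the key), example.net and example.org, the selector default and the key path are assumptions. The `*@domain` form is a pattern, so it needs `SigningTable refile:/etc/opendkim/SigningTable` in opendkim.conf rather than the plain file reference.

```shell
#!/bin/sh
# Added example: build and cross-check OpenDKIM KeyTable / SigningTable entries
# for one signing key shared by several sender domains. Domains, selector and
# key path below are assumptions, not values from the original post.

# One KeyTable line: "<selector>._domainkey.<domain> <domain>:<selector>:<private key path>"
dkim_keytable_line() {   # $1 = selector, $2 = signing domain (d= in the signature), $3 = key path
    printf '%s._domainkey.%s %s:%s:%s\n' "$1" "$2" "$2" "$1" "$3"
}

# SigningTable lines pointing every sender domain at the same KeyTable entry, the layout
# used on this page: mail from every domain is signed with d=<signing domain>.
# "*@domain" is a refile: pattern, so opendkim.conf needs
#   SigningTable refile:/etc/opendkim/SigningTable
dkim_signingtable_lines() {   # $1 = selector, $2 = signing domain, $3.. = sender domains
    sel=$1; sd=$2; shift 2
    for d in "$@"; do
        printf '*@%s %s._domainkey.%s\n' "$d" "$sel" "$sd"
    done
}

# Consistency check: every KeyTable name must equal <selector>._domainkey.<domain> of its
# own value and carry an absolute key path, and every SigningTable target must exist in
# the KeyTable. Returns 0 if clean, 1 otherwise (problems are reported on stderr).
dkim_tables_check() {   # $1 = KeyTable file, $2 = SigningTable file
    rc=0
    while read -r name value; do
        case "$name" in ''|\#*) continue ;; esac
        dom=${value%%:*}; rest=${value#*:}; sel=${rest%%:*}; path=${rest#*:}
        [ "$name" = "$sel._domainkey.$dom" ] \
            || { echo "KeyTable: '$name' does not match '$dom' / '$sel'" >&2; rc=1; }
        case "$path" in /*) ;; *) echo "KeyTable: '$name': key path '$path' is not absolute" >&2; rc=1 ;; esac
    done < "$1"
    while read -r sender keyname; do
        case "$sender" in ''|\#*) continue ;; esac
        awk -v k="$keyname" '$1 == k { found = 1 } END { exit !found }' "$1" \
            || { echo "SigningTable: '$sender' -> '$keyname' has no KeyTable entry" >&2; rc=1; }
    done < "$2"
    return $rc
}

# Demo on constructed files in a temporary directory.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
KEYPATH=/etc/opendkim/keys/example.com/default.private   # assumed location
dkim_keytable_line default example.com "$KEYPATH" > "$TMPD/KeyTable"
dkim_signingtable_lines default example.com example.com example.net example.org > "$TMPD/SigningTable"
# A typo in the target name, the kind of slip that shows up as "no signing table match" in maillog
printf '*@example.info defualt._domainkey.example.com\n' > "$TMPD/SigningTable.broken"

echo "== KeyTable";     cat "$TMPD/KeyTable"
echo "== SigningTable"; cat "$TMPD/SigningTable"
dkim_tables_check "$TMPD/KeyTable" "$TMPD/SigningTable" && echo "tables consistent"
dkim_tables_check "$TMPD/KeyTable" "$TMPD/SigningTable.broken" || echo "broken table rejected"
```

With this layout mail from example.net and example.org carries d=example.com, which is exactly the “signed by” effect noted above. If you would rather have each domain sign as itself, give every domain its own KeyTable line pointing at the same private key file and publish the same p= value under <selector>._domainkey.<that domain>; `dkim_tables_check` applies unchanged.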

7. Check that /etc/opendkim/TrustedHosts has the loopback IP

-sh-3.2# cat  /etc/opendkim/TrustedHosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP ( should be the first entry in this file.

8. Edit the Postfix main configuration file
You need to open the Postfix config file (/etc/postfix/ and add the following lines at the bottom of the file. Note that Postfix writes a milter address as inet:host:port, the reverse of the inet:port@host form used for Socket in opendkim.conf, so host and port here must match that Socket line.

smtpd_milters           = inet:
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol   = 2

9. Restart the opendkim and postfix services.

 -sh-3.2# service opendkim restart
Stopping OpenDKIM Milter:                                  [  OK  ]
Starting OpenDKIM Milter:                                  [  OK  ]
-sh-3.2# service postfix restart
stopping the Postfix mail system                           [  OK  ]
starting the Postfix mail system                            [  OK  ]
#chkconfig postfix on

Ensure that OpenDKIM's log lines are written to the mail log file. This is the only file where you can see OpenDKIM errors.

# tail -f /var/log/maillog
Feb 17 13:39:47 host opendkim[970]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/

10. Update the DNS records

This is the final part. You need to add a TXT entry named “default._domainkey” under your domain. You will get the text value from the file “/etc/opendkim/keys/

-sh-3.2# cat /etc/opendkim/keys/
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3 EBAQUAA4GNADWw1fqTtobJHsQsJ/49XRJ7eK49MUAkhLB9zcwusSfvrWutvqWT4iWM979    YOAt/d4ZVtFn7Dio6rUiLp103TfJh3g0694jJAOQU0sb4VM/NHgCIknQ/cvLG/snGL/aI7YIkSH1bI0YTYayewIDAQAB" ; ----- DKIM default for

Copy the whole value between the double quotes (everything after TXT, quotes excluded; any whitespace that ended up inside the p= value must be removed). My GoDaddy domain manager looks like this after adding it:

You should also add another TXT record to your zone file IN TXT “dkim=unknown”. This is the ADSP record of RFC 5617; “unknown” only states that the domain may or may not sign its mail, so it adds no protection on its own.

There is no standard requiring the selector name “default”; you can change it to whatever you wish, as long as the same selector appears in the KeyTable entry (and so in the s= tag of the signature) and in the DNS record name.

Important: don’t forget to add an SPF record for your domain as well; it may boost email delivery.
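Getting the value into DNS is where most people trip up: newer opendkim-genkey versions split the record into several quoted strings (as in one of the comments below), and a copy/paste can leave whitespace inside the base64 p= value, as in the record shown above. The script that follows is an added example, not from the post, that turns a default.txt in either layout into one string ready to paste into a DNS manager and sanity-checks it. Both input files are constructed with a shortened stub key; the selector default and the domain example.com are assumptions.

```shell
#!/bin/sh
# Added example: turn opendkim-genkey's default.txt into one TXT value for the DNS
# manager and sanity-check it. Inputs below are constructed; the key is a stub.

# Join every double-quoted string in the file in order, drop whitespace (including
# whitespace that crept into the base64 key), then put one space back after each ';'.
dkim_txt_value() {   # $1 = default.txt written by opendkim-genkey
    tr '\n' ' ' < "$1" \
        | sed 's/^[^"]*"//; s/"[^"]*$//; s/"[^"]*"//g' \
        | tr -d ' \t' \
        | sed 's/;/; /g; s/ $//'
}

# Name of the record to create for a selector/domain pair.
dkim_record_name() {   # $1 = selector, $2 = domain
    printf '%s._domainkey.%s\n' "$1" "$2"
}

# Pull the base64 public key out of a TXT value.
dkim_txt_pubkey() {   # $1 = TXT value
    printf '%s\n' "$1" | sed -n 's/.*p=\([^;]*\).*/\1/p'
}

# 0 if the value starts with v=DKIM1 and carries a p= tag that is pure base64, else 1.
dkim_txt_check() {   # $1 = TXT value
    case "$1" in "v=DKIM1;"*) ;; *) echo "value must start with v=DKIM1" >&2; return 1 ;; esac
    pub=$(dkim_txt_pubkey "$1")
    [ -n "$pub" ] || { echo "missing p= tag (public key)" >&2; return 1; }
    case "$pub" in *[!A-Za-z0-9+/=]*) echo "p= contains non-base64 characters" >&2; return 1 ;; esac
    return 0
}

# Demo: the same stub key in the one-string layout (with stray whitespace inside the
# key, like the garbled record above) and in the multi-string layout.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SAMPLE_SINGLE="$TMPD/single.txt"
SAMPLE_SPLIT="$TMPD/split.txt"
cat > "$SAMPLE_SINGLE" <<'EOF'
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQC6+OxD    B63NfoYxB7" ; ----- DKIM default for example.com
EOF
cat > "$SAMPLE_SPLIT" <<'EOF'
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6+OxD"
          "B63NfoYxB7" )  ; ----- DKIM key default for example.com
EOF

for f in "$SAMPLE_SINGLE" "$SAMPLE_SPLIT"; do
    value=$(dkim_txt_value "$f")
    if dkim_txt_check "$value"; then
        printf '%s IN TXT "%s"\n' "$(dkim_record_name default example.com)" "$value"
    fi
done
```

Both layouts yield the identical value, which is the point: the quoting is only a DNS zone-file convenience and the DNS manager wants the concatenated string. Once the record has propagated, `opendkim-testkey -d example.com -s default -vvv` (the tool used in one of the comments below) confirms that the published key matches the private key on the server. The g= tag seen in the record above was dropped from the DKIM specification in RFC 6376 and can be left out.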

Verifying whether Postfix is sending signed emails

I used a test mail sent from the command line:

#echo " This is a test mail " | mail -s "OpenDKIM test mail"

If everything goes well you will see the message “DKIM-Signature header added” in the mail log (/var/log/maillog, not /var/log/messages):

 # tail -f /var/log/maillog
Feb 17 14:12:52 host postfix/pickup[32549]: A5B56F717AC: uid=0 from=<root>
Feb 17 14:12:52 host postfix/cleanup[4092]: A5B56F717AC: message-id=<>
Feb 17 14:12:52 host opendkim[970]: A5B56F717AC: DKIM-Signature header added (s=default,

This shows you have a trusted SMTP server in place, which may be helpful for sending bulk mail ;-) ..

For better troubleshooting, restart the opendkim service first and then postfix, and read the mail server log to get a detailed report.
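To make that log reading mechanical, here is an added example (mine, not from the post) that reduces a stretch of /var/log/maillog to one line per queue ID, keeping the selector and domain OpenDKIM signed with, the reason it declined to sign when LogWhy is on, and a count of Postfix's Milter connection failures. The log lines are constructed after the entries quoted on this page and use the assumed domains example.com and example.org.

```shell
#!/bin/sh
# Added example: summarise OpenDKIM activity in a Postfix maillog. The log lines below
# are constructed after the entries quoted on this page; domains are assumptions.

# Reads maillog lines on stdin. Prints, in order of first appearance,
#   <queue id> signed <s=..., d=...>    for every message OpenDKIM signed
#   <queue id> unsigned <reason>        when LogWhy explains a skipped signature
# and finally "milter-connect-failures <n>" for Postfix's connection warnings.
maillog_dkim_summary() {
    awk '
        # "... opendkim[970]: A5B56F717AC: DKIM-Signature header added (s=default, d=example.com)"
        $5 ~ /^opendkim\[[0-9]+\]:$/ && /DKIM-Signature header added/ {
            qid = $6; sub(/:$/, "", qid)
            match($0, /s=[^,]+, d=[^)]+/)
            note(qid, "signed " substr($0, RSTART, RLENGTH)); next
        }
        # LogWhy output: "... opendkim[970]: B12CD3E4F56: no signing table match for <sender>"
        $5 ~ /^opendkim\[[0-9]+\]:$/ && /no signing table match for/ {
            qid = $6; sub(/:$/, "", qid)
            note(qid, "unsigned no SigningTable match"); next
        }
        # "... postfix/cleanup[4094]: warning: connect to Milter service inet:...: Connection refused"
        /warning: connect to Milter service/ { milter++ }
        function note(q, text) { if (!(q in seen)) { seen[q] = 1; order[++n] = q }; state[q] = text }
        END {
            for (i = 1; i <= n; i++) print order[i], state[order[i]]
            print "milter-connect-failures", milter + 0
        }'
}

# Constructed log excerpt (not real traffic): one signed message, one skipped because its
# sender domain is not in the SigningTable, and one Milter connection failure.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SAMPLE_LOG="$TMPD/maillog"
cat > "$SAMPLE_LOG" <<'EOF'
Feb 17 14:12:52 host postfix/pickup[32549]: A5B56F717AC: uid=0 from=<root>
Feb 17 14:12:52 host postfix/cleanup[4092]: A5B56F717AC: message-id=<test1@host>
Feb 17 14:12:52 host opendkim[970]: A5B56F717AC: DKIM-Signature header added (s=default, d=example.com)
Feb 17 14:13:10 host postfix/cleanup[4093]: B12CD3E4F56: message-id=<test2@host>
Feb 17 14:13:10 host opendkim[970]: B12CD3E4F56: no signing table match for 'user@example.org'
Feb 17 14:14:00 host postfix/cleanup[4094]: warning: connect to Milter service inet:localhost:8891: Connection refused
EOF

maillog_dkim_summary < "$SAMPLE_LOG"
```

On a live server feed it `tail -n 500 /var/log/maillog`. A message listed as unsigned with “no SigningTable match” means the From: domain is missing from the SigningTable (the situation in the Majordomo question below), while a non-zero Milter failure count means Postfix could not reach OpenDKIM at all and no signing was attempted.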

18 comments to OpenDKIM : Configuring DKIM keys on Postfix

  • disassembler

    Great post, very helpful. Thank you!

  • Tommix

    THE MOST complete tut I found! Really nice. Cause in other tuts nobody even mentions adding a TXT record to DNS!

  • Nishant

    Really useful article. I request that, if possible, you post a complete mail server setup tutorial.

    Thanks & Regards

  • rodrigo

    Many thanks for this!

  • Great post, very simple. Thanks!

  • Jim G

    warning: connect to Milter service inet: Connection refused

    Checked permissions and they are good. Any clues?


  • Hi – I am running a VPS with CentOS 6.4 using QMAIL. Will these instructions work? If not, how can I implement DKIM with QMAIL? Thanks!

  • Hi,

    I did it step by step as instructed and the installation was perfect. But the last step #tail -f /var/log/messages shows me something different. Also the email header does not show a DKIM signature. My key shows something like this.. could you please help me.

    default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6+OxDB63NfoYxB70bzoKlCXI+Ec22hEDvTmDFWdNRvxHRIYb631iatGm6lECkv1fqbne8MCyOtJ8x5j0IWXKcioKg1LkFBBFUEqM/ZlJjefr80fWACHHbCrIB1ptLp+Weuhnz1d3/ZTtcAiZezNmTGPFs+NTv6fmx76hjNsmWEQIDAQAB" ) ;

    • Hello Bhavik

      It’s not /var/log/messages.

      You may look at the last entries of /var/log/maillog. You will get the exact error messages. You may see “header added” text if everything is working correctly.

      The SigningTable needs to be adjusted according to the domain name you use to send emails.

      best luck

  • chris

    Great article, but I have a quick question…. OpenDKIM is up and functioning properly on my domain. I added an additional Majordomo/Sendmail server to the mix, but emails that are passed through my mail/opendkim server from this new server are not getting the DomainKey signature added and thus failing on the outside. It seems that it only happens when emails are sent internally to this maillist server and then re-routed back out through our mailserver. Mailx emails from the new maillist server are signed with no issue. Is there any sort of setting that you know of that would cause this? It is possible that the emails, when reaching the opendkim mailserver to be sent out, already have a domainkey signature in the header and that could be causing the issue… but I can’t find how to strip out or manipulate the headers before sending to ensure that the mailserver signs them properly. I have other maillist servers doing this with no issue, so I was curious if there was anything you could think of that would affect this one server.

    thanks and keep up the good work

    • Hello Chris

      I think you are using the new email list server configured as a relay server for other domains too. If you want to enable domain key signing for other domains, you may add those entries in the SigningTable. An example is shown below

      #cat /etc/opendkim/SigningTable

      Best Regards

  • hytham

    Jan 3 16:15:46 server2 postfix/cleanup[899]: warning: connect to Milter service inet: Connection timed out

    • Service opendkim restart

      Ensure that port 8891 is listening (the port on which it is supposed to run)

      #netstat -nlp | grep ":8891"

    • Hi,
      I have a similar problem running opendkim with sendmail.
      Mail log contains: "Milter (opendkim): error connecting to filter: Connection refused by"

      netstat -nlp | grep ":8891" returns nothing. includes: INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@')

      Any ideas?

  • omer

    When I installed the repository and tried: yum install opendkim I get this error

    --> Processing Dependency: for package: unbound-libs-1.4.20-2.el5.x86_64
    --> Running transaction check
    ---> Package ldns.x86_64 0:1.6.16-1.el5 will be installed
    --> Processing Dependency: for package: ldns-1.6.16-1.el5.x86_64
    ---> Package unbound-libs.x86_64 0:1.4.20-2.el5 will be installed
    --> Processing Dependency: for package: unbound-libs-1.4.20-2.el5.x86_64
    --> Finished Dependency Resolution
    Error: Package: unbound-libs-1.4.20-2.el5.x86_64 (epel)
    Error: Package: ldns-1.6.16-1.el5.x86_64 (epel)
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest

  • I followed all the steps but I get this error
    [root@mail ~]# opendkim-testkey -vvv -d
    opendkim-testkey: using default configfile /etc/opendkim.conf
    opendkim-testkey: key loaded from /etc/opendkim/keys/
    opendkim-testkey: checking key ''
    opendkim-testkey: multiple DNS replies for ''

  • Simran

    Hello, I want to replace default with m1. Is that possible?
    If yes, please tell me what changes I would have to make.
