Set up DKIM on a CentOS 7 server running Postfix
DKIM (DomainKeys Identified Mail) is an email-signing method that uses a key pair: one private key and one public key.
The recipient's mail server applies DKIM to verify that a message genuinely comes from the sender's domain, which helps reduce spam.
The workflow of DKIM is rather simple:
When setting up the mail server, we create one private and one public key. The public key is published in the zone file of our domain as a TXT record. The private key, as the name implies, stays on the mail server in a protected directory.
When a user sends an email, the mail server (i.e. Postfix) signs the message with the private key and attaches the resulting digital signature to the email headers. The recipient's server then reads that signature and verifies it against the public key found in the domain's zone file. If the signature verifies, the message is considered legitimate and is delivered to the recipient's inbox.
In the following tutorial I explain, in 7 simple tasks, how to implement DKIM signing on your mail server.
For simplicity, let's assume that you are running a CentOS 7 mail server, that Postfix is already up and running, and that your domain name is "domain.com".
Task 1: Install OpenDKIM
For this task, make sure you have installed and enabled the EPEL repository:
# yum install opendkim
Task 2: Generate keys
# mkdir -p /etc/opendkim/keys/domain.com
# cd /etc/opendkim/keys/domain.com
# opendkim-genkey -r -d domain.com
Task 3: Set the right permissions
# chown -R opendkim:opendkim /etc/opendkim
# chmod go-rw /etc/opendkim/keys
Task 4: OpenDKIM configuration
# vi /etc/opendkim.conf
Make sure that the parameters below are set as described:
#KeyFile /etc/opendkim/keys/default.private ### comment this line
Now edit the domain keys list file:
# vi /etc/opendkim/KeyTable
and add the following line:
Next, edit the signing table file:
# vi /etc/opendkim/SigningTable
and make sure the following line appears:
Finally, edit the trusted hosts file:
# vi /etc/opendkim/TrustedHosts
and add the hostnames that are permitted to send mail on behalf of your domain:
Task 5: Postfix configuration
Now open the main configuration file of Postfix:
# vi /etc/postfix/main.cf
and add these lines at the end of the file:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Task 6: Start and enable the new service
We need to start OpenDKIM, make sure it starts automatically on boot, and finally restart Postfix:
# service opendkim start
# chkconfig opendkim on
# service postfix restart
Task 7: Configure DNS zone file
Print the contents of the file default.txt:
# cat /etc/opendkim/keys/domain.com/default.txt
You will get output similar to this:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB" ) ; ----- DKIM key default for domain.com
Select and copy the contents of your file.
Next, at your DNS server, open your domain's zone file and paste the copied content at the very end of it.
If necessary, restart the DNS service.
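Zone files accept the multi-string form that opendkim-genkey writes (the parentheses, two quoted pieces and trailing comment), but many hosted DNS panels want one name and one plain value, and a stray quote or line break in the pasted value makes every signature fail verification. The script below is an added example, not part of the tutorial: it flattens default.txt into that single value, sanity-checks it, and compares it with what DNS actually publishes. The sample file is constructed inline from the tutorial's own default.txt output; the function and variable names are mine, and dkim_dns_check assumes dig is installed (package bind-utils on CentOS) and is only called by hand, not in the demo.

```shell
#!/bin/sh
# Added example, not from the tutorial: prepare and verify the DKIM TXT record
# produced by opendkim-genkey (Task 7). Sample input constructed below from the
# tutorial's own default.txt output.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB" ) ; ----- DKIM key default for domain.com
EOF

dkim_txt_name() {
    # Owner name of the record (e.g. default._domainkey); add the zone origin
    # yourself if your DNS panel asks for a fully qualified name.
    sed -n 's/^\([^[:space:]]*\)[[:space:]]*IN[[:space:]]*TXT.*/\1/p' "$1" | head -n 1
}

dkim_flatten_txt() {
    # Join the quoted pieces inside ( ... ) into one string, dropping the
    # parentheses, quotes and trailing comment that a zone file tolerates but
    # web DNS panels usually do not.
    tr -d '\n' < "$1" | sed 's/.*(\(.*\)).*/\1/' | grep -o '"[^"]*"' | tr -d '"\n'
}

dkim_pubkey() {
    # The base64 public key (the p= tag) of the flattened record.
    dkim_flatten_txt "$1" | sed -n 's|.*p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

dkim_record_ok() {
    # Sanity checks before publishing: version tag first, a non-empty p= tag,
    # and no control characters left over from copy-and-paste.
    rec=$(dkim_flatten_txt "$1")
    case "$rec" in
        "v=DKIM1;"*) ;;
        *) echo "record does not start with v=DKIM1" >&2; return 1 ;;
    esac
    [ -n "$(dkim_pubkey "$1")" ] || { echo "no p= tag found" >&2; return 1; }
    if printf '%s' "$rec" | grep -q '[^[:print:]]'; then
        echo "non-printable characters in record" >&2; return 1
    fi
    return 0
}

dkim_dns_check() {
    # Compare the published record with the local file. dig prints the TXT
    # strings quoted and possibly split, so they are joined the same way.
    domain=$1; selector=$2; file=$3
    expected=$(dkim_flatten_txt "$file")
    published=$(dig +short TXT "${selector}._domainkey.${domain}" | grep -o '"[^"]*"' | tr -d '"\n')
    if [ "$published" = "$expected" ]; then
        echo "DNS record for ${selector}._domainkey.${domain} matches $file"
    else
        echo "mismatch or no record published for ${selector}._domainkey.${domain}" >&2
        return 1
    fi
}

# Demo on the constructed sample
echo "name:  $(dkim_txt_name "$SAMPLE")"
echo "value: $(dkim_flatten_txt "$SAMPLE")"
dkim_record_ok "$SAMPLE" && echo "record looks well-formed"
# Live check once the zone has been updated (needs network access and dig):
# dkim_dns_check domain.com default /etc/opendkim/keys/domain.com/default.txt
```

Run dkim_dns_check only after the zone change has propagated; until the published value equals the flattened file byte for byte, receivers will reject the signature rather than the mail, since Task 5 tells Postfix to accept mail regardless of milter results.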
That's it. You are now running the DKIM service!
IMPORTANT: In case you serve multiple domains
If your server serves more than one domain name, repeat Tasks 2 and 3 for each one of your domains.
Then edit the KeyTable and SigningTable to complete the procedure.
For each one of your domains, add a line as in the example:
Here too, for each one of your domains, add a line as shown below:
Last but not least, repeat Task 7 for every domain and, at the end, don't forget to restart the services!
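The manual edits of Task 4 and of the multi-domain section above are easy to get subtly wrong (a duplicated entry, a KeyTable path that does not match where the key really lives, or a KeyFile directive left active alongside KeyTable). The script below is an added example, not part of the tutorial, that generates those entries for any number of domains and checks them. Its assumptions are the standard OpenDKIM table formats documented in opendkim.conf(5), the selector "default", and the key layout opendkim-genkey produces ($CONF_ROOT/keys/<domain>/default.private); the function names are mine. By default it works in a scratch directory so it can be tried without root; set CONF_ROOT=/etc/opendkim to edit the real tables.

```shell
#!/bin/sh
# Added example, not part of the tutorial: generate and sanity-check the
# OpenDKIM KeyTable / SigningTable entries that Task 4 and the multi-domain
# section have you type by hand. Assumptions (standard OpenDKIM table formats,
# see opendkim.conf(5)): selector "default" and private keys stored as
# $CONF_ROOT/keys/<domain>/<selector>.private, as opendkim-genkey lays them out.
# Set CONF_ROOT=/etc/opendkim to edit the real tables (as root); by default a
# scratch directory is used so the script can be tried safely.

CONF_ROOT=${CONF_ROOT:-$(mktemp -d)}

dkim_keytable_line() {
    # KeyTable entry: <selector>._domainkey.<domain> <domain>:<selector>:<private key path>
    domain=$1; selector=${2:-default}
    printf '%s._domainkey.%s %s:%s:%s/keys/%s/%s.private\n' \
        "$selector" "$domain" "$domain" "$selector" "$CONF_ROOT" "$domain" "$selector"
}

dkim_signingtable_line() {
    # SigningTable (refile) entry: every sender at the domain maps to the KeyTable name
    domain=$1; selector=${2:-default}
    printf '*@%s %s._domainkey.%s\n' "$domain" "$selector" "$domain"
}

dkim_write_tables() {
    # Append both entries for each domain given. Lines already present are
    # skipped, so re-running for a new domain never duplicates old ones.
    touch "$CONF_ROOT/KeyTable" "$CONF_ROOT/SigningTable"
    for domain in "$@"; do
        k=$(dkim_keytable_line "$domain")
        s=$(dkim_signingtable_line "$domain")
        grep -qxF "$k" "$CONF_ROOT/KeyTable"     || printf '%s\n' "$k" >> "$CONF_ROOT/KeyTable"
        grep -qxF "$s" "$CONF_ROOT/SigningTable" || printf '%s\n' "$s" >> "$CONF_ROOT/SigningTable"
    done
}

dkim_check_keys() {
    # Every KeyTable entry must point at an existing private key that group and
    # other cannot read (Task 3 only restricts the keys directory itself).
    rc=0
    for key in $(awk '{print $2}' "$CONF_ROOT/KeyTable" | cut -d: -f3); do
        if [ ! -f "$key" ]; then
            echo "missing private key: $key" >&2; rc=1
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "private key readable by group/other: $key" >&2; rc=1
        fi
    done
    return $rc
}

dkim_conf_check() {
    # opendkim.conf must not keep the single-domain KeyFile directive active
    # (Task 4 says to comment it out) and must point at the two tables.
    conf=$1; rc=0
    if grep -Eq '^[[:space:]]*KeyFile' "$conf"; then
        echo "KeyFile is still active in $conf; comment it out" >&2; rc=1
    fi
    for opt in KeyTable SigningTable; do
        grep -Eq "^[[:space:]]*$opt[[:space:]]" "$conf" \
            || { echo "$opt is not set in $conf" >&2; rc=1; }
    done
    return $rc
}

# Demo against the scratch directory with two constructed domains. The empty
# files stand in for the private keys opendkim-genkey creates in Task 2.
for d in domain.com example.net; do
    mkdir -p "$CONF_ROOT/keys/$d"
    : > "$CONF_ROOT/keys/$d/default.private"
    chmod 600 "$CONF_ROOT/keys/$d/default.private"
done
dkim_write_tables domain.com example.net
dkim_write_tables domain.com          # second run adds nothing
printf 'KeyTable refile:%s/KeyTable\nSigningTable refile:%s/SigningTable\n#KeyFile /etc/opendkim/keys/default.private\n' \
    "$CONF_ROOT" "$CONF_ROOT" > "$CONF_ROOT/opendkim.conf"
cat "$CONF_ROOT/KeyTable" "$CONF_ROOT/SigningTable"
dkim_check_keys && dkim_conf_check "$CONF_ROOT/opendkim.conf" && echo "tables, keys and opendkim.conf are consistent"
```

After running it against /etc/opendkim, restart opendkim and postfix as in Task 6. Keep in mind that milter_default_action = accept (Task 5) means Postfix keeps delivering mail unsigned whenever OpenDKIM is stopped or rejects a key, so a failing dkim_check_keys shows up as lost DKIM signatures rather than bounced mail; check the opendkim log entries in /var/log/maillog after a restart.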
Optional task: Verify the service
In case you are wondering, you can verify the proper operation of your new DKIM installation by visiting:
Or you can just send an email to firstname.lastname@example.org, and an automated reply with email status details will arrive shortly in your inbox.
It is an excellent mail-deliverability tool and very easy to use.
Just send an email to the specified address (email@example.com, at the time of writing), type your email address into the corresponding box, and press "Search" to view your results.