
Setup DKIM on Centos 7 server running Postfix


Server Administration

DKIM (DomainKeys Identified Mail) is an email-signing method that uses a key pair: one private key and one public key.

The DKIM signature is checked by the mail server of the email recipient in order to verify the authenticity of the sender, and thus to reduce spam.

The DKIM workflow is rather simple.
When setting up the mail server, we create one private and one public key. The public key is then published in the zone file of our domain in the form of a TXT record. The private key, as the name implies, stays on the mail server in a protected directory.
When a user sends an email, the message is signed by the mail server (i.e. Postfix, through the OpenDKIM milter) with the private key. This digital signature is attached to the headers of the email. Finally, the recipient's server reads that signature and verifies it against the public key (which it looks up in the domain's zone file). If the signature verifies, the message is considered legitimate and is delivered to the recipient's inbox.

In the following tutorial I will explain, in 7 simple tasks, how to set up DKIM signing on your mail server.
For simplicity, let's assume that you are running a Red Hat CentOS 7 mail server, that Postfix is already up and running, and that our domain name is "domain.com".


Task 1: Install OpenDKIM

For this task, make sure you have installed and enabled the EPEL repository:

# yum install opendkim

 

Task 2: Generate keys

# mkdir -p /etc/opendkim/keys/domain.com
# cd /etc/opendkim/keys/domain.com
# opendkim-genkey -r -d domain.com

 

Task 3: Set the right permissions

# chown -R opendkim:opendkim /etc/opendkim
# chmod go-rw /etc/opendkim/keys

 

Task 4: OpenDKIM configuration

# vi /etc/opendkim.conf

Make sure that the parameters below are set as follows:

Mode sv
Socket inet:8891@localhost
Domain domain.com
#KeyFile /etc/opendkim/keys/default.private ### comment out this line (the KeyTable below is used instead)
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts

Now edit the key table file:

# vi /etc/opendkim/KeyTable

and add the following line:

default._domainkey.domain.com domain.com:default:/etc/opendkim/keys/domain.com/default.private

Next, edit the signing table file:

# vi /etc/opendkim/SigningTable

and make sure the following line appears:

*@domain.com default._domainkey.domain.com

Finally, edit the trusted hosts file:

# vi /etc/opendkim/TrustedHosts

and add the hostnames that are permitted to send mail on behalf of your domain:

domain.com
mail.domain.com

 

Task 5: Postfix configuration

Now open the main configuration file of Postfix:

# vi /etc/postfix/main.cf

and add these lines at the end of the file:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

 

Task 6: Start and enable the new service

We need to start OpenDKIM, make sure it starts automatically on boot, and finally restart Postfix:

# service opendkim start
# chkconfig opendkim on
# service postfix restart

 

Task 7: Configure DNS zone file

Get the contents of the file default.txt:

# cat /etc/opendkim/keys/domain.com/default.txt

You will get output similar to this:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB" ) ; ----- DKIM key default for domain.com
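As an added example (not part of the original tutorial), the following Python script parses the default.txt record above into the record name and the single flat TXT value that most DNS control panels expect you to paste, and sanity-checks the tags before you publish them. It uses the tutorial's sample record as its input.

```python
import base64
import re

# The default.txt record shown in Task 7 above (the tutorial's own sample
# key), used here as the input to parse.
DEFAULT_TXT = '''default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB" ) ; ----- DKIM key default for domain.com
'''

def parse_dkim_record(text):
    """Split a default.txt file into (record name, flat TXT value, tag dict).
    The quoted chunks are joined into one string, which is the form most DNS
    control panels expect you to paste as the TXT value."""
    name = text.split(None, 1)[0]
    flat = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in flat.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key] = value.strip()
    return name, flat, tags

def decode_public_key(p):
    """Strict base64 decode of the p= tag; raises ValueError on bad input."""
    return base64.b64decode(p, validate=True)

def check_dkim_record(tags):
    """Sanity checks before publishing: DKIM version, RSA key type, and a p=
    tag that decodes to a DER SubjectPublicKeyInfo (an ASN.1 SEQUENCE, so the
    first byte is 0x30). Returns a list of problems, empty when all is well."""
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    p = tags.get("p", "")
    if not p:
        return problems + ["empty p= tag (an empty p= means the key is revoked)"]
    try:
        der = decode_public_key(p)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if not der.startswith(b"\x30"):
        problems.append("p= does not decode to a DER public key")
    return problems

if __name__ == "__main__":
    name, flat, tags = parse_dkim_record(DEFAULT_TXT)
    print(name, "TXT", flat)
    print("problems:", check_dkim_record(tags) or "none")
```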

Select and copy the contents of your file.

Next, at your DNS server, open your domain's zone file and paste the copied content at the very end of it.

If necessary, restart the DNS service.

 

That's it. You are now running the DKIM service!

 

IMPORTANT: In case you serve multiple domains

If your server is shared between more than one domain name, repeat tasks 2 and 3 for each one of your domains.
Then edit the KeyTable and SigningTable to complete the procedure:

# vi /etc/opendkim/KeyTable

and for each one of your domains add a line, as in this example:

default._domainkey.domain1.com domain1.com:default:/etc/opendkim/keys/domain1.com/default.private
default._domainkey.domain2.com domain2.com:default:/etc/opendkim/keys/domain2.com/default.private
default._domainkey.domain3.com domain3.com:default:/etc/opendkim/keys/domain3.com/default.private

and

# vi /etc/opendkim/SigningTable

here too, for each one of your domains, add a line as shown below:

*@domain1.com default._domainkey.domain1.com
*@domain2.com default._domainkey.domain2.com
*@domain3.com default._domainkey.domain3.com
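The following Python check is an added example, not part of the tutorial or of OpenDKIM itself: it parses KeyTable and SigningTable files in the format shown in Task 4 and in this section, reports SigningTable lines that point at a key the KeyTable does not define (the classic multi-domain mistake), and shows which key OpenDKIM would pick for a given sender address. The sample tables are constructed, with the domain3.com KeyTable line deliberately left out; fnmatch stands in for OpenDKIM's refile matching.

```python
import fnmatch

# Constructed sample tables in the format of Task 4 and the multi-domain section;
# the domain3.com SigningTable line deliberately has no KeyTable entry.
KEY_TABLE = """\
default._domainkey.domain1.com domain1.com:default:/etc/opendkim/keys/domain1.com/default.private
default._domainkey.domain2.com domain2.com:default:/etc/opendkim/keys/domain2.com/default.private
"""
SIGNING_TABLE = """\
*@domain1.com default._domainkey.domain1.com
*@domain2.com default._domainkey.domain2.com
*@domain3.com default._domainkey.domain3.com
"""

def _entries(text):
    """Yield [first_field, rest] for every non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.split(None, 1)

def parse_key_table(text):
    """Map KeyTable key name -> (domain, selector, private_key_path)."""
    return {name: tuple(spec.split(":", 2)) for name, spec in _entries(text)}

def parse_signing_table(text):
    """Map SigningTable sender pattern -> KeyTable key name it signs with."""
    return dict(_entries(text))

def check_tables(key_table, signing_table):
    """Return problems: SigningTable lines naming a key the KeyTable lacks,
    key names not following the selector._domainkey.domain naming convention
    used in this tutorial, and KeyTable entries no SigningTable line uses."""
    keys, signing = parse_key_table(key_table), parse_signing_table(signing_table)
    problems = [f"{p}: no KeyTable entry named {k}" for p, k in signing.items() if k not in keys]
    for name, (domain, selector, _path) in keys.items():
        if name != f"{selector}._domainkey.{domain}":
            problems.append(f"{name}: does not match {selector}._domainkey.{domain}")
        if name not in signing.values():
            problems.append(f"{name}: not referenced by any SigningTable line")
    return problems

def signer_for(address, key_table, signing_table):
    """(domain, selector, key_path) OpenDKIM would sign with for this sender,
    or None. refile: patterns are globs; fnmatch approximates OpenDKIM's matcher."""
    keys = parse_key_table(key_table)
    for pattern, keyname in parse_signing_table(signing_table).items():
        if fnmatch.fnmatchcase(address.lower(), pattern.lower()):
            return keys.get(keyname)
    return None
```

Run `check_tables` after editing the two files; an empty list means every signing rule resolves to a key on disk.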

Last but not least, repeat Task 7 for every domain and, at the end, don't forget to restart the services!

 

Optional task: Verify the service

If you are wondering whether it works, you can verify the proper operation of your new DKIM installation by visiting:

MX Toolbox

Or you can just send an email to ping@tools.mxtoolbox.com, and an automated reply with the email's status details will arrive shortly in your inbox.

It is an excellent mail-deliverability tool and very easy to use.
Just send an email to the specified address (ping@tools.mxtoolbox.com at the time of writing), type your email address into the corresponding box, and press "Search" to view your results.

 

 

