Configure OpenDKIM with Postfix
by Jeff on December 12th, 2016 No Comments »

This article outlines the process that I use to configure OpenDKIM with Postfix. I will be using CentOS 7 for this article and assume that nothing has been installed on the OS.

Install the EPEL Repository
In order to configure OpenDKIM with Postfix, we must first install OpenDKIM. OpenDKIM is provided to yum through the EPEL repository, so install the EPEL release package with yum first:

[root@smtp]# yum install epel-release -y

Install OpenDKIM
Now that the EPEL repository is installed, we can install OpenDKIM:

[root@smtp]# yum install opendkim opendkim-tools -y 

Generate OpenDKIM Keys
Before we can configure OpenDKIM with Postfix, we must generate an OpenDKIM key that will be referenced in our OpenDKIM configuration and published through our public DNS provider. While creating our DKIM key, we will specify our selector name. The selector becomes part of the name of the DNS record, sel01._domainkey.domain.com. If you are going to run different mail services, each with their own DKIM key, then you want to use a unique selector for each of them. For this example, I’ll be using the selector sel01 and the domain technologyand.me. Replace technologyand.me with your domain and replace sel01 with your selector name. I will also be writing my keys to a custom directory: /etc/opendkim/keys/technologyand.me

[root@smtp]# mkdir /etc/opendkim/keys/technologyand.me
[root@smtp]# opendkim-genkey -D /etc/opendkim/keys/technologyand.me -d technologyand.me -s sel01
[root@smtp]# chown -R root:opendkim /etc/opendkim/keys/technologyand.me
[root@smtp]# chmod 640 /etc/opendkim/keys/technologyand.me/sel01.private
[root@smtp]# chmod 644 /etc/opendkim/keys/technologyand.me/sel01.txt

Configure OpenDKIM to use our new Key
Before we can configure OpenDKIM with Postfix, we must tell OpenDKIM where to find our keys. This is done through the OpenDKIM configuration file, /etc/opendkim.conf. Make a backup of this file, then open it with your favorite editor; I prefer vi.

[root@smtp]# cp /etc/opendkim.conf /etc/opendkim.conf.orig
[root@smtp]# vi /etc/opendkim.conf

Uncomment the following lines:
KeyTable, SigningTable, ExternalIgnoreList and InternalHosts.

Comment out the following lines by adding a # at the beginning:
Domain to #Domain
Selector to #Selector
KeyFile to #KeyFile

Then save and quit by pressing Esc, typing :wq and pressing Enter.

Now that those lines are uncommented, we need to populate the files they reference with our key location for each domain.

First, we’ll add our reference to the KeyTable file. KeyTable tells OpenDKIM which key and selector to use for a given domain. Issue the following command, replacing sel01 with your selector name and technologyand.me with your domain name.

[root@smtp]# echo "sel01._dkim.technologyand.me technologyand.me:sel01:/etc/opendkim/keys/technologyand.me/sel01.private" >> /etc/opendkim/KeyTable

Next we’ll configure the SigningTable file which tells OpenDKIM which keys to use for different addresses. You could have different keys for different users, or one key per domain (recommended). Issue the following command, replacing sel01 with your selector name and technologyand.me with your domain name.

[root@smtp]# echo "*@technologyand.me sel01._dkim.technologyand.me" >> /etc/opendkim/SigningTable
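A quick consistency check for the two tables, as an added example that is not part of the article or of OpenDKIM itself: it verifies that every SigningTable entry points at a KeyTable key, that the KeyTable domain matches the sender pattern, and that the selector field in the KeyTable is the one the key file was generated with (the sample lines are constructed; key-file existence is checked through an injectable function so it also runs off the mail server).

```python
"""Cross-check OpenDKIM KeyTable and SigningTable entries (added example, not from the article)."""
import os

# Constructed samples: a KeyTable line whose selector field ('default') does not match the
# sel01 key file it points at, the corrected line, and the SigningTable line that uses it.
BAD_KEYTABLE = ("sel01._dkim.technologyand.me technologyand.me:default:"
                "/etc/opendkim/keys/technologyand.me/sel01.private\n")
GOOD_KEYTABLE = BAD_KEYTABLE.replace(":default:", ":sel01:")
SIGNINGTABLE = "*@technologyand.me sel01._dkim.technologyand.me\n"

def parse_table(text):
    """Return (first field, rest of line) pairs for each non-comment line of either table."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(None, 1)
            if len(fields) != 2:
                raise ValueError("malformed line: %r" % line)
            rows.append(tuple(fields))
    return rows

def check_tables(keytable, signingtable, key_exists=os.path.isfile):
    """Return a list of problems; an empty list means the tables agree with each other and the key files."""
    problems, domains = [], {}
    for name, value in parse_table(keytable):
        parts = value.split(":")
        if len(parts) != 3:
            problems.append("KeyTable %s: want domain:selector:keyfile, got %r" % (name, value))
            continue
        domain, selector, keyfile = parts
        # opendkim-genkey -s SEL writes SEL.private; any other selector here lands in the s= tag
        # of every signature, so verifiers query a _domainkey name that was never published
        if os.path.basename(keyfile) != selector + ".private":
            problems.append("KeyTable %s: selector %r does not match key file %s" % (name, selector, keyfile))
        if not key_exists(keyfile):
            problems.append("KeyTable %s: key file %s is missing" % (name, keyfile))
        domains[name] = domain
    for pattern, name in parse_table(signingtable):
        if name not in domains:
            problems.append("SigningTable %s: key name %r is not in KeyTable" % (pattern, name))
        elif pattern.rpartition("@")[2] != domains[name]:
            problems.append("SigningTable %s: domain does not match KeyTable domain %s" % (pattern, domains[name]))
    return problems
```

On the server, feed it the real files with `check_tables(open("/etc/opendkim/KeyTable").read(), open("/etc/opendkim/SigningTable").read())` and fix anything it lists before restarting OpenDKIM.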

Finally, we’ll configure our TrustedHosts file. This file is a list of hosts or networks that OpenDKIM will trust and sign mail for. At a minimum, you will need to enter 127.0.0.1 (local server), along with any host that will use this server as an email relay. You may enter a single IP Address, a Domain Name, or a CIDR network address. Since the localhost IP is already configured, you can leave this file as is, unless you are relaying mail from other devices. If so, edit the file with your favorite text editor and add the address.

[root@smtp]# vi /etc/opendkim/TrustedHosts

Configure OpenDKIM with Postfix
Finally, let’s configure OpenDKIM with Postfix. Let’s start by letting Postfix know about DKIM and how to connect to the service. We’re going to add 3 lines to the Postfix configuration file, /etc/postfix/main.cf.

[root@smtp]# echo "smtpd_milters          = inet:127.0.0.1:8891" >> /etc/postfix/main.cf
[root@smtp]# echo "non_smtpd_milters      = \$smtpd_milters" >> /etc/postfix/main.cf
[root@smtp]# echo "milter_default_action  = accept" >> /etc/postfix/main.cf

Start our Services
Now that we have configured OpenDKIM, generated keys, referenced the keys and referenced OpenDKIM in Postfix, it’s finally time to restart some services. I’m using CentOS 7, so I’ll use systemd:

[root@smtp]# systemctl start opendkim
[root@smtp]# systemctl enable opendkim
[root@smtp]# systemctl restart postfix

If you are using CentOS < 7, then use the following commands instead:

[root@smtp]# service opendkim start
[root@smtp]# chkconfig opendkim on
[root@smtp]# service postfix restart

Add DNS Records
Since DKIM signatures are validated against the public key in DNS, you will need to create the matching selector TXT record. Copy the text between the ( and ) in the output of the following command. Remember to replace sel01 with your selector and technologyand.me with your domain.

[root@smtp]# cat /etc/opendkim/keys/technologyand.me/sel01.txt

Your output should look similar to this:

sel01._domainkey        IN      TXT     ( "v=DKIM1; k=rsa; "        "p=MIGgMA0GCSqGSqb3DQEBAQUA34GNADCBiQKqgQDUXujeEO5JOHTk7TX81g8Pu5pKTFdbDa3Y9DAbMwY+AAQVdfcwGAf1qyn4JKr7VT2gOXWLGCPRwPtLI+7mTmNo6tntU305isQ26UExbHRmhw1/pwqbRkOz0Kd5pjnbP2cFJPoLRgQyqjK0+5pE5TX3QlmEHHlgSt1JHJyXM4wtnwIDAQAB" )  ; ----- DKIM key sel01 for technologyand.me

You’ll want to copy the text, join it onto one line and remove the additional quotes, so your value looks like this:

"v=DKIM1; k=rsa;   p=MIGgMA0GCSqGSqb3DQEBAQUA34GNADCBiQKqgQDUXujeEO5JOHTk7TX81g8Pu5pKTFdbDa3Y9DAbMwY+AAQVdfcwGAf1qyn4JKr7VT2gOXWLGCPRwPtLI+7mTmNo6tntU305isQ26UExbHRmhw1/pwqbRkOz0Kd5pjnbP2cFJPoLRgQyqjK0+5pE5TX3QlmEHHlgSt1JHJyXM4wtnwIDAQAB"

Head on over to your DNS provider and create a new TXT record with the following:
Host/Hostname: sel01._domainkey
Value: Key from above with no line breaks or extra quotes
TTL/Expire/Time to Live: The lowest setting for now.
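The join-and-strip step above is easy to get wrong by hand, so here is an added example (not from the article or from OpenDKIM) that reads the layout opendkim-genkey writes to sel01.txt, produces the one-line value for the TXT record, and checks it for the usual mistakes: leftover quotes, a missing or empty p= tag, or a p= value that is not base64-encoded DER. The sample record is constructed and its p= is a short placeholder, not a real key.

```python
"""Flatten and sanity-check the DKIM TXT value taken from <selector>.txt (added example, not from the article)."""
import base64
import re

# Constructed sample in the layout opendkim-genkey writes: quoted chunks inside ( ... ) followed
# by a comment. The p= value is a short placeholder, not a real public key.
SAMPLE_TXT = (
    'sel01._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA" )  ; ----- DKIM key sel01 for technologyand.me\n'
)

def flatten_record(selector_txt):
    """Join the quoted chunks inside the parentheses into the one-line value to paste into DNS."""
    body = re.search(r"\((.*?)\)", selector_txt, re.S)
    if body is None:
        raise ValueError("no parenthesised TXT record found")
    return "".join(re.findall(r'"([^"]*)"', body.group(1)))

def parse_tags(value):
    """Split 'tag=value; tag=value' into a dict, dropping whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def validate_record(value):
    """Return a list of problems with a DKIM key record; an empty list means it looks publishable."""
    problems = []
    if '"' in value:
        problems.append("stray quote characters: remove the quotes before pasting the value")
    tags = parse_tags(value.replace('"', ""))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for a key made by opendkim-genkey")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means a revoked key; nothing will verify")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if not der.startswith(b"\x30"):  # DER SEQUENCE, the outer SubjectPublicKeyInfo
                problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
        except ValueError:
            problems.append("p= is not valid base64")
    return problems
```

Run `validate_record(flatten_record(open("/etc/opendkim/keys/technologyand.me/sel01.txt").read()))` on the server; an empty list means the value is ready to paste, and after publishing you can pass the value returned by your DNS provider through validate_record to confirm nothing was mangled.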

Validate your Key
Wait 10 minutes or so after you modify your DNS before proceeding. Also, ensure you have the lowest TTL setting available during testing; anything less than 1 minute will suffice.

Use this tool, http://dkimvalidator.com/, to generate a random email address that you can send to. The server will receive your message and validate your SPF record and DKIM signature. If there is an issue with your key or DNS records, make the appropriate changes, then try again. Once everything is passing, change the TTL on the _domainkey record to something a little higher, like a day.