Today we will write a small tutorial on how to implement DomainKeys Identified Mail (DKIM) for the domain example.com.
DKIM is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain.[1] It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.

So let's start by installing the tools that will be used to implement and configure DKIM.
At this point we assume you have a fully running mail server, and what you need is to implement DKIM to sign outgoing mail from your domain or several domains.

apt-get install opendkim opendkim-tools

After the successful installation of the tools, we will add the postfix user to the opendkim group so that it has access to opendkim

adduser postfix opendkim

Then edit the OpenDKIM configuration file to match our requirements.
Edit the following file

vim /etc/opendkim.conf

and make sure the lines below match the following settings for our domain example.com


# Sign for example.com with key in /etc/postfix/dkim.key using
# selector 'dkim' (e.g. dkim._domainkey.example.com)
Domain example.com 
KeyFile /etc/postfix/dkim.key 
Selector dkim 
SOCKET inet:1234@localhost

The last line of the above configuration, "SOCKET inet:1234@localhost", should be added to the file /etc/default/opendkim

Edit /etc/default/opendkim and add


SOCKET inet:1234@localhost

at the end of the file, then save and exit the editor.

At this point we need to add some lines to the Postfix main.cf file so that Postfix knows opendkim is installed and uses it for signing mail.

Edit the file /etc/postfix/main.cf and add the settings below at the end of the file


# -------------------------------------- 
# DKIM Integrations with MTA 
# -------------------------------------- 

# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2 
milter_protocol = 6 
milter_default_action = accept 
smtpd_milters = unix:var/run/opendkim/opendkim.sock 
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock 

#smtpd_milters = inet:localhost:1234 
#non_smtpd_milters = inet:localhost:1234

Edit the file /etc/postfix/master.cf and append no_milters to the receive_override_options line. This line is mostly present if you are using content filters on your mail server, and it will look like the line below

#-------------------------------------------------------------------- 
#Mostly this line will be available in the master.cf file if you are using milters like amavis 
#-------------------------------------------------------------------- 
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

After that we are done with the configuration of OpenDKIM with Postfix. The remaining part is to generate the key and the txt file to be published in the DNS for our domain.

Let's generate the .private and .txt files using the opendkim-genkey command below

opendkim-genkey -t -s dkim -d example.com

# list the files that have been generated by the above command
ls

You will see two files as shown below

dkim.private  dkim.txt

Move the dkim.private file to /etc/postfix/ and assign it the appropriate permissions as shown below


mv dkim.private /etc/postfix/dkim.key 
chmod 660 /etc/postfix/dkim.key 
chown root:opendkim /etc/postfix/dkim.key

After that, we will need to restart the opendkim and postfix services for the changes we have made to take effect.

Create the socket directory and the file opendkim.sock


mkdir -p /var/spool/postfix/var/run/opendkim 
touch /var/spool/postfix/var/run/opendkim/opendkim.sock 
chmod 774 /var/spool/postfix/var/run/opendkim/opendkim.sock 
chown opendkim:opendkim /var/spool/postfix/var/run/opendkim

Edit /etc/opendkim.conf and add the line below

Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

Edit /etc/default/opendkim, comment out the default SOCKET line and add the line below

SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"

Restart the respective services for the changes to take effect


service opendkim restart
service postfix restart

The two files that were generated above using the opendkim-genkey command contain the key and the txt content, which will be added to the forward DNS zone file of our domain.

Copy the content of the .txt file and log in to your DNS management interface, whether you are using the command line or a web control panel. Add the information as a TXT record in the DNS management

dkim._domainkey IN  TXT ( "v=DKIM1; k=rsa; t=y; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9rulKo58JIb5h+3MMEnYhlnbuVgRoA4w68R/X7qA2Lfv3RpdrrUb+r7KxemIo6PUIOm6uZ5OymhBgpJ0LAWBHBSJjnFmDXNajSgxMOcvkpgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB" ) ; ----- DKIM key mail for example.com

Save the changes and give it some time for the DNS changes to take effect on the internet. In the meantime you can still try dig and see what is happening

dig dkim._domainkey.example.com txt

I expect the above command won't give you a proper answer, because the domain example.com is just for testing purposes. You can try it with a live domain like yahoo.com or gmail.com and see what results you get.
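Before relying on the published record, it helps to audit what was actually generated. The sketch below is an added example, not part of the original tutorial or of OpenDKIM: it parses the TXT record shown above, flags the t=y testing flag that the -t option of opendkim-genkey sets (in testing mode verifiers are told not to treat the mail differently from unsigned mail), and reads the RSA key size out of the p= value. The function names are this example's own.

```python
import base64
import re

# TXT record as shown on this page (opendkim-genkey -t -s dkim -d example.com).
ZONE_RECORD = '''dkim._domainkey IN  TXT ( "v=DKIM1; k=rsa; t=y; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9rulKo58JIb5h+3MMEnYhlnbuVgRoA4w68R/X7qA2Lfv3RpdrrUb+r7KxemIo6PUIOm6uZ5OymhBgpJ0LAWBHBSJjnFmDXNajSgxMOcvkpgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB" ) ; ----- DKIM key mail for example.com'''

def parse_dkim_record(zone_text):
    """Join the quoted strings of a zone-file TXT record and split into tags."""
    value = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (content, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    spki, _ = _tlv(spki_der, 0)             # outer SEQUENCE
    _, after_alg = _tlv(spki, 0)            # AlgorithmIdentifier
    bit_string, _ = _tlv(spki, after_alg)   # BIT STRING
    rsa_key, _ = _tlv(bit_string, 1)        # skip the unused-bits octet
    modulus, _ = _tlv(rsa_key, 0)           # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def audit_record(zone_text):
    """Return (tags, key_bits, findings) for one DKIM key record."""
    tags, findings = parse_dkim_record(zone_text), []
    if tags.get("v") != "DKIM1":
        findings.append("v= is not DKIM1")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode is still set")
    if not tags.get("p"):
        return tags, None, findings + ["p= is empty (key revoked or missing)"]
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < 2048:
        findings.append(f"{bits}-bit RSA key; RFC 8301 recommends 2048 bits")
    return tags, bits, findings

if __name__ == "__main__":
    print(audit_record(ZONE_RECORD))
```

For this page's record the audit reports a 1024-bit key with the testing flag set; opendkim-genkey accepts -b to choose a larger key size, and leaving out -t produces a record without t=y.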

Also, if you want to see whether your DKIM configuration is done properly and working fine, I would suggest you send a mail to a Gmail account, where a padlock is shown that indicates whether or not the mail was encrypted on the sender side.

Many thanks, and welcome to DKIM. In case you face any issue, do not hesitate to drop us a comment and we will get back to you as soon as possible.
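The padlock reflects transport encryption; the DKIM verdict itself is recorded by the receiver in the Authentication-Results header of the delivered message, which Gmail exposes through "Show original". The following added example (not from the original tutorial) checks a saved raw message for a signature made with the expected domain and selector and a dkim=pass result from the receiver; the sample message, host names and function names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: headers as a receiving provider might record them.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@example.com header.s=dkim header.b=AbCdEfGh;
       spf=pass smtp.mailfrom=alice@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=dkim;
        h=from:to:subject:date; bh=constructedBodyHash=; b=constructedSig=
From: alice@example.com
To: bob@receiver.example
Subject: DKIM test

hello
"""

def signature_ids(msg):
    """(d=, s=) of every DKIM-Signature header in the message."""
    ids = []
    for raw in msg.get_all("DKIM-Signature", []):
        d = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(raw))
        s = re.search(r"(?:^|;)\s*s=([^;\s]+)", str(raw))
        ids.append((d and d.group(1), s and s.group(1)))
    return ids

def dkim_verdicts(msg):
    """(result, signing identity, selector) per dkim= entry the receiver wrote."""
    out = []
    for raw in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\bdkim=(\w+)([^;]*)", str(raw)):
            props = dict(re.findall(r"header\.(\w)=(\S+)", m.group(2)))
            out.append((m.group(1), props.get("i") or props.get("d", ""),
                        props.get("s")))
    return out

def in_domain(identity, domain):
    """True if identity (@example.com, user@mail.example.com) is in domain."""
    host = identity.rsplit("@", 1)[-1].lower()
    return host == domain or host.endswith("." + domain)

def signed_and_passed(raw_message, domain, selector):
    """True if the mail carries our signature and the receiver verified it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signed = (domain, selector) in signature_ids(msg)
    passed = any(res == "pass" and in_domain(ident, domain)
                 and sel in (None, selector)
                 for res, ident, sel in dkim_verdicts(msg))
    return signed and passed
```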

 

Troubleshooting link if it won't work with the above basic configuration

Unix/StackExchange