Today we will write a small tutorial on how to implement DomainKeys Identified Mail (DKIM) for the domain
DKIM is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain.[1] It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.

So lets start by installing the necessary tools that will be used in implantation and configurations of the DKIM System.
At this point we are imagining you have a fully running mail server, and what you need is to implement DKIM to sign your outgoing mails from your domain or several domains

apt-get install opendkim opendkim-tools

After the successfull installation of the tools, we will add  postfix user to the opendkim group to have access to opendkim

adduser postfix opendkim

Then edit the dkims configuration files to match our requirements
Edit the following file

vim /etc/opendkim.conf

and make sure the below lines matches the following settings for our domain

# Sign for with key in /etc/mail/dkim.key using 
# selector '2007' (e.g. 
KeyFile /etc/postfix/dkim.key 
Selector dkim 
SOCKET inet:1234@localhost

The last line on the above configurations  “SOCKET inet:1234@localhost should be added to the file /etc/default/opendkim

Edit /etc/default/opendkim and add

SOCKET inet:1234@localhost

at the end of the file write, save and exit the editor

At this point we need to add some lines to postfix file so that it knows there is opendkim installed and use the settings on it for signing of mails

Edit the file /etc/postfix/ and add the below settings at the end of the file

# -------------------------------------- # 
DKIM Integrations with MTA 
# -------------------------------------- 
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2 
milter_protocol = 6 
milter_default_action = accept 
smtpd_milters = unix:var/run/opendkim/opendkim.sock 
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock 

#smtpd_milters = inet:localhost:1234 
#non_smtpd_milters = inet:localhost:1234

Edit the file /etc/postfix/ and append no_milters to the line receive_override_options  this is found mostly if your using content filters on your mailserver and it will look like the below mail

#Mostly this line will be available in the file if your using milters like amavis 
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

After that we are done with the configurations of the openDKIM with postfix, the remaining part is to generate the key and txt file to be included with our domain and dns

Lets Generate the .key and .private files using the opendkim command below

opendkim-genkey -t -s dkim -d 

# to see the files that has been generated from the above command 


You will see two files as shown below

dkim.private  dkim.txt

Move the dkim.private file to /etc/postfix/ and assign it with the appropriate permision as shown below

mv dkim.private /etc/postfix/dkim.key 
chmod 660 /etc/postfix/dkim.key 
chown root:opendkim /etc/postfix/dkim.key

After that, we will need to restart opendkim and postfix service to take effect of the changes we have made

Create the directory and create the file opendkim.sock

mkdir -p /var/spool/postfix/var/run/opendkim 
touch /var/spool/postfix/var/run/opendkim/opendkim.sock 
chmod 774 /var/spool/postfix/var/run/opendkim/opendkim.sock 
chown opendkim:opendkim /var/spool/postfix/var/run/opendkim

Edit /etc/opendkim.conf and add the below line

Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

Edit /etc/default/opendkim  comment the default SOCKET and add the below line


Restart the respective services for the changes to take effect

service opendkim start 
service postfix restart

The two files which were generated above using the opendkim-genkey commands contains the key and txt content which will be add onto our domain dns forward file

Copy the content on the .txt file and login onto your DNS management interface, if your using command prompt or web Control Pannel, Add the information as TXT on the DNS management

dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9rulKo58JIb5h+3MMEnYhlnbuVgRoA4w68R/X7qA2Lfv3RpdrrUb+r7KxemIo6PUIOm6uZ5OymhBgpJ0LAWBHBSJjnFmDXNajSgxMOcvkpgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB" ; ----- DKIM key mail for

Save the changes and give sometimes for the domain changes to take effect on the internet, but still you can try to dig and see what is happennig

dig txt

I hope the above command wont give you a proper feedback, because the domain is just for testing purposes, you can try with a domain that is live like, and see what results your getting,

Also if you want to see if your DKIM configuration is done proper and working on fine, I would suggest you send a mail to a Gmail account where they show a pardlock which indicates if the mail was encrypted of not from the sender side.

Many Many thanks and welcome for DKIMing, incase you face any issue, do not hesitate to drop us a comments and we will revert back to you soonest


Troubleshooting link if it wont work with the above basic configurations