DKIM (DomainKeys Identified Mail) is an email authentication framework: a domain publishes a public key in DNS and digitally signs its outgoing mail on a per-domain basis, so that a receiving server can check that a message really originated from that domain and was not altered in transit. It was created by merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications, and was first defined in RFC 4871 (since obsoleted by RFC 6376).
I previously wrote about setting up DKIM using dkim-milter; dkim-milter has since been deprecated.
Here we will use the OpenDKIM implementation on CentOS; OpenDKIM is a fork of dkim-milter. The opendkim package is provided by the EPEL repository, so enable EPEL first if you have not already, then install it:
yum install opendkim
Generate the Keys
opendkim-genkey -d <domain_name> -s <selector>
opendkim-genkey produces a 1024-bit RSA key by default; add -b 2048 for a key size that meets the current recommendation (RFC 8301). The command writes two files into the current directory:
<selector>.txt - the DNS TXT record containing the public key you publish
<selector>.private - the private key OpenDKIM uses to sign your email
Create a sub directory in /etc/opendkim/keys to store your key; I prefer to use the domain name. Move the private key there and make sure only the opendkim user can read it:
# mkdir -p /etc/opendkim/keys/<domain_name>
# mv <selector>.private /etc/opendkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/opendkim/keys/<domain_name>/<selector>.pem
# chown opendkim:opendkim /etc/opendkim/keys/<domain_name>/<selector>.pem
You need to publish your public key via DNS; receiving mail servers fetch this record to verify your signed email. The contents of <selector>.txt are the record to publish, in zone-file form. For the default selector of example.com it looks like this:
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for example.com
The key shown is the 1024-bit default. A single DNS TXT string is limited to 255 bytes, so the record for a 2048-bit key has to be split into several quoted strings; verifiers concatenate them, so this is harmless as long as your DNS provider accepts the split form.
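Before publishing the record it is worth checking it the way a verifier will read it. The following Python is an added example, not code from the original post or from OpenDKIM: it joins the quoted TXT strings as a resolver would, splits the tag=value list (RFC 6376 section 3.6.1), and decodes p= just far enough to measure the RSA modulus, which is what catches the 1024-bit default. The record it checks is the one printed above; the empty p= (revoked key) input used in the test is constructed. Only the standard library is used.

```python
"""Sanity-check a DKIM key record (the <selector>.txt from opendkim-genkey) before DNS."""
import base64
import re

# The record from the post above, exactly as opendkim-genkey wrote it to default.txt.
PAGE_RECORD = (
    'default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA'
    'DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv'
    'wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z'
    'JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for example.com'
)

MIN_RSA_BITS = 2048                       # RFC 8301: 1024 is the floor, 2048 the recommendation
KNOWN_TAGS = {"v", "h", "k", "n", "p", "s", "t"}   # key record tags defined by RFC 6376
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1


def txt_payload(zone_line: str) -> str:
    """Join the quoted strings of a zone-file TXT record into one payload.

    DNS carries TXT data as one or more strings of at most 255 bytes and a DKIM
    verifier concatenates them, so ( "v=DKIM1; k=rsa; " "p=..." ) is valid.
    The owner name, class and trailing comment outside the quotes are ignored.
    """
    pieces = re.findall(r'"([^"]*)"', zone_line)
    if not pieces:
        raise ValueError("no quoted TXT strings found")
    return "".join(pieces)


def parse_tags(payload: str) -> dict:
    """Split a tag=value list; whitespace inside a value is folding whitespace and is dropped."""
    tags = {}
    for item in payload.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {item!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")   # RFC 6376 forbids repeats
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Size in bits of the modulus inside an RSA SubjectPublicKeyInfo (what p= encodes)."""
    tag, spki, _ = _tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("p= does not decode to a SEQUENCE (not a SubjectPublicKeyInfo)")
    tag, alg, pos = _tlv(spki, 0)                     # AlgorithmIdentifier
    if tag != 0x30 or RSA_ENCRYPTION_OID not in alg:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)                  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("unexpected BIT STRING framing")
    tag, rsa_pub, _ = _tlv(bitstr, 1)                 # skip the unused-bits byte
    tag, modulus, _ = _tlv(rsa_pub, 0)                # INTEGER n (the exponent e follows it)
    if tag != 0x02:
        raise ValueError("RSAPublicKey does not start with the modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_key(record: str) -> dict:
    """Parse a zone line or bare payload and report key size, revocation and oddities."""
    payload = txt_payload(record) if '"' in record else record
    tags = parse_tags(payload)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unknown version {tags['v']!r}")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    ignored = sorted(set(tags) - KNOWN_TAGS)
    if ignored:   # g= was dropped in RFC 6376; anything unrecognised is ignored by verifiers
        findings.append(f"tags verifiers ignore: {', '.join(ignored)}")
    result = {"tags": tags, "revoked": tags["p"] == "", "bits": None, "findings": findings}
    if result["revoked"]:                 # an empty p= publishes 'this key is revoked'
        return result
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"k={tags['k']} is not rsa; modulus check skipped")
        return result
    result["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    if result["bits"] < MIN_RSA_BITS:
        findings.append(f"RSA modulus is only {result['bits']} bits; regenerate with -b 2048 (RFC 8301)")
    return result


if __name__ == "__main__":
    for line in (PAGE_RECORD,):
        report = check_dkim_key(line)
        print(report["bits"], report["findings"])
```

Run it against your own <selector>.txt before adding the record to the zone; after the zone has propagated, `opendkim-testkey -d <domain_name> -s <selector> -vvv` performs the same check from the server's point of view and additionally confirms that the published key matches the private key in your configuration.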
Edit /etc/opendkim.conf: comment out "KeyFile /etc/opendkim/keys/default.private" and uncomment "#KeyTable /etc/opendkim/KeyTable". Also uncomment the SigningTable line, since with a KeyTable it is the SigningTable that decides which sender addresses get signed with which key.
Edit the file /etc/opendkim/KeyTable and add your domain using the following format (one line per key; the first column is the name the SigningTable refers to):
<selector>._domainkey.<domain_name> <domain_name>:<selector>:/etc/opendkim/keys/<domain_name>/<selector>.pem
Add your server's IP addresses to /etc/opendkim/TrustedHosts (127.0.0.1 should already be there). Mail from these hosts is signed; mail from everyone else is only verified.
More advanced configuration options can be set in the file /etc/opendkim.conf
You need to add the following options to the Postfix main.cf file so that it passes mail through the milter:
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Append the OpenDKIM socket to the existing lists if you already have other milters configured. The port must match the Socket setting in /etc/opendkim.conf (the CentOS default is inet:8891@localhost).
Start OpenDKIM and restart Postfix:
# service opendkim start
# service postfix restart
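The steps above touch four files that have to agree with each other (KeyTable, SigningTable, TrustedHosts and opendkim.conf), and a mismatch fails silently: mail simply goes out unsigned. The script below is an added example, not part of the original post or of OpenDKIM: it writes the three tables for one domain and selector, prints the opendkim.conf and main.cf lines to merge, and lints the result. DOMAIN, SELECTOR, SERVER_IP and ROOT are assumptions; ROOT defaults to a scratch directory so the script can be rehearsed as an ordinary user, and on the mail server it is run with ROOT=/ after the private key has been placed as described above.

```shell
#!/bin/sh
# Added example (not from the original post): assemble and lint the OpenDKIM tables for
# one domain/selector. Assumed values below; ROOT=/ on the real server.
set -eu

DOMAIN="${DOMAIN:-example.com}"
SELECTOR="${SELECTOR:-default}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"        # documentation address, replace with your own
ROOT="${ROOT:-$(mktemp -d)}"                # scratch directory unless told otherwise
OD="$ROOT/etc/opendkim"
KEY_PATH="/etc/opendkim/keys/$DOMAIN/$SELECTOR.pem"   # path as opendkim sees it (no ROOT)

write_opendkim_tables() {
    mkdir -p "$OD/keys/$DOMAIN"
    # KeyTable: <key name> <domain>:<selector>:<private key path>. The key name is
    # arbitrary; naming it after the DNS record keeps the two easy to match up.
    printf '%s._domainkey.%s %s:%s:%s\n' \
        "$SELECTOR" "$DOMAIN" "$DOMAIN" "$SELECTOR" "$KEY_PATH" > "$OD/KeyTable"
    # SigningTable: <sender pattern> <key name>. The wildcard only works when the
    # table is loaded with the refile: prefix (see the conf lines below).
    printf '*@%s %s._domainkey.%s\n' "$DOMAIN" "$SELECTOR" "$DOMAIN" > "$OD/SigningTable"
    # TrustedHosts: mail from these hosts is signed; mail from anyone else is verified.
    printf '127.0.0.1\n::1\n%s\n' "$SERVER_IP" > "$OD/TrustedHosts"
}

print_opendkim_conf_lines() {
    # Directives for /etc/opendkim.conf; these replace the single KeyFile line.
    cat <<EOF
Mode sv
Socket inet:8891@localhost
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
EOF
}

print_postfix_main_cf_lines() {
    # Postfix side; append to any existing milter lists rather than replacing them.
    cat <<EOF
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
EOF
}

lint_opendkim_tables() {
    status=0
    # Every SigningTable target must name a KeyTable entry, or that sender goes out unsigned.
    while read -r _pattern keyname; do
        awk -v k="$keyname" '$1 == k { found = 1 } END { exit !found }' "$OD/KeyTable" ||
            { echo "SigningTable refers to $keyname, which is not in KeyTable" >&2; status=1; }
    done < "$OD/SigningTable"
    # Every KeyTable private key must exist and be readable by its owner only (chmod 600).
    while read -r _name spec; do
        path="$ROOT${spec##*:}"
        if [ ! -f "$path" ]; then
            echo "private key $path is missing" >&2; status=1
        elif [ "$(ls -l "$path" | cut -c1-10)" != "-rw-------" ]; then
            echo "private key $path must be mode 600" >&2; status=1
        fi
    done < "$OD/KeyTable"
    return "$status"
}

write_opendkim_tables
echo "OpenDKIM tables written under $OD"
```

Run `lint_opendkim_tables` on the server once the .pem is in place; a non-zero exit tells you which table is inconsistent before you restart Postfix. The refile: prefix matters: a plain file: SigningTable does not expand the `*@example.com` wildcard, and TrustedHosts is listed twice because OpenDKIM uses InternalHosts to decide what to sign and ExternalIgnoreList to decide whose Authentication-Results headers to trust.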
Send an email to email@example.com or firstname.lastname@example.org; you will receive an automated response stating whether your setup is working correctly. If you have a Gmail account you can also send a message to it and open the message details (similar to the picture below); you should see signed-by "your domain" if everything was done correctly. On the server itself, opendkim-testkey -d <domain_name> -s <selector> -vvv confirms that the key published in DNS matches the private key OpenDKIM is signing with.