DKIM is an authentication framework that stores public keys in DNS and digitally signs email on a per-domain basis. It was created by merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications. It is defined in RFC 4871.
We will be using the milter implementation of DKIM, dkim-milter (http://dkim-milter.sf.net), on CentOS 5.3. This howto has been updated to allow for the following.
I provide CentOS RPMs for dkim-milter at http://www.topdog-software.com/oss/, so we will install the latest version.
# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
# rpm --import andrew_topdog-software.com_key.txt
# rpm -Uvh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-2.$(uname -i).rpm
# dkim-genkey -d <domain_name> -s <selector> -t
Replace <domain_name> with the domain you will be signing mail for, and <selector> with a selector name; it can be anything, but must be a single word. The command creates two files: <selector>.private (the private signing key) and <selector>.txt (the DNS record carrying the public key).
Create a subdirectory in /etc/mail/dkim/keys to store your key; I prefer to use the domain name <domain_name> as the subdirectory name.
# mv <selector>.private /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/keys/<domain_name>/<selector>.pem
You need to publish your public key via DNS; receiving servers use this key to verify your signed email. The contents of <selector>.txt is the record you need to add to your zone file. A sample is below (it uses default as the selector and topdog-software.com as the domain_name):
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com
Also add this to your zone file. (This sets your ADSP policy; see http://www.sendmail.org/dkim/wizard for an explanation or refer to the RFC.)
_adsp._domainkey IN TXT "dkim=unknown"
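The record in <selector>.txt can be sanity-checked offline before it goes into the zone. The following is an added example (not part of the original howto and not dkim-milter code) that parses the zone-file line shown above, validates the DKIM tags, decodes p= and reads the RSA modulus size out of the DER structure using only the Python standard library.

```python
import base64
import re
# Zone-file line from <selector>.txt as shown on this page (selector "default", domain topdog-software.com).
ZONE_LINE = 'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com'

def parse_dkim_record(zone_line):  # quoted TXT value of a zone-file line -> {tag: value}
    match = re.search(r'"([^"]*)"', zone_line)
    txt = match.group(1) if match else zone_line
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def _der_len(buf, i):  # DER length field at buf[i] -> (length, index of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    count = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count

def _expect(buf, i, tag):  # check the DER tag at buf[i], then parse its length field
    if buf[i] != tag:
        raise ValueError("unexpected DER tag 0x%02x at offset %d" % (buf[i], i))
    return _der_len(buf, i + 1)

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    _, i = _expect(spki, 0, 0x30)            # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _expect(spki, i, 0x30)      # AlgorithmIdentifier (rsaEncryption), skipped whole
    _, i = _expect(spki, i + alg_len, 0x03)  # BIT STRING wrapping the RSAPublicKey
    if spki[i] != 0:
        raise ValueError("BIT STRING with unused bits is not a valid RSA key")
    _, i = _expect(spki, i + 1, 0x30)        # RSAPublicKey SEQUENCE
    mod_len, i = _expect(spki, i, 0x02)      # modulus INTEGER (may carry a leading 0x00 pad)
    return int.from_bytes(spki[i:i + mod_len], "big").bit_length()

def check_dkim_record(zone_line):  # what to verify before the record goes into the zone
    tags = parse_dkim_record(zone_line)
    report = {
        "version_ok": tags.get("v", "DKIM1") == "DKIM1",      # v= is optional, but must be DKIM1
        "key_type_ok": tags.get("k", "rsa") == "rsa",
        "testing_mode": "y" in tags.get("t", "").split(":"),  # t=y: verifiers treat signatures as test
        "revoked": tags.get("p", "") == "",                   # empty p= revokes the key (RFC 4871)
    }
    if not report["revoked"]:
        spki = base64.b64decode(tags["p"], validate=True)
        report["modulus_bits"] = rsa_modulus_bits(spki)
    return report
```

For the sample record above it reports a 1024-bit rsa key that is neither in testing mode nor revoked.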
Add the signing entries to the dkim-milter key list, one per line; the first entry signs all mail from the domain, the second form signs only mail from one user:
*@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>.pem
#sign only for andrew
andrew@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>.pem
You need to add the following options to the Postfix main.cf file to enable it to use the milter.
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
Append the dkim-milter options to the existing milters if you have other milters already configured.
Start dkim-milter and restart Postfix:
# service dkim-milter start
# service postfix restart
Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com; you will receive a response stating whether your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details (similar to the picture below); you should see signed-by "your domain" if your setup was done correctly.
Updated RPMs are always provided at http://www.topdog-software.com/oss/dkim-milter/