
Introduction to DKIM
You’re wondering how DKIM works? DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages' content is trustworthy, meaning that they weren't changed from the moment a message left the initial mail server. This additional layer of trust ability is achieved by an implementation of the standard public/private key signing process. Once again, the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key.
- when sending an outgoing message, the last server within the domain infrastructure checks against its internal settings if the domain used in the "From:" header is included in its "signing table". If not, the process stops here
- a new header, called "DKIM-Signature", is added to the mail message by using the private part of the key on the message content
- from here on the message main content cannot be modified otherwise the DKIM header won't match anymore
- upon reception, the receiving server will make a TXT DNS query to retrieve the key used in the DKIM-Signature field
- the DKIM header check result can be then used when deciding if a message is fraudulent or trustworthy
It works similarly to a SSL certificate. Within the server configuration, a private key is generated, which marks all outgoing email, while a public key is written in the domain DNS zone as a TXT, which deciphers the signature.
Update System
First things first. Like always, first of all, we recommend updating your server. Also, make sure you’re in a screen session:
screen -U -S opendkim-screen
yum update -y
Enabling EPEL Repository
OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKI:
Installing OpenDKIM
Install the package using yum:
OpenDKIM configuration
The next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup:
cp /etc/opendkim.conf{,.orig}
nano /etc/opendkim.conf
and add/edit the following:
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Setting Up Public/Private Keys
Generate a set of keys for your "your_domain.com" domain name:
mkdir /etc/opendkim/keys/your_domain.com
opendkim-genkey -D /etc/opendkim/keys/your_domain.com/ -d your_domain.com -s default
chown -R opendkim: /etc/opendkim/keys/your_domain.com
mv /etc/opendkim/keys/your_domain.com/default.private /etc/opendkim/keys/your_domain.com/default
add your_domain.com to OpenDKIM’s key table:
nano /etc/opendkim/KeyTable
by adding the following record:
default._domainkey.your_domain.com your_domain.com:default:/etc/opendkim/keys/your_domain.com/default
next, edit /etc/opendkim/SigningTable:
nano /etc/opendkim/SigningTable
and add the following record to OpenDKIM’s signing table:
*@your_domain.com default._domainkey.your_domain.com
and in /etc/opendkim/TrustedHosts:
nano /etc/opendkim/TrustedHosts
add your domain and your hostname as trusted hosts:
127.0.0.1
your_domain.com
your_servers_hostname.com
Adding the Public Key to The Domain's DNS Records
Next up is the DNS record setup. How you do this is again completely dependent on how you manage DNS or how it is managed for you - everyone's tools are different. Note that some registrars do not let you create raw TXT records with specific subdomains, which will prevent you from creating DKIM TXT records. If this is the case, then you will have to transfer your domain to a real registrar that lets you play with all the toys. Or you can simply use our DNS management system!
You can find information about your public key in /etc/opendkim/keys/your_domain.com/default.txt file:
cat /etc/opendkim/keys/your_domain.com/default.txt
Here is how it looks on our DNS management system:

If Using Postfix
In order to integrate OpenDKIM with Postfix we need to add the following few lines:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
in /etc/postfix/main.cf:
nano /etc/postfix/main.cf
Next is adding OpenDKIM to your system’s start-up and start opendkim and restart Postfix using the following commands:
service opendkim start
chkconfig opendkim on
service postfix restart
If Using EXIM
Set-up Exim to use OpenDKIM for signing the emails by editing /etc/exim/exim.conf:
and adding the following to the remote_smtp transport:
remote_smtp:
driver = smtp
dkim_domain = $sender_address_domain
dkim_selector = default
dkim_private_key = ${if exists{/etc/opendkim/keys/$sender_address_domain/default}{/etc/opendkim/keys/$sender_address_domain/default}{0}}
dkim_canon = relaxed
dkim_strict = 0
restart Exim and Opendkim for the changes to take effect using:
service opendkim start
chkconfig opendkim on
service exim restart
Testing
First of all, give the DNS changes a chance to propagate before using them. The decent testing service is Mail Tester.
Now you have all the required information to know how and why setup DKIM. Keep your inbox clean and safe!