====== opendkim ======
* [[Mail Servers]]
* [[postfix]]
OpenDKIM signs outgoing email on your SMTP server with a private key; the matching public key is published as a DNS TXT record so that receiving servers can verify the signature.
The selector used here, ''nx'', corresponds to a TXT record named ''nx._domainkey'' on ''beandog.org''. The value of that record is the public key.
A sample ''opendkim.conf'':
<code>
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain beandog.org
Selector nx
KeyFile /etc/opendkim/beandog.org.private
Socket inet:8891@localhost
ReportAddress postmaster@beandog.org
SendReports yes
PidFile /run/opendkim/opendkim.pid
UserID milter
Statistics /var/lib/opendkim/stats.dat
</code>
Set the owner of the private key to ''milter'', with permissions that make it readable only by that user (0600).
Start the opendkim service, and configure Postfix to pass mail through the milter:
<code>
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
</code>
Outgoing email will then be signed. Set up the DNS TXT record so that receivers can verify the signatures against the public key.
==== Multiple Domains ====
OpenDKIM can sign for multiple domains at once. Instead of setting ''Domain'', ''Selector'', and ''KeyFile'' for a single domain, the same information is placed in tables, one entry per domain.
Create a KeyTable with this format:
<code>
key-name domain-name:domain-selector:/location/to/domain-keyfile
</code>
The ''key-name'' is an identifier and can be whatever you'd like; in this case I'm using ''rsa-beandog''. Using the same configuration from above, the entry looks like this:
<code>
rsa-beandog beandog.org:nx:/etc/opendkim/beandog.org.private
</code>
Save the contents to a file, and reference it in ''opendkim.conf'':
<code>
KeyTable /etc/opendkim/keytable
</code>
**Note:** You can still have ''Domain'', ''Selector'' and ''KeyFile'' entries in ''opendkim.conf'' if you'd like, for whatever reason -- adding a ''KeyTable'' will simply override it.
Next, create a signing table that maps senders to keys. Each entry is an email address or domain pattern followed by the ''key-name'' from the KeyTable to sign with.
This example signs every email from beandog.org with the ''rsa-beandog'' entry from the KeyTable above:
<code>
*@beandog.org rsa-beandog
</code>
Since the entry contains a wildcard, prefix the ''SigningTable'' value with ''refile'' (regular expression file) followed by the location of the signing table. In ''opendkim.conf'':
<code>
SigningTable refile:/etc/opendkim/signingtable
</code>
Restart opendkim, and send some emails. With logging enabled (see below), the temporary directory will contain both the DKIM header added to the email and the contents of the message.
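To check that a KeyTable and SigningTable agree before restarting the milter, the following added example (not part of this page or of OpenDKIM itself) parses both tables with the entries shown above and resolves, for a given sender address, which key would be used and which DNS record (''selector._domainkey.domain'') must hold the public key. The ''refile'' wildcard handling is modelled here as ''*'' matching any text and everything else literal, which is an assumption about OpenDKIM's behaviour, not code taken from it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample tables, using the entries shown on this page.
KEYTABLE = """
# key-name  domain:selector:/path/to/private-key
rsa-beandog beandog.org:nx:/etc/opendkim/beandog.org.private
"""
SIGNINGTABLE = """
# pattern       key-name   (refile: '*' is the wildcard)
*@beandog.org   rsa-beandog
"""

def parse_keytable(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map key-name -> (domain, selector, keyfile); blanks and '#' comments skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.strip().split(":", 2)
        table[name] = (domain, selector, keyfile)
    return table

def parse_signingtable(text: str) -> List[Tuple[re.Pattern, str]]:
    """Return (compiled pattern, key-name) pairs in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, keyname = line.split(None, 1)
        # refile semantics as modelled here: '*' matches anything, the rest is literal.
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        rules.append((re.compile(regex, re.IGNORECASE), keyname.strip()))
    return rules

def signing_key_for(sender: str, keytable, rules) -> Optional[dict]:
    """Resolve which KeyTable entry signs mail from `sender`, or None if unsigned."""
    for pattern, keyname in rules:
        if not pattern.match(sender):
            continue
        if keyname not in keytable:  # dangling reference: nothing would be signed
            raise KeyError(f"SigningTable refers to unknown KeyTable entry {keyname!r}")
        domain, selector, keyfile = keytable[keyname]
        return {"key": keyname, "domain": domain, "selector": selector,
                "keyfile": keyfile, "dns_name": f"{selector}._domainkey.{domain}"}
    return None
```

A sender that matches no SigningTable pattern returns ''None'', which is exactly the case where mail leaves unsigned.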
==== Logging ====
If debugging, you can turn on lots of logging to see what is happening. Add to ''opendkim.conf'':
<code>
KeepTemporaryFiles yes
LogResults yes
LogWhy yes
</code>
If you want the temporary files written to a specific directory, use ''TemporaryDirectory''.