OpenDKIM can sign outgoing email from your SMTP server so that receivers can check the signature against the DKIM public key published in a DNS TXT record.

The selector here, nx, would match a TXT record of nx._domainkey. on The value of the record would be the public key.

A sample opendkim.conf:

Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
Selector                nx
KeyFile                 /etc/opendkim/
Socket                  inet:[email protected]
ReportAddress           [email protected]
SendReports             yes
PidFile /run/opendkim/
UserID milter
Statistics /var/lib/opendkim/stats.dat

Set the owner of the private key to milter (the UserID above), and restrict its permissions to that user only (0600), so that no other local account can read the signing key.

Start the opendkim service, and configure Postfix to use it:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Outgoing email will then be signed. Set up the DNS records so that receivers can use the signature for source verification.

Multiple Domains

OpenDKIM can sign for multiple domains at once. Instead of setting Domain, Selector, and KeyFile for a single domain, you add those values to tables, with one entry per domain.

Create a KeyTable with this format:

key-name                domain-name:domain-selector:/location/to/domain-keyfile

The key-name is an identifier and can be whatever you'd like; in this case, I'm using rsa-beandog. Using the same configuration from above, here's what the entry would look like:


Save the contents to a file, and reference it in opendkim.conf:

KeyTable                /etc/opendkim/keytable

Note: You can still have Domain, Selector and KeyFile entries in opendkim.conf if you'd like, for whatever reason. Adding a KeyTable will simply override them.

Next, create a signing table that maps which senders are signed with which key. Each line holds the email address or domain name (etc.) followed by the key-name of the key you'd like to sign with.

An example here would sign every email from with the rsa-beandog entry from the keytable above:

*           rsa-beandog

Since the entry has regular expressions in it, we'll add refile (regular expression file) as a prefix to the file location given to SigningTable. In opendkim.conf:

SigningTable             refile:/etc/opendkim/signingtable
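Before restarting, the KeyTable, the SigningTable and the key-file permissions described above can be cross-checked. The following is an added example, not part of the original page or of OpenDKIM; the function names, example.com, the file names and the handling of # comment lines are assumptions made for illustration.

```python
import os
import stat
import tempfile


def parse_table(text):
    """Split a table into (first column, rest) pairs, skipping blanks and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            left, right = line.split(None, 1)  # a one-column line raises ValueError
            rows.append((left, right.strip()))
    return rows


def audit(keytable, signingtable, owner_uid):
    """Return (problems, keys); keys maps key-name to the TXT record name it needs."""
    problems, keys = [], {}
    for name, value in parse_table(keytable):
        domain, selector, path = value.split(":", 2)
        keys[name] = f"{selector}._domainkey.{domain}"  # record holding the public key
        try:
            st = os.stat(path)
        except OSError:
            problems.append(f"{name}: key file {path} is missing")
            continue
        if stat.S_IMODE(st.st_mode) & 0o077:  # any group/other bit set
            problems.append(f"{name}: {path} is accessible to group/other")
        if st.st_uid != owner_uid:
            problems.append(f"{name}: {path} is not owned by uid {owner_uid}")
    for pattern, name in parse_table(signingtable):
        if name not in keys:
            problems.append(f"signing table: {pattern} uses unknown key {name}")
    return problems, keys


if __name__ == "__main__":
    # Constructed sample: example.com and the key file names are placeholders.
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "nx.private"), os.path.join(d, "old.private")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            open(path, "w").close()
            os.chmod(path, mode)
        keytable = (f"rsa-beandog example.com:nx:{good}\n"
                    f"rsa-old     example.com:old:{bad}\n")
        signingtable = "*@example.com rsa-beandog\n*@example.org rsa-missing\n"
        problems, keys = audit(keytable, signingtable, os.getuid())
        print(keys)
        print("\n".join(problems))
```

On a real host, pass the uid of the milter user as owner_uid and the contents of the two table files as text.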

Restart opendkim, and send some emails. With logging enabled, you will see in the temporary directory both the header added to the email and the contents of the message.


If debugging, you can turn on lots of logging to see what is happening. Add to opendkim.conf:

KeepTemporaryFiles      yes
LogResults              yes
LogWhy                  yes

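To use a particular directory, set TemporaryDirectory. Because the temporary files contain message contents, turn KeepTemporaryFiles off again once debugging is finished.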