Table of Contents

opendkim

opendkim can sign outgoing email with your SMTP server to match DNS TXT DKIM records.

The selector here, nx would match a TXT record of nx._domainkey. on beandog.org. The value of the record would be the public key.

A sample opendkim.conf:

Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
Domain                  beandog.org
Selector                nx
KeyFile                 /etc/opendkim/beandog.org.private
Socket                  inet:[email protected]
ReportAddress           [email protected]
SendReports             yes
PidFile /run/opendkim/opendkim.pid
UserID milter
Statistics /var/lib/opendkim/stats.dat

Set the owner of the private key to milter, and permissions to read-only for user (0600).

Start the opendkim service, and configure Postfix to use it:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Outgoing email is then going to be signed. Setup the DNS records to use it for source verification.

Multiple Domains

OpenDKIM can sign for multiple domains at once. Instead of using Domain, Selector, and KeyFile for one domain, they are added to tables instead, one per domain.

Create a KeyTable with this format:

key-name                domain-name:domain-selector:/location/to/domain-keyfile

The key-name is an identifier, and can be whatever you'd like, in this case, I'm using rsa-beandog. Using the same configuration from above, here's what the entry would look like:

rsa-beandog             beandog.org:nx:/etc/opendkim/beandog.org.private

Save the contents to a file, and reference it in opendkim.conf:

KeyTable                /etc/opendkim/keytable

Note: You can still have Domain, Selector and KeyFile entries in opendkim.conf if you'd like, for whatever reason – adding a KeyTable will simply override it.

Next, create a signing table, that maps what domains to sign what key with. The contents are the email address or domain name (etc.) and what key you'd like to sign with.

An example here would sign every email from beandog.org with the rsa-beandog entry from the keytable above:

*@beandog.org           rsa-beandog

Since the entry has regular expressions in it, we'll add refile (regular expression file) as a prefix to SingingTable and the file location of the signing contents. In opendkim.conf:

SigningTable             refile:/etc/opendkim/signingtable

Restart opendkim, and send some emails. With logging enabled, in the temporary directory, you will see both the header added to the email, plus the contents of the message.

Logging

If debugging, you can turn on lots of logging to see what is happening. Add to opendkim.conf:

KeepTemporaryFiles      yes
LogResults              yes
LogWhy                  yes

If you want to specify a specific directory, use TemporaryDirectory.