DKIM installation on Debian

 

This is a quick and fairly painless way of setting up DKIM on a Postfix server. DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, allowing a person, role, or organization to claim some responsibility for the message and helping receivers verify that your mail is legitimate. This will help keep your email from being flagged as spam or fraud, especially if you send bulk or important email.

This tutorial is written for Debian, so if you are using CentOS the paths to some files may differ, for example under an /etc/mail prefix or similar.

First, install dkim-filter

Debian based

apt-get install dkim-filter

Redhat Based

Enable EPEL

yum install dkim-milter

Set up a domain key for a domain. Feel free to set up a few of these if needed.

DKIMDOMAIN=yourdomain.com
mkdir -p /etc/dkim/keys/$DKIMDOMAIN
cd /etc/dkim/keys/$DKIMDOMAIN
dkim-genkey -r -d $DKIMDOMAIN

If you want an easy web-based way, check out http://www.socketlabs.com/services/dkwiz which also gives you the DNS records.

Create a file /etc/dkim-keys.conf and insert into it a line like this (replacing 'domain.com' with your own domain)

*@domain.com:domain.com:/etc/dkim/keys/domain.com/default.private

If you have problems, rename the default.private to just 'default' and use the website mentioned above to generate the keys. I found occasionally the command line generation failed on some distros.

If you used the command line, check the file at /etc/dkim/keys/yourdomain/default.txt, which will have something like this

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0frgfrefgrweferNYlS+8jyrbAxNsghsPrWYgOQQWI0Ab4e9MT" ; ----- DKIM default for yourdomain.com

Yours should be much longer; this was snipped for brevity. You need to add the TXT record default._domainkey with the key between the quotes. If you are using standard BIND, you can copy/paste that into the named file.

NOTE: Newer versions use default.private._domainkey

Another TXT record worth adding is

_domainkey IN TXT "t=y;o=~;"

Now look for and edit your /etc/dkim-filter.conf (Debian based distros may have this in /etc/dkim/dkim-filter.conf ).
You need to have 2 lines like this

KeyList /etc/dkim-keys.conf
Socket inet:8891@localhost

If you use Debian, you also need to edit /etc/default/dkim-filter and set the socket in there as SOCKET="inet:8891@localhost"

Then restart the DKIM filter

/etc/init.d/dkim-filter restart

Now add the following to the Postfix config. This goes into main.cf (/etc/postfix/main.cf).

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Then of course reload Postfix

postfix reload

This should now sign outgoing email with the domain key. It pays to use this webpage to check that things are working: http://www.brandonchecketts.com/emailtest.php .
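
A check worth running before testing delivery, as an added example that is not part of the original post: the script below reads a KeyList file in the format shown above, prints the DNS name where each entry's TXT record is expected, and flags key files that are missing, not PEM private keys, or accessible to group/other. It assumes the filter takes the selector from the key file's name (which is what the NOTE about default.private._domainkey suggests); check_keylist and demo are hypothetical names, and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): lint a dkim-filter KeyList file.
# Assumption: the selector is the file name of keypath, so the TXT record
# belongs at <file name>._domainkey.<domain>.

# check_keylist FILE: one line per entry; returns 0 only if every entry is OK
check_keylist() {
    keylist=$1; status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # blank or comment (assumed)
        # Split sender-pattern:signing-domain:keypath on the first two colons
        pattern=${line%%:*}; rest=${line#*:}
        domain=${rest%%:*}; keypath=${rest#*:}
        if [ "$rest" = "$line" ] || [ "$keypath" = "$rest" ] || [ -z "$domain" ]; then
            echo "BAD  malformed entry: $line"; status=1; continue
        fi
        record="${keypath##*/}._domainkey.$domain"
        if [ ! -f "$keypath" ]; then
            echo "BAD  $record: key file missing: $keypath"; status=1
        elif [ "$(ls -ldL "$keypath" | cut -c5-10)" != "------" ]; then
            echo "BAD  $record: key accessible to group/other: $keypath"; status=1
        elif ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$keypath"; then
            echo "BAD  $record: not a PEM private key: $keypath"; status=1
        else
            echo "OK   $record signs mail from $pattern"
        fi
    done < "$keylist"
    return "$status"
}

# Constructed sample: a 0600 key named 'default' and a 0644 'default.private'
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$d/default"
    cp "$d/default" "$d/default.private"
    chmod 600 "$d/default"; chmod 644 "$d/default.private"
    printf '%s\n' "*@example.com:example.com:$d/default" \
        "*@example.org:example.org:$d/default.private" > "$d/keys.conf"
    rc=0; check_keylist "$d/keys.conf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "demo: at least one entry needs fixing"
```

To lint the real file, call check_keylist /etc/dkim-keys.conf as root or as the user the filter runs as.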

Resources:

http://protodave.com/security/checking-your-dkim-dns-record/

http://www.port25.com/support/domainkeysdkim-wizard/

http://blogs.cisco.com/security/common_errors_causing_dkim_verification_failures/

http://blog.rimuhosting.com/2012/05/17/setting-up-domains-keys-dkim-on-postfix/

http://www.brandonchecketts.com/emailtest.php?email=UZgMB0ZNwZ%40www.brandonchecketts.com
