DKIM Configuration in Postfix

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. DKIM adds a header to each mail as it is sent, and it works together with the DNS server. It gives emails a high ham rate.

The organization's reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. DKIM provides email security.

DKIM and SPF work together to provide better email security. This document covers only the DKIM configuration.




Make sure that you have a working email server using Postfix as the MTA (Mail Transfer Agent). Here I’ve used the Kolab mail server.

Log in to the mail server using ssh.

Before starting the installation, a system update is recommended:
sudo apt-get update
sudo apt-get dist-upgrade

Install OpenDKIM and its dependencies:
sudo apt-get install opendkim opendkim-tools

Configure OpenDKIM
vi /etc/opendkim.conf

Append the following lines to the end of the conf file:
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost

Connect the milter to Postfix:
vi /etc/default/opendkim
Add the following line

Configure postfix to use this milter:
vi /etc/postfix/

Make sure that these two lines are present in the Postfix config file and are not commented out:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301

Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys:
mkdir /etc/opendkim
mkdir /etc/opendkim/keys

Specify trusted hosts:
vi /etc/opendkim/TrustedHosts

Customize and add the following lines to the newly created file. Multiple domains can be specified; do not edit the first three lines:


Create a key table:

vi /etc/opendkim/KeyTable
Note: No need to change mail selector even though the hostname is

Create a signing table:
vi /etc/opendkim/SigningTable
Generate the public and private keys
Change to the keys directory:

cd /etc/opendkim/keys
Create a separate folder for the domain to hold the keys:

Generate the keys:
sudo opendkim-genkey -s mail -d

Change the owner of the private key to opendkim:
sudo chown opendkim:opendkim mail.private

Add the public key to the domain’s DNS records
vi mail.txt

DNS Configuration

Log in to GoDaddy or the hosting website where the domain is hosted and add the TXT record.
Copy the key from mail.txt and add it as a TXT record in your domain’s DNS entries:


Note: While adding the DNS TXT record, remove the quotation marks (") before and after v=DKIM and p=SBVDSHBFDSBFKJDSN CNSDJCNFIN3R32E4324
The DKIM configuration is now complete.
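
The note above about removing the quotation marks can be checked before pasting. The sh functions below are an added example, not part of the original post: they join the quoted chunks of mail.txt into the single value for the DNS form and reject values that still carry quotes or stray characters. The sample record is constructed (its layout is assumed to match what opendkim-genkey writes; the key and example.com are placeholders), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of mail.txt; the p= value is a placeholder, not a real key,
# and example.com is a placeholder domain.
sample_record() {
cat <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=PLACEHOLDERAAAA"
      "BBBBCCCC" )  ; ----- DKIM key mail for example.com
EOF
}

# Print the record name (selector._domainkey) from the first line.
dkim_txt_name() {
    awk 'NR == 1 { print $1 }'
}

# Join every double-quoted chunk, in order, into one unquoted string.
# Splitting on '"' puts the quoted chunks in the even-numbered fields.
dkim_txt_value() {
    awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i }'
}

# Return 0 only if the value is fit to paste into a DNS web form.
dkim_txt_check() {
    case "$1" in
        *'"'*) echo "value still contains quotation marks" >&2; return 1 ;;
    esac
    case "$1" in
        'v=DKIM1;'*) ;;
        *) echo "value must start with v=DKIM1;" >&2; return 1 ;;
    esac
    # Pull out the p= tag; an empty p= means a revoked key (RFC 6376).
    key=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^ *p=//p')
    [ -n "$key" ] || { echo "p= tag is missing or empty" >&2; return 1; }
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "p= holds non-base64 characters" >&2; return 1 ;;
    esac
    return 0
}

value=$(sample_record | dkim_txt_value)
dkim_txt_check "$value" && printf '%s\t%s\n' "$(sample_record | dkim_txt_name)" "$value"
```

On the server, feed the real file instead of the sample: dkim_txt_value < mail.txt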

How to verify DKIM on Postfix

Send a mail to and a reply will be received. If everything works correctly you should see DKIM check: pass under Summary of Results.
Summary of Results
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

Alternative way:
Go to the website and send a mail to the mail ID that is displayed on the website. Click submit; the message header will then show DKIM=pass.


Prabhin Prabharkaran Administrator
DevOps Engineer

He is a Technical professional. He is a person who loves to share tricks and tips on the Internet. He Posts what he does!


1 Response

  1. gregB says:

    for the record, you might need
    $signed_header_fields{'received'} = 0;
    in amavis conf, otherwise signing fails.
