Quick And Easy Setup For DomainKeys Using Ubuntu, Postfix And Dkim-Filter

Want to support HowtoForge? Become a subscriber!
Submitted by johnwilson1969 (Contact Author) (Forums) on Mon, 2009-01-05 14:09. :: Ubuntu | Postfix

Quick And Easy Setup For DomainKeys Using Ubuntu, Postfix And Dkim-Filter

This is a quick tutorial for setting up DomainKeys on Ubuntu (I used 6.06LTS - but should work the same on others) using dkim-filter with Postfix so emails from your domain will not constantly end up in Yahoo's spam filter.

First install dkim-filter from the respositories:

sudo apt-get install dkim-filter

Next create a location for storing the public and private keys required:

sudo mkdir /var/dkim-filter

Enter into that directory and create keys:

cd /var/dkim-filter

sudo openssl genrsa -out private.key 1024

sudo openssl rsa -in private.key -out public.key -pubout -outform PEM

Edit dkim-filter configuration file, almost everything is commented out by default. Here is a copy of my config. Replace DOMAIN.TLD with your domain name.

# Log to syslog
  Syslog			yes
  # Required to use local socket with MTAs that access the socket as a non-
  # privileged user (e.g. Postfix)
#UMask			002

# Sign for example.com with key in /etc/mail/dkim.key using
  # selector '2007' (e.g. 2007._domainkey.example.com)
  Domain	DOMAIN.TLD		
  KeyFile		/var/dkim-filter/private.key
  Selector		mail 

# Common settings. See dkim-filter.conf(5) for more information.
  AutoRestart		no
  Background		yes
  Canonicalization	simple
  DNSTimeout		5
  Mode			sv
  SignatureAlgorithm	rsa-sha256
  SubDomains		no
  UseSSPDeny		no
  X-Header		no

At this point you should be able to successfully start the service and check for any errors in the syslog.

sudo /etc/init.d/dkim-filter start

Now add the selector and public key info into your DNS zone file. Change the DOMAIN.TLD to match your domain name, and add the key contents from: /var/dkim-filter/public.key after the p=

Make sure there are no spaces or line breaks!


mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"

Edit  the Postfix configuration file...

sudo vi /etc/postfix/main.cf

... and add the following to the bottom of the file:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Next restart BIND and Postfix:

sudo /etc/init.d/bind9 restart

sudo /etc/init.d/postfix restart

Test by sending a mail to a Yahoo account, check the header for DomainKeys status.

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Pety (not registered) on Thu, 2010-12-09 09:52.

I have instaled ispconfig 3 with postfix and squirrelmail. I have tried to implement domain-keys, but is not working properly. First of all I think the problem is from my 'txt record'.

My error log shows me:

last message repeated 3 times

imapd: Error reading ACLs for : Invalid argument


And my emails are still unsigned! 

Can someone help me pls!

Submitted by iamdecal (registered user) on Tue, 2010-10-05 13:13.

my postfix logs show

Oct  5 12:57:29 drop dkim-filter[24850]: 72FDF1070EB6: no signature data 

i suspect this may be because i'm not using the selectors correctly in this instance

from the tutorial

# selector '2007' (e.g. 2007._domainkey.example.com)

I have the DOMAIN.TLD

we send mail using the subdomain MAIL.DOMAIN.TLD

the machine name is BOX1.DOMAIN.TLD or BOX2.DOMAIN.TLD depending on what's being sent

which of these do i put in the selector?

likewise which to i put in my dns file (tinydns if that matters)

Submitted by nima0102 (not registered) on Mon, 2009-06-29 21:59.
thanks for good article I have configured the same as this article,but in /var/log/mail.log, warning is logged : "postfix/cleanup[22889]: warning: connect to Milter service inet:localhost:8891: Connection refused" but i do not know about this issue. thanks for any help or guidance
Submitted by Julien (not registered) on Fri, 2009-07-17 17:42.

Be sure you change /etc/default/dkim-filter so that dkim-filter uses TCP and not a local socket



Submitted by Anonymous (not registered) on Fri, 2010-12-03 01:39.

So how would you change to a tcp from a local socket.

use inet:8891@tcp ??

sorry i'm a newbie... and have followed only this tutorial even though i have read many.

Now i can't even recieve emails in my thunderbird client from the mail server, Looks like my smtp settings are messed up with this domain key verification.

Submitted by rieschl (registered user) on Fri, 2009-06-26 11:34.

After testing, the "t=y" flag in the DNS entry should be removed because this flag indicates that the DKIM implementation is for testing purposes.

See page 27 of RFC 4871

Submitted by Vlad (not registered) on Sun, 2009-03-01 10:06.

I followed exactly your steps but this is the error I encountered:

Mar  1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Mar  1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: read error in initial handshake

On the other hand I have dk-filter running perfectly on 8892.

Can you give me some advice? Thank you in advance...

Submitted by Anonymous (not registered) on Tue, 2009-03-24 22:04.

I just ran through this with ubuntu 8.04 perfect server w/ispconfig 2 installed and it went smoothly.

double check /etc/dkim-filter.conf and make sure you have domain and selector uncommented and set correctly...

also, your DNS zone file edit is a little confusing

mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"

so, if your domain is friskycritters.org the line would read:

mail._domainkey.friskycritters.org. IN TXT ....

ALSO.... make sure when you paste your public key, you remove all line breaks so it fits all on one line and ends with a quote "

Hope this helps


Submitted by djmixx07 (not registered) on Wed, 2010-06-16 08:20.

Hi, I'm just starting to learn with this kind of stuff. I'm lost at this part saying that I need to edit my DNS zone file. DNS zone file? Where can I find this file to edit so I can add " mail._domainkey.DOMAIN.TLD. IN TXT.. ". Please help because I'm getting "warning: connect to Milter service inet:localhost:8891: Connection refused" in my mail log.


Submitted by Anonymous (not registered) on Sat, 2009-03-21 03:43.
Hi, do you have a solution. I'm facing the exact same problem :?
Submitted by Sven Andreassen (not registered) on Thu, 2010-06-03 14:58.

For those of you who reached this far in trying to resolve this problem. You might want to check this one out:


 For some reason dkim-filter uses TCP for dns queries..

 At least it solved my problem.

 Regards, Sven