Set Up Postfix DKIM With dkim-milter

This howto has been superseded by


DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

We will be using the milter implementation of dkim on CentOS 5.1



Install the rpm, ignore dependencies as csh is a dependency but it does not affect dkim-milter; it's only required for some sample scripts that are shipped with the rpm.

rpm -Uvh --nodeps
mkdir /etc/dkim-milter
chown dkim-milt.dkim-milt /etc/dkim-milter
chmod 700 /etc/dkim-milter
chgrp postfix /var/run/dkim-milter
chmod 770 /var/run/dkim-milter


Generate The Keys

Download this script that you can use to easily generate the keys for signing the mail:

./ -d <domainname>

Replace <domainname> with the domain name you will be signing mail for. This will create two files default.txt and default.private, default.txt is the line you need to add to your zone file - a sample is below:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB"
; ----- DKIM default for

default.private contains your private key. Move this file into /etc/dkim-milter and rename it <domainname>_default.key.pem:

mv default.private /etc/dkim-milter/<domainname>_default.key.pem

Edit the file /etc/sysconfig/dkim-milter and set the variables:

EXTRA_ARGS="-h -l -D"


Init Script Fix

Install my modified init script as the one that is supplied with the rpm has a bug.

wget -O /etc/init.d/dkim-milter
chkconfig --level 345 dkim-milter on
service dkim-milter start


Configure Postfix

Add this to the postfix configuration file /etc/postfix/

smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock

Append to the existing milters if you have other milters already configured.

Start dkim-milter and restart Postfix:

 service dkim-milter start

service postfix restart



Send a message to [email protected]; the system will return a response to let you know if DKIM is working. Examine the headers of mails from domains like gmail to see if your system is checking the DKIM signatures of inbound mail.

DKIM mail in Gmail

Share this page:

Suggested articles

14 Comment(s)

Add comment


By: Acorp

Everybody probably already knows this, but the options are missing on the RPM line above in the "installation" section. It should be (at least for my CentOS 5.2 installation):

rpm -Uvh --nodeps

 instead of:

rpm --nodeps

- Paul Rupp, Acorp Computers [Brookings, South Dakota]

By: Victor

Hi all,

I already followed the guidelines, everything seemed fine. However, when I sent an email to a yahoo email address, we could not pass the domain authorization check and find the signature as well.

In addition, we also found that there was no any domain signature header to be appended in an email when we sent it to yahoo.

Do any linux expert know the reason? this problem really annoys us and we are very frustrated now. Please help !!!

By: Mr Yusufu

I have set it up too and everything seems to work fine until I send a mail to yahoo and get no verification.

I proceed to check the headers and I see the following lines.

I believe there are some tags missing.

 There are no errors posted in my /etc/postfix/maillog

 X-DKIM: Sendmail DKIM Filter v2.2.1 <server hostname> 36C1921CA17
Message-ID: <[email protected]>

 What do I need to check for the full dkim tags to be appended to the messages?


Yahoo still uses domainkeys not DKIM

By: jnixus

Hi topdog, what are you basing that theory on? I do DKIM checks all the time on yahoo. An to be honest, yahoo is one of the few that leads on the DKIM front.

 Tell us more please.


Yes thats what you do for multiple domains, they need to use the same key though.

By: Tanczos Andras

I've made some minor changes to your init script to work with multiple domains:

> PORTS=()
>   PORTS[${NUM}]="$LPORT"
<               if [[ ! -z $(echo $PORT |grep "local") && $RETVAL -eq 0  ]]; then
<                         TPORT=$(echo $PORT | sed -e "s/local://")
>               if [[ ! -z $(echo ${PORTS[$i]} |grep "local") && $RETVAL -eq 0  ]]; then
>                         TPORT=$(echo ${PORTS[$i]} | sed -e "s/local://")

By: rs87

Hi Andras

I tried to setup this. But it seems that doesn´t work. What must I write in my /etc/sysconfig/dkim-milter to use it with multiple domains


Like this?



This howto is dated, if you want flexibility with multiple domains just grab my newer rpm's at


Thanks for this. It's a good intro to getting DKIM up and running but it lacks some functionality, particularly multiple domains / keys (keylist). For production use you'd be better of building from source (you'll need dev packages for sendmail and openssl) or just grab the Fedora 10 dkim-milter rpm and hack that its worth the effort.


post you message headers lets see may be they have changed, as far as i know google was leading with DKIM adoption.

By: Anonymous

Hi everyone,

I recently went through the updated tutorial ( and had some issues getting my dkim to work. My outbound mail would contain the signature, but when I ran the email tests they would fail. I found out that I had not formatted my txt dns entry correctly (I use network solutions and had to enter it in 2 parts using their ADNS manager).

Per some of the dkim documentation (, if you have s=selector.pem and d=something.tld tags in your signature (which after following the tutorial, I did have), the proper dns name for the txt record should be selector.pem._domainkey.something.tld

For example:


the txt dns record should be addressible like this:

Note: If you use network  solutions for your dns, pay attention to the notices about what constitutes an acceptable txt entry. It should be listed on the page where you enter your txts.

By: SteveJ

I've created an updated howto for DKIM on CentOS here here.

By: Steve Jenkins

FYI - the dkim-milter package has been abandoned for years and has been replaced by OpenDKIM (which was forked from dkim-milter in 2009). OpenDKIM is in the Fedora 14+ repos and EPEL for RHEL/CentOS users. Just do "yum install opendkim"

More info on OpenDKIM at