Quick And Easy Setup For DomainKeys Using Ubuntu, Postfix And Dkim-Filter

This is a quick tutorial for setting up DomainKeys on Ubuntu (I used 6.06LTS - but should work the same on others) using dkim-filter with Postfix so emails from your domain will not constantly end up in Yahoo's spam filter.

First install dkim-filter from the respositories:

sudo apt-get install dkim-filter

Next create a location for storing the public and private keys required:

sudo mkdir /var/dkim-filter

Enter into that directory and create keys:

cd /var/dkim-filter

sudo openssl genrsa -out private.key 1024

sudo openssl rsa -in private.key -out public.key -pubout -outform PEM

Edit dkim-filter configuration file, almost everything is commented out by default. Here is a copy of my config. Replace DOMAIN.TLD with your domain name.

# Log to syslog
  Syslog			yes
  # Required to use local socket with MTAs that access the socket as a non-
  # privileged user (e.g. Postfix)
#UMask			002

# Sign for example.com with key in /etc/mail/dkim.key using
  # selector '2007' (e.g. 2007._domainkey.example.com)
  Domain	DOMAIN.TLD		
  KeyFile		/var/dkim-filter/private.key
  Selector		mail 

# Common settings. See dkim-filter.conf(5) for more information.
  AutoRestart		no
  Background		yes
  Canonicalization	simple
  DNSTimeout		5
  Mode			sv
  SignatureAlgorithm	rsa-sha256
  SubDomains		no
  UseSSPDeny		no
  X-Header		no

At this point you should be able to successfully start the service and check for any errors in the syslog.

sudo /etc/init.d/dkim-filter start

Now add the selector and public key info into your DNS zone file. Change the DOMAIN.TLD to match your domain name, and add the key contents from: /var/dkim-filter/public.key after the p=

Make sure there are no spaces or line breaks!


mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"

Edit  the Postfix configuration file...

sudo vi /etc/postfix/main.cf

... and add the following to the bottom of the file:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Next restart BIND and Postfix:

sudo /etc/init.d/bind9 restart

sudo /etc/init.d/postfix restart

Test by sending a mail to a Yahoo account, check the header for DomainKeys status.

Share this page:

11 Comment(s)

Add comment


From: Anonymous

I just ran through this with ubuntu 8.04 perfect server w/ispconfig 2 installed and it went smoothly.

double check /etc/dkim-filter.conf and make sure you have domain and selector uncommented and set correctly...

also, your DNS zone file edit is a little confusing

mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"

so, if your domain is friskycritters.org the line would read:

mail._domainkey.friskycritters.org. IN TXT ....

ALSO.... make sure when you paste your public key, you remove all line breaks so it fits all on one line and ends with a quote "

Hope this helps


From: djmixx07

Hi, I'm just starting to learn with this kind of stuff. I'm lost at this part saying that I need to edit my DNS zone file. DNS zone file? Where can I find this file to edit so I can add " mail._domainkey.DOMAIN.TLD. IN TXT.. ". Please help because I'm getting "warning: connect to Milter service inet:localhost:8891: Connection refused" in my mail log.


From: Vlad

I followed exactly your steps but this is the error I encountered:

Mar  1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Mar  1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: read error in initial handshake

On the other hand I have dk-filter running perfectly on 8892.

Can you give me some advice? Thank you in advance...

From: Anonymous

Hi, do you have a solution. I'm facing the exact same problem :?

From: Sven Andreassen

For those of you who reached this far in trying to resolve this problem. You might want to check this one out:


 For some reason dkim-filter uses TCP for dns queries..

 At least it solved my problem.

 Regards, Sven



After testing, the "t=y" flag in the DNS entry should be removed because this flag indicates that the DKIM implementation is for testing purposes.

See page 27 of RFC 4871

From: nima0102

thanks for good article I have configured the same as this article,but in /var/log/mail.log, warning is logged : "postfix/cleanup[22889]: warning: connect to Milter service inet:localhost:8891: Connection refused" but i do not know about this issue. thanks for any help or guidance

From: Julien

Be sure you change /etc/default/dkim-filter so that dkim-filter uses TCP and not a local socket



From: Anonymous

So how would you change to a tcp from a local socket.

use inet:8891@tcp ??

sorry i'm a newbie... and have followed only this tutorial even though i have read many.

Now i can't even recieve emails in my thunderbird client from the mail server, Looks like my smtp settings are messed up with this domain key verification.


my postfix logs show

Oct  5 12:57:29 drop dkim-filter[24850]: 72FDF1070EB6: no signature data 

i suspect this may be because i'm not using the selectors correctly in this instance

from the tutorial

# selector '2007' (e.g. 2007._domainkey.example.com)

I have the DOMAIN.TLD

we send mail using the subdomain MAIL.DOMAIN.TLD

the machine name is BOX1.DOMAIN.TLD or BOX2.DOMAIN.TLD depending on what's being sent

which of these do i put in the selector?

likewise which to i put in my dns file (tinydns if that matters)

From: Pety

I have instaled ispconfig 3 with postfix and squirrelmail. I have tried to implement domain-keys, but is not working properly. First of all I think the problem is from my 'txt record'.

My error log shows me:

last message repeated 3 times

imapd: Error reading ACLs for : Invalid argument


And my emails are still unsigned! 

Can someone help me pls!