Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2

9 Edit your Postfix configuration

Add the following lines at the end of your Postfix file, which will make Postfix aware of OpenDKIM and allow it to sign and verify mail:

vi /etc/postfix/

smtpd_milters           = inet:
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol		= 2


10 Start OpenDKIM and restart Postfix

Assuming you're using bash, do:

hash -r

to rehash your shell so you can find the init script.

Now let's to stop sendmail from starting on CentOS:

chkconfig --del sendmail

Start OpenDKIM:

service opendkim start

You should get a message that says:

Starting OpenDKIM Milter: [ OK ]

However, if you get an error message such as:

Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter

You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this HowTo. Then try starting up OpenDKIM again.

Once it starts, restart Postfix with:

/etc/init.d/postfix restart

If everything looks good, let's run chkconfig on OpenDKIM to make sure it starts when you boot your server:

chkconfig --level 2345 opendkim on

If you get some errors, try some of these startup troubleshooting tips before moving on.


11 Startup troubleshooting tips

Tip 1: The best place to start troubleshooting any mail issues (including OpenDKIM) is to check your maillog file:

tail -f /var/log/maillog

while you're starting, stopping, and/or restarting OpenDKIM and Postfix. This allows you to see more details about any errors in your configuration.

Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn't getting signed and you want to know why, this should tell you.


12 Adding DNS Records

Now that your mail server is signing outgoing mail and verifying incoming mail, you'll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed.

cat /etc/opendkim/keys/

The output should look something like this:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4" ; ----- DKIM default for

Now create a DNS record for your domain and paste the entire contents of the /etc/opendkim/keys/ file at the bottom of your domain's zone file, the TXT Name would default._domainkey and the TXT Value would be everything inside the quotes (starting with v=). You can ignore the semi-colon and comments at the end.

Make sure you follow the instructions of your DNS provider for adding a new TXT Record to your domain.

Now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.


13 Testing your setup

The best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file.

tail -f /var/log/maillog

When OpenDKIM starts (or restarts), you should see lines like:

opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)

When you send a mail that gets successfully signed, you should see:

opendkim[22254]: 53D0314803B: DKIM-Signature header added

The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services:

- Send a signed email to: [email protected]
- Send a signed email to: [email protected]

Each of these services will return an email telling you if things are working properly, and give you some pointers on troubleshooting if needed.


14 Upgrading OpenDKIM

If you would like to upgrade to a newer version of OpenDKIM, simply download the updated version and follow the guide to compile and install OpenDKIM with these steps:

tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make install

This will upgrade your OpenDKIM and keep your existing configuration intact. Remember to restart OpenDKIM after your upgrade with:

/etc/init.d/opendkim restart

Then verify that the newer version started up with no problems:

tail -f /var/log/maillog -- The official site for DomainKeys Identified Mail. -- OpenDKIM Project Site. -- A very good spam-fighting technique that you should be using if you're sending email.

Share this page:

8 Comment(s)