Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2
9 Edit your Postfix configuration
Add the following lines at the end of your Postfix main.cf file. They tell Postfix to pass mail received over SMTP (smtpd_milters) and mail submitted locally through the sendmail command (non_smtpd_milters) to the OpenDKIM milter listening on 127.0.0.1:8891, which signs outgoing mail and verifies incoming mail. Note that milter_default_action = accept means that if OpenDKIM is down or unreachable, Postfix still accepts and delivers the mail, just unsigned and unverified; if you would rather have submissions temporarily refused (and retried later) than leave your server unsigned, set it to tempfail instead. Either way, watch /var/log/maillog for milter connection errors:
vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
10 Start OpenDKIM and restart Postfix
Assuming you're using bash, do:
hash -r
to rehash your shell so you can find the init script.
Now stop sendmail from starting at boot on CentOS, so it cannot compete with Postfix for port 25:
chkconfig --del sendmail
Start OpenDKIM:
service opendkim start
You should get a message that says:
Starting OpenDKIM Milter: [ OK ]
However, if you get an error message such as:
Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter
You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this HowTo. Then try starting up OpenDKIM again.
Once it starts, restart Postfix with:
/etc/init.d/postfix restart
If everything looks good, let's run chkconfig on OpenDKIM to make sure it starts when you boot your server:
chkconfig --level 2345 opendkim on
If you get some errors, try some of these startup troubleshooting tips before moving on.
11 Startup troubleshooting tips
Tip 1: The best place to start troubleshooting any mail issues (including OpenDKIM) is to check your maillog file:
tail -f /var/log/maillog
while you're starting, stopping, and/or restarting OpenDKIM and Postfix. This allows you to see more details about any errors in your configuration.
Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes, then restart OpenDKIM so the change takes effect. If your outgoing mail isn't getting signed and you want to know why, this should tell you.
12 Adding DNS Records
Now that your mail server is signing outgoing mail and verifying incoming mail, you need to publish the public half of your key in DNS so that receiving mail servers can fetch it and check the signatures on your mail. The public key is in the default.txt file that opendkim-genkey created; the matching default.private file is the private key, which must stay on the server and never be published:
cat /etc/opendkim/keys/example.com/default.txt
The output should look something like this:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4" ; ----- DKIM default for example.com
Now create a DNS record for your domain. If you manage your own zone file, paste the entire line from /etc/opendkim/keys/example.com/default.txt at the bottom of the zone. If you use a hosted DNS provider's form instead, the TXT Name (host) is default._domainkey (the provider appends your domain, giving default._domainkey.example.com) and the TXT Value is everything inside the quotes, starting with v=. The semicolon and comment at the end of the line are not part of the record. If your key is longer than 255 characters (a 2048-bit key is), many providers require the value to be split into several quoted strings, each at most 255 characters; resolvers join them back together.
Make sure you follow the instructions of your DNS provider for adding a new TXT Record to your domain.
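As an added example (not part of the original HowTo), the following shell functions turn the default.txt file that opendkim-genkey wrote into the Name and Value a DNS provider's form asks for, sanity-check the value, and split it into 255-character chunks for providers that require that. They assume the file layout shown above (one selector._domainkey IN TXT record, in either the one-line format or the parenthesised multi-string format newer opendkim-genkey versions write); the key material used in the demo at the bottom is a truncated placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original HowTo. Assumes the default.txt layout
# shown in this section; the key in dkim_demo is constructed placeholder data.

# Print the record owner name (the first field of the record line), e.g.
# default._domainkey. Your DNS provider appends the domain to it.
dkim_txt_name() {
    awk 'NF && $1 !~ /^;/ { print $1; exit }' "$1"
}

# Print the TXT value: every double-quoted string in the file, joined in
# order with the quotes removed. The trailing "; ----- DKIM ..." comment is
# outside the quotes and so is dropped. Works for the one-line 2.4 format and
# for the parenthesised multi-string format newer opendkim-genkey versions write.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Return 0 if the value carries the tags a verifier needs, 1 otherwise.
# v=DKIM1 must be the first tag (RFC 6376); k=rsa and a non-empty p= must be
# present. An empty p= means a revoked key, not a usable one.
dkim_check_value() {
    case "$1" in v=DKIM1*) ;; *) echo "value must start with v=DKIM1" >&2; return 1 ;; esac
    case "$1" in *k=rsa*)  ;; *) echo "missing k=rsa" >&2; return 1 ;; esac
    case "$1" in *p=?*)    ;; *) echo "missing or empty public key (p=)" >&2; return 1 ;; esac
    return 0
}

# A single TXT character-string is limited to 255 octets (RFC 1035), so many
# providers reject a long key unless it is split. Print the value as
# 255-byte quoted chunks; resolvers (and OpenDKIM) concatenate them again.
dkim_txt_chunks() {
    printf '%s' "$1" | fold -b -w 255 | sed 's/.*/"&"/'
}

# Demo on a constructed record (the p= value is a truncated placeholder).
# On a real server point the functions at /etc/opendkim/keys/example.com/default.txt.
dkim_demo() {
    tmp=$(mktemp)
    printf '%s\n' 'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl" ; ----- DKIM default for example.com' > "$tmp"
    printf 'Name:  %s\n' "$(dkim_txt_name "$tmp")"
    value=$(dkim_txt_value "$tmp")
    if dkim_check_value "$value"; then
        printf 'Value: %s\n' "$value"
        dkim_txt_chunks "$value"
    fi
    rm -f "$tmp"
}
dkim_demo
```

The check refuses a record whose first tag is not v=DKIM1, since some providers reorder or drop tags when you paste into a form; if dkim_check_value fails on the value you pasted, fix the record before sending test mail, because a verifier that cannot parse the record treats your signatures as invalid.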
Now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.
13 Testing your setup
The best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file.
tail -f /var/log/maillog
When OpenDKIM starts (or restarts), you should see lines like:
opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)
When you send a mail that gets successfully signed, you should see:
opendkim[22254]: 53D0314803B: DKIM-Signature header added
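Watching for that line by eye works for one test message, but on a busy server you want to know which queued messages did not get it. As an added example (not from the original HowTo), the functions below join OpenDKIM's "DKIM-Signature header added" lines with Postfix's qmgr "from=<...>" lines on the queue ID and list every queued message as signed or UNSIGNED. They assume the standard syslog layout shown in this section; the log lines in the demo at the bottom are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original HowTo. Assumes standard maillog lines
# as shown in this section; the demo log lines are constructed.

# Print one line per queued message: queue-id sender signed|UNSIGNED.
# Both log sources are read in one pass and joined in END, so it does not
# matter which line syslog wrote first.
dkim_sign_report() {
    awk '
        /opendkim\[[0-9]+\]: [0-9A-Za-z]+: DKIM-Signature header added/ {
            id = $0
            sub(/.*opendkim\[[0-9]+\]: /, "", id); sub(/:.*/, "", id)
            signed[id] = 1
        }
        /postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=</ {
            id = $0
            sub(/.*qmgr\[[0-9]+\]: /, "", id); sub(/:.*/, "", id)
            from = $0
            sub(/.*from=</, "", from); sub(/>.*/, "", from)
            if (!(id in queued)) order[++n] = id
            queued[id] = from
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                printf "%s %s %s\n", id, queued[id], (id in signed) ? "signed" : "UNSIGNED"
            }
        }' "$@"
}

# Print only the queue IDs that were queued but never signed. A non-empty
# result for mail from your own domain means OpenDKIM did not treat the
# sender as a domain it signs for, or Postfix never reached the milter;
# LogWhy (Tip 2 above) tells you which.
dkim_unsigned() {
    dkim_sign_report "$@" | awk '$3 == "UNSIGNED" { print $1 }'
}

# Demo on constructed log lines; on a real server run
#   dkim_sign_report /var/log/maillog
dkim_report_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Jan  1 12:00:01 mx postfix/smtpd[2001]: 53D0314803B: client=localhost[127.0.0.1]
Jan  1 12:00:01 mx opendkim[22254]: 53D0314803B: DKIM-Signature header added
Jan  1 12:00:01 mx postfix/qmgr[1500]: 53D0314803B: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
Jan  1 12:00:05 mx postfix/qmgr[1500]: 7A1B2C3D4E5: from=<bob@example.com>, size=640, nrcpt=1 (queue active)
EOF
    dkim_sign_report "$tmp"
    rm -f "$tmp"
}
dkim_report_demo
```

Inbound mail from other domains will naturally show as UNSIGNED here, since your server only verifies it; what you are looking for is UNSIGNED entries whose sender is one of your own domains.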
The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services:
- Send a signed email to: [email protected]
- Send a signed email to: [email protected]
Each of these services will return an email telling you if things are working properly, and give you some pointers on troubleshooting if needed.
14 Upgrading OpenDKIM
If you would like to upgrade to a newer version of OpenDKIM, download the new tarball and compile and install it the same way as before. Substitute the version number you downloaded for 2.4.2, and use the same --sysconfdir, --prefix and --localstatedir values as your original install so the new binary finds your existing configuration:
tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install
This replaces the OpenDKIM binaries and keeps your existing configuration and keys intact. Remember to restart OpenDKIM after the upgrade with:
/etc/init.d/opendkim restart
Then verify that the newer version started up with no problems:
tail -f /var/log/maillog
15 Links
DKIM.org -- The official site for DomainKeys Identified Mail.
OpenDKIM.org -- OpenDKIM Project Site.
OpenSPF.org -- Sender Policy Framework (SPF), a sender-authentication technique that you should also be using if you send email.