Setting up Domains Keys (DKIM) on Postfix

This is a quick and fairly painless way of setting up DKIM on a Postfix server. DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, allowing a person, role, or organization to claim some responsibility for the message and helping receivers verify that your mail is legitimate. This helps keep your email from being flagged as spam or fraud, especially if you send bulk or important email.

This tutorial is written for Debian, so if you are using CentOS the paths to some files may have an /etc/mail prefix or similar.
First, install dkim-filter:

Debian based
apt-get install dkim-filter

Red Hat based
Enable EPEL
yum install dkim-milter

Set up a domain key for a domain (with $DKIMDOMAIN set to that domain); feel free to set up a few of these if needed
mkdir -p /etc/dkim/keys/$DKIMDOMAIN
cd /etc/dkim/keys/$DKIMDOMAIN
dkim-genkey -r -d $DKIMDOMAIN

If you want an easy web based way check out which also gives you the DNS records.

Create a file /etc/dkim-keys.conf and insert into it a line like this (replacing '' with your own domain)


If you have problems, rename the default.private to just 'default' and use the website mentioned above to generate the keys. I found that occasionally the command-line generation failed on some distros.

If you used the command line, check the file at /etc/dkim/keys/yourdomain/default.txt, which will contain something like this:

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0frgfrefgrweferNYlS+8jyrbAxNsghsPrWYgOQQWI0Ab4e9MT" ; ----- DKIM default for
Yours should be much longer; this one was snipped for brevity. You need to add the TXT record default._domainkey with the key between the quotes. If you are using standard BIND, you can copy and paste that line into the named file.
NOTE: Newer versions use default.private._domainkey
Another TXT record worth adding is:
_domainkey IN TXT t=y;o=~;

Now look for and edit your /etc/dkim-filter.conf (Debian-based distros may have this in /etc/dkim/dkim-filter.conf).
You need to have two lines like this:

KeyList /etc/dkim-keys.conf
Socket inet:8891@localhost

If you use Debian, you also need to edit /etc/default/dkim-filter and set the socket there as SOCKET="inet:8891@localhost"

Then restart the DKIM filter
/etc/init.d/dkim-filter restart

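Now add the following settings to the Postfix config. This goes into (/etc/postfix/ ). Note that milter_default_action = accept tells Postfix to carry on as if the filter were not there when it cannot reach it, so mail goes out unsigned rather than being held.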
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Then of course restart postfix

postfix reload

This should now sign outgoing emails with the domain key. It pays to use this webpage to check things are working.
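
The TXT record in default.txt can also be checked locally before it is published. The following is an added example, not part of the original post or of dkim-filter: it rejoins the quoted strings of the zone-file line, reads the selector, and flags a g= tag (see the RFC 6376 comment below), a t=y testing flag (RFC 6376 section 3.6.1), a truncated p= value, and an RSA key under 1024 bits (a threshold taken from RFC 8301, not from this page). The function names and the sample records are constructed for illustration.

```python
import base64, re

def _read(buf, pos):
    """Read one DER TLV at pos and return (value, next_pos)."""
    ln, pos = buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + ln], pos + ln

def rsa_bits(spki):
    """Modulus size in bits of a DER RSA SubjectPublicKeyInfo (decoded p=)."""
    body, end = _read(spki, 0)                     # outer SEQUENCE
    if end != len(spki):
        raise ValueError("truncated key or trailing data")
    _, nxt = _read(body, 0)                        # AlgorithmIdentifier
    bitstr, _ = _read(body, nxt)                   # BIT STRING
    rsakey, _ = _read(bitstr, 1)                   # skip unused-bits octet
    modulus, _ = _read(rsakey, 0)                  # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def audit(zone_line):
    """Return (selector, findings) for one zone-file line from dkim-genkey."""
    selector = zone_line.split("._domainkey")[0].strip()
    txt = "".join(re.findall(r'"([^"]*)"', zone_line))   # rejoin split strings
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    findings = []
    if "g" in tags:
        findings.append("g= present (RFC 6376 C.2 recommends omitting it)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y set: key is published in testing mode")
    try:
        bits = rsa_bits(base64.b64decode(tags.get("p", ""), validate=True))
        if bits < 1024:                            # assumed limit, from RFC 8301
            findings.append(f"RSA key is only {bits} bits")
    except (ValueError, IndexError):
        findings.append("p= does not decode to a complete RSA public key")
    return selector, findings

def _tlv(tag, body):                               # DER encoder for the sample
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (lb if len(body) < 128 else bytes([0x80 | len(lb)]) + lb) + body

def constructed_record(selector, bits, extra=""):
    """Constructed sample: well-formed SPKI around a dummy (unusable) modulus."""
    rsakey = _tlv(0x30, _tlv(0x02, b"\x00" + b"\xff" * (bits // 8)) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    p = base64.b64encode(_tlv(0x30, alg + _tlv(0x03, b"\x00" + rsakey))).decode()
    return f'{selector}._domainkey IN TXT "v=DKIM1; {extra}k=rsa; p={p[:64]}" "{p[64:]}"'
```

Call audit() on the line from your own default.txt; an empty findings list means none of these four problems was found, not that the record is live in DNS.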


14 Responses to Setting up Domains Keys (DKIM) on Postfix

  1. Pingback: May 2012 RimuHosting newsletter | RimuHosting Blog

  2. Michael says:

    3was:~# apt-get install dkim-filter
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
    The following NEW packages will be installed:
    dkim-filter libmilter1.0.1
    0 upgraded, 2 newly installed, 0 to remove and 16 not upgraded.
    Need to get 484kB of archives.
    After this operation, 967kB of additional disk space will be used.
    Do you want to continue [Y/n]? y

    I was trying to do this and the first step aborted! I am using Debian and I am not sure how to enable EPEL

    • Liz Quilty says:

      Try using a capital Y instead of a small one, or just press enter. You will not need to enable EPEL by the looks.

  3. Michael says:

    It keeps saying abort. I do have a Rimu VPS and that is how I found your blog from the email Peter sent out the other day. The OS is Debian Linux 5.0, I know absolutely nothing about Debian Linux or any Linux and I am not even sure if it's the best system for a beginner. Could you recommend a good book with really good step by step instructions on how to run the server using Debian? I would really like to learn a lot more and especially how to set up my email correctly. Thanks :)

    • Liz Quilty says:

      Heya, just pop in a ticket to support and we can take a look at that for you. Let us know what domain it is.

  4. Daniel says:

    Hi Liz, great write up. It's funny I was just looking into DKIM when I ran across your tutorial here. Unfortunately I'm having a little trouble. I tried both the private and the socketlabs site for generating keys and neither one seems to sign keys to the email when I do a check with the brandonchecketts site. Doing a named-checkzone says the zone file is ok, so I'm stumped, any other troubleshooting tips? During the install it did give a warning, something about "one selector and key required for signing mode". So maybe it isn't in signing mode and I need to do another step somewhere? A Google search seems like that warning was a bug that's been fixed but obviously not.

    • Liz Quilty says:

      Heya Daniel, sounds like the postfix or mta is not signing the emails for some reason. If it's on a VPS with us, send us an email and we can take a look at that. If not, check the mail logs for errors, and double check that you have restarted it after adding the configs

  5. LinuxRawkstar says:

    This worked great, except that the DNS entries needed to be "default.private._domainkey" instead of "default._domainkey"... something to do with how the dkim-genkey utility now creates its file names. Took a bit of digging to figure this out, so I wanted to pass the info on to others. Perhaps you should amend the tutorial.

    Thanks for the great howto!

    • Liz Quilty says:

      It depends on how you create it as to what name it gives. I think the default action for the command line app is that, but the website option is otherwise. Will leave this comment here as reference for anyone having that problem

  6. I changed the server's OS to Debian 6 and got a lot farther this time but I got this message on the Brandon test.

    Message does not contain a DomainKeys Signature

    1.1 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

    • Liz Quilty says:

      Heya, check the config to see if it's setting it up as private._domainkeys rather than just _domainkeys (see other comments). If you are a customer of ours just pop in a support ticket, I'm sure we can sort it for you.

  7. Daniel Black says:

    Totally recommend opendkim instead of dkim-[mf]ilter. It's from the same base and the same developers with lots more bug fixes and more advanced filtering if required.

  8. Daniel Black says:

    some final tips: "_domainkey IN TXT t=y;o=~;" had some meaning in the draft RFCs however there was never a final meaning to these.

    The Debian opendkim-genkey and possibly dkim-genkey add g=* in the DNS record. RFC6376, the latest DKIM RFC, recommends that this is not included (section C.2). for full rfcs.

    rfc6651 also presents some options for feedback reporting by adding r=postmaster where postmaster@{signingdomain} is where feedback is sent. Other options are also in the rfc. for rfcs related to feedback reporting.