Setting up Domains Keys (DKIM) on Postfix

This is a quick and fairly painless way of setting up DKIM on a Postfix server. DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, allowing a person, role, or organization to claim some responsibility for the message and helping recipients verify that your mail is legitimate. This will help keep your email from being flagged as spam or fraud, especially if you are sending bulk or important emails.

This tutorial is written for Debian, so if you are using CentOS some files may live under an /etc/mail prefix or similar. See also our more recent post which describes an opendkim setup and enables DMARC records.

First, install dkim-filters

Debian based
apt-get install dkim-filter

Redhat Based
Enable EPEL
yum install dkim-milter

Set up a domain key for a domain – feel free to set up a few of these if needed
mkdir -p /etc/dkim/keys/$DKIMDOMAIN
cd /etc/dkim/keys/$DKIMDOMAIN
dkim-genkey -r -d $DKIMDOMAIN

If you want an easy web based way check out which also gives you the DNS records.

Create a file /etc/dkim-keys.conf and insert into it a line like this (replacing ‘’ with your own domain)


If you have problems, rename the default.private to just ‘default’ and use the website mentioned above to generate the keys. I found occasionally the command line generation failed on some distros.

If you used command line then check the file at /etc/dkim/keys/yourdomain/default.txt which will have something like this

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0frgfrefgrweferNYlS+8jyrbAxNsghsPrWYgOQQWI0Ab4e9MT" ; ----- DKIM default for
Yours should be much longer; this was snipped for brevity. You need to add the TXT record default._domainkey with the key between the quotes. If you are using standard bind then you can copy/paste that into the named file.
NOTE: Newer versions use default.private._domainkey
Another TXT record worth adding is
_domainkey IN TXT t=y;o=~;

Now look for and edit your /etc/dkim-filter.conf (Debian based distros may have this in /etc/dkim/dkim-filter.conf ).
You need to have 2 lines like this

KeyList /etc/dkim-keys.conf
Socket inet:8891@localhost

If you use Debian you also need to edit /etc/default/dkim-filter and have the socket in there as SOCKET="inet:8891@localhost"

Then restart the DKIM filter
/etc/init.d/dkim-filter restart

Now add the following code into the Postfix config. This goes into (/etc/postfix/ )
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Then of course restart postfix

postfix reload

This should now sign emails going out with the domain key. It pays to use this webpage to check things are working.
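
The selector name in the NOTE above (default versus default.private) is one way to end up with a signature that is present but does not verify. The following is an added example, not part of the original post: it reads the s= and d= tags from a message's DKIM-Signature header, works out the DNS name a verifier will query, and compares it with a line in the default.txt format. The sample message, example.com and the key value are constructed.

```python
import re
from email import message_from_string

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def parse_zone_txt(line):
    """Split a one-string BIND TXT line into (owner name, tag dict)."""
    m = re.match(r'\s*(\S+)\s+IN\s+TXT\s+"([^"]*)"', line)
    if not m:
        raise ValueError('expected: <name> IN TXT "..."')
    return m.group(1), parse_tags(m.group(2))

def check(raw_message, zone_line):
    """Return a list of problems; an empty list means the names line up."""
    sig = message_from_string(raw_message).get("DKIM-Signature")
    if sig is None:
        return ["message has no DKIM-Signature header"]
    sig_tags = parse_tags(sig)
    if "s" not in sig_tags or "d" not in sig_tags:
        return ["DKIM-Signature lacks s= or d="]
    relative = sig_tags["s"] + "._domainkey"        # name relative to the zone
    absolute = relative + "." + sig_tags["d"] + "."  # fully qualified form
    owner, key = parse_zone_txt(zone_line)
    problems = []
    if owner not in (relative, absolute):
        problems.append(f"verifiers look up {absolute} but zone has {owner}")
    if "g" in key:  # RFC 6376 advises signers not to publish g=
        problems.append("key record carries the deprecated g= tag")
    if "y" in key.get("t", "").split(":"):
        problems.append("key record is flagged t=y (testing)")
    if not key.get("p"):
        problems.append("p= is empty or missing")
    return problems

# Constructed sample: signed with selector default.private, published as default.
MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
    "\ts=default.private; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: sender@example.com\nSubject: test\n\nbody\n"
)
ZONE = 'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=CONSTRUCTEDKEY"'

if __name__ == "__main__":
    for problem in check(MESSAGE, ZONE):
        print(problem)
```

Feed it a message copied from a recipient mailbox (headers included) and the line from default.txt; it only compares names and tags and does not verify the signature itself.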

14 responses to “Setting up Domains Keys (DKIM) on Postfix”

  1. 3was:~# apt-get install dkim-filter
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    The following extra packages will be installed:
    The following NEW packages will be installed:
    dkim-filter libmilter1.0.1
    0 upgraded, 2 newly installed, 0 to remove and 16 not upgraded.
    Need to get 484kB of archives.
    After this operation, 967kB of additional disk space will be used.
    Do you want to continue [Y/n]? y

    I was trying to do this and the first step aborted! I am using Debian and I am not sure how to enable EPEL

    • Try using a capital Y instead of a small one, or just press enter. You will not need to enable EPEL by the looks.

  2. It keeps saying abort. I do have a Rimu VPS and that is how I found your blog from the email Peter sent out the other day. The OS is Debian Linux 5.0, I know absolutely nothing about Debian Linux or any Linux and I am not even sure if it’s the best system for a beginner. Could you recommend a good book with really good step by step instructions on how to run the server using Debian? I would really like to learn a lot more and especially how to set up my email correctly. Thanks :)

    • Heya, just pop in a ticket to support and we can take a look at that for you. Let us know what domain it is.

  3. Hi Liz, great write up. It’s funny I was just looking into DKIM when I ran across your tutorial here. Unfortunately I’m having a little trouble. I tried both the private and the socketlabs site for generating keys and neither one seems to sign keys to the email when I do a check with the brandonchecketts site. Doing a named-checkzone says the zone file is ok, so I’m stumped, any other troubleshooting tips? During the install it did give a warning, something about “one selector and key required for signing mode”. So maybe it isn’t in signing mode and I need to do another step somewhere? A google search seems like that warning was a bug that’s been fixed but obviously not.

    • Heya Daniel, sounds like the postfix or mta is not signing the emails for some reason. If it's on a VPS with us, send us an email and we can take a look at that. If not, check the mail logs for errors, and double check that you have restarted it after adding the configs.

  4. This worked great, except that the DNS entries needed to be “default.private._domainkey” instead of “default._domainkey”… something to do with how the dkim-genkey utility now creates its file names. Took a bit of digging to figure this out, so I wanted to pass the info on to others. Perhaps you should amend the tutorial.

    Thanks for the great howto!

    • It depends on how you create it as to what name it gives. I think the default action for the command line app is that, but the website option is otherwise. Will leave this comment here as reference for anyone having that problem.

  5. I changed the servers OS to Debian 6 and got a lot farther this time but I got this message on the Brandon test.

    Message does not contain a DomainKeys Signature

    1.1 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

    • Heya, check the config to see if it's setting it up as private._domainkeys rather than just _domainkeys (see other comments). If you are a customer of ours just pop in a support ticket, I'm sure we can sort it for you.

  6. Totally recommend opendkim instead of dkim-[mf]ilter. It's from the same base and the same developers with lots more bug fixes and more advanced filtering if required.

  7. Some final tips: “_domainkey IN TXT t=y;o=~;” had some meaning in the draft RFCs; however, there was never a final meaning to these.

    The Debian opendkim-genkey and possibly dkim-genkey add g=* in the DNS record. RFC6376, the latest DKIM RFC, recommends that this is not included (section C.2). for full rfcs.

    rfc6651 also presents some options for feedback reporting by adding r=postmaster where postmaster@{signingdomain} is where feedback is sent. Other options are also in the rfc. for rfcs related to feedback reporting.