If mail sent from your web server or web application has delivery problems, DKIM (DomainKeys Identified Mail) can help a great deal: it lets the receiving side verify that the message was signed with a key published under your domain.

It's highly recommended to sign outgoing email with DKIM even if your server is not running any kind of mail hosting; a web server that only sends notifications still benefits.

Install DKIM

apt-get install opendkim opendkim-tools

Edit Config files

DKIM config

Open the OpenDKIM config file: vim /etc/opendkim.conf

Add the following lines towards the end. Replace example.com with your domain or subdomain. The Selector is an arbitrary label (mail here) that must match the name of the DNS record you create below, and KeyFile is where the private key will live.

Domain                  example.com
KeyFile                 /etc/postfix/dkim.key
Selector                mail
SOCKET                  inet:8891@localhost

Next, open the OpenDKIM defaults file: vim /etc/default/opendkim

Change the default socket by adding a line like the one below (it must match the SOCKET line in /etc/opendkim.conf):

SOCKET="inet:8891@localhost"

Postfix file

Open the Postfix main config file: vim /etc/postfix/main.cf

Add the following lines towards the end. Note that milter_default_action = accept means Postfix keeps accepting and delivering mail (unsigned) if the OpenDKIM milter is unreachable, so a stopped opendkim shows up as DKIM failures at the receiver rather than as a mail backlog; keep that in mind when a test suddenly fails.

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

DKIM Key Generation

Run the following command with mail and example.com matching the Selector and Domain values used in /etc/opendkim.conf in the earlier step.

opendkim-genkey -t -s mail -d example.com

This command generates two files: mail.private and mail.txt. mail.private is the private key that signs your outgoing mail; copy it to the KeyFile location set in /etc/opendkim.conf, then make it owned by the user the opendkim daemon runs as (opendkim on Debian/Ubuntu) and readable by nobody else (mode 600), because anyone who can read it can sign mail as your domain. Two things to know about the command above: -t sets the testing flag (t=y in the DNS record), which tells verifiers to treat a failing signature no differently from an unsigned message, so re-run it without -t (or drop t=y from the record) once the tests at the end of this post pass; and opendkim-genkey defaults to a 1024-bit RSA key, the smallest size RFC 8301 still allows, so prefer -b 2048 for a new deployment (the resulting TXT value is longer than 255 bytes, which some DNS interfaces require you to enter as several quoted strings; verifiers join them).

cp mail.private /etc/postfix/dkim.key

DNS Record Setup

Next, you need to create a TXT record on the DNS side. Just check the content of the mail.txt file created by the opendkim-genkey command we ran above.

cat mail.txt

You will see something like below:

mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com

A TXT record requires a NAME and a VALUE.

Use mail._domainkey for NAME and the long string in quotes starting with v=DKIM1 for VALUE.

[Screenshot: sample TXT record (TXT-DKIM record-1). The user interface on your end might differ.]

If you are editing an existing DNS record, it may take some time for the change to propagate (resolvers cache the old value until its TTL expires).

Start Signing

Once all config and setup is done, start the OpenDKIM service and restart Postfix.

service opendkim start
service postfix restart

Testing DKIM setup for correctness

Anything we do, especially for the first time, must end with successful testing!

There are many tools for testing. A few of them are listed below.

Verify DNS Records for DKIM Setup

This ONLY verifies that your TXT record is published; it does not prove that Postfix is actually signing mail.

dig command

Classic and easy, and you probably have it already. Running…

dig mail._domainkey.example.com TXT

should return a response like…

;; ANSWER SECTION:
mail._domainkey.example.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
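Note that dig shows the value as several quoted strings with the semicolons escaped; that is just how the record was entered and how dig displays it, and DKIM verifiers simply concatenate the strings. Before trusting the record it is worth checking exactly what is published. The script below is an added example for this page, not code from the original post or from the OpenDKIM project: a stdlib-only Python checker that accepts the record either as opendkim-genkey writes it to mail.txt or as dig prints it, parses the tags, flags test mode (t=y), detects a revoked (empty p=) key and works out the RSA key size from the p= value. The two sample records are constructed from the page's own example key.

```python
"""Sanity-check a DKIM selector record before (or after) you publish it.

Added example for this page; not part of OpenDKIM or the original post.
Handles the record as opendkim-genkey writes it (mail.txt) and as dig
prints it (several quoted strings, semicolons escaped as \\;).
Only the Python standard library is used.
"""
import base64
import re


def join_txt_strings(raw: str) -> str:
    """Reassemble a TXT record that dig shows as several quoted strings.

    Verifiers concatenate the strings, so we do the same and drop the
    backslash escapes dig places in front of semicolons.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    joined = "".join(parts) if parts else raw
    return joined.replace("\\;", ";")


def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (RFC 6376 section 3.2)."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        name, _, value = field.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_value: str) -> int:
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_value)
    tag, spki, _ = _der_tlv(der, 0)
    assert tag == 0x30, "p= is not a DER SEQUENCE"
    _, _alg, pos = _der_tlv(spki, 0)        # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstr, _ = _der_tlv(spki, pos)
    assert tag == 0x03, "expected BIT STRING"
    _, rsapub, _ = _der_tlv(bitstr[1:], 0)  # skip the 'unused bits' byte
    tag, modulus, _ = _der_tlv(rsapub, 0)   # RSAPublicKey ::= SEQUENCE { n, e }
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(raw: str) -> dict:
    """Return the facts a deployer should look at before going live."""
    tags = parse_dkim_record(join_txt_strings(raw))
    p = "".join(tags.get("p", "").split())  # folding whitespace inside p= is allowed
    key_type = tags.get("k", "rsa")         # k= defaults to rsa
    report = {
        "version_ok": tags.get("v", "DKIM1") == "DKIM1",
        "key_type": key_type,
        "test_mode": "y" in tags.get("t", "").split(":"),  # t=y: failures ignored
        "revoked": p == "",                 # empty p= revokes the selector
        "key_bits": rsa_key_bits(p) if p and key_type == "rsa" else None,
    }
    report["weak_key"] = report["key_bits"] is not None and report["key_bits"] < 2048
    return report


# Constructed samples built from the public key in the page's example record
# (a 1024-bit key generated with opendkim-genkey -t).
PAGE_KEY = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TO"
    "NpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9m"
    "Iu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
)
MAIL_TXT = ('mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=' + PAGE_KEY
            + '" ; ----- DKIM key mail for example.com')
DIG_ANSWER = ('mail._domainkey.example.com. 86400 IN TXT "v=DKIM1\\;" "k=rsa\\;" "t=y\\;" "p='
              + PAGE_KEY + '"')

if __name__ == "__main__":
    for label, record in (("mail.txt", MAIL_TXT), ("dig", DIG_ANSWER)):
        report = check_dkim_record(record)
        print(f"{label}: {report}")
        if report["test_mode"]:
            print("  t=y is set: verifiers ignore signature failures; drop -t once signing works")
        if report["weak_key"]:
            print("  key is shorter than 2048 bits: regenerate with opendkim-genkey -b 2048")
```

Run it as is to see the report for the page's example key (1024 bits, test mode on), or feed it the output of your own dig query. To compare the published record with the private key OpenDKIM actually signs with, opendkim-testkey -d example.com -s mail -k /etc/postfix/dkim.key -vvv (from the opendkim-tools package installed above) fetches the record and checks it against the key file; a "key not secure" message from it only means the zone is not DNSSEC-signed, not that the key is wrong.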

Web-based Record Check

You can use http://www.protodave.com/tools/dkim-key-checker/

Use selector mail and domain example.com there.

Verify DKIM Signing

Test #1 – Email-based

If you have set up the keys correctly, you should pass this test.

You can test by simply sending an email to autorespond+dkim@dk.elandsys.com or check-auth2@verifier.port25.com

It's better to use the swaks tool for mail testing (apt-get install swaks). Point it at your own Postfix with --server localhost: without that option swaks looks up the recipient's MX and delivers there directly, bypassing Postfix and the OpenDKIM milter, so the test message would go out unsigned and tell you nothing about your setup.

swaks --server localhost -t check-auth2@verifier.port25.com -f me@example.com

Replace me@example.com with the address where you would like to receive the test results; the verifier mails its report back to the envelope sender. Look for a passing DKIM result in that report.

Test #2 – Web-based

A better choice is a service like http://www.mail-tester.com/ which gives you a temporary email address and a web interface to see what happens to the email on the receiving end!

For WordPress, it's better to test using the Check Email plugin, as you get a better picture of what happens to mail actually sent from WordPress!

11 comments

  1. Good day

    I used

    Domain *
    KeyFile /etc/postfix/dkim.key
    Selector mail

    in /etc/opendkim.conf to use the same key for multiple domains

    https://help.ubuntu.com/community/Postfix/DKIM#Common_errors_and_fixes
    and added “no_milters” to /etc/postfix/master.cf

    made this line:
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

    look like:
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

    This prevented opendkim signing messages twice.

    I am curious whether this is sane or not. Remember laziness counts!

    Enjoy your day and thank you for your time.

    1. I never used DKIM like above, but in another use-case I used no_milter to avoid double processing.

      If it's working, it must be fine! 😉

  2. Thanks so much. I was stuck with other tutorials at entering the information into DNS.
    Helped me greatly!!

  3. Hi there! I followed your setup to the letter and I am no longer able to send mails. I get a transport error on the Milter server. Have you got any idea why?

    “postfix/cleanup[3127]: warning: invalid transport name: “inet in Milter service: “inet:localhost:8891″”

      1. OK, so I reset all the config and now it's working. However, I have another blockage: when I do a HELO test via SMTP on the server side (i.e. telnet localhost 25) I can send mails. However, I added my distant application site to mynetworks in order to allow SMTP relays. The problem is that the HELO test seems to go well and the message is queued, but the server does nothing. The log file gives no error message either… Any idea?

  4. t=y in the DKIM key enables test mode, so even if you have DKIM, you are telling it to ignore. Also you can see it in the mails: you'll get test mode in them (when you click "show original", it displays dkim=pass (test mode)).
    Ref: http://goo.gl/j3Fjbp, http://goo.gl/sbSI82
