From ArchWiki
Revision as of 22:26, 16 July 2012 by Xt (talk | contribs)
Jump to: navigation, search

What is it?

DomainKeys Identified Mail is a digital email signing/verification technology, which is already supported by some common mail providers. (For example yahoo, google, etc).

How does it work?

The sender's mail server signs outgoing email with the private key.

The receiver (or his server) gets the signed message, request public key from the domain's DNS and verifies the signature.

So you can check who actually sent this email.

For more info see:


Install opendkim

You may add user for opendkim or use existing one (for example: postfix)

Generic configuration

  • Generate key:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
  • Create /etc/opendkim/opendkim.conf (see example in the same directory)

Minimal config:

 Domain        ,
 KeyFile                 /path/to/private.key
 Selector                server1
 Socket                  inet:8891@localhost
 UserID                  postfix
  • Add a DNS TXT record with your selector (see Selector in config, you may choose random name) and public key:
server1._domainkey IN TXT "k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y"

p= is your public key, k= the algorithm (rsa by default). There are two possible flags for the t= value: y means testing (unsigned mail is not to be treated as spam/unauthorized), s means the key is not valid for subdomains.

  • Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf

Postfix integration

Just add




into or smtpd options in example:

smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_client_connection_count_limit=10
    -o smtpd_milters=inet:

submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_path=smtpd
  -o cyrus_sasl_config_path=/etc/sasl2
  -o smtpd_milters=inet: