Setup DKIM on Postfix with OpenDKIM

April 29, 2012 at 06:50 AM | categories: Postfix, Howto, DKIM, Centos, Email


DKIM is an authentication framework which stores public keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specification. It is defined in RFC 4871.

I previously wrote about setting up DKIM using dkim-milter; dkim-milter has since been deprecated.

We will be using the OpenDKIM implementation on CentOS. OpenDKIM is a fork of dkim-milter.


yum install opendkim

Generate the Keys

opendkim-genkey -d <domain_name> -s <selector>

Replace <domain_name> with the domain name you will be signing the mail for, and <selector> with a selector name; it can be anything (but just one word). The command will create two files.

  • <selector>.txt - contains the public key you publish via DNS

  • <selector>.private - the private key you use for signing your email

Create a subdirectory in /etc/opendkim/keys to store your key. I prefer to use the domain name as the subdirectory name.

# mv <selector>.private /etc/opendkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/opendkim/keys/<domain_name>/<selector>.pem
# chown opendkim:opendkim /etc/opendkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS; receiving mail servers use this key to verify your signed email. The contents of <selector>.txt is the record you need to add to your zone file. A sample is below (it uses default as the selector and as the domain_name)

default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa;
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for


Edit /etc/opendkim.conf: comment out "KeyFile /etc/opendkim/keys/default.private" and uncomment "#KeyTable /etc/opendkim/KeyTable".

Edit the file /etc/opendkim/KeyTable and add your domain using the following format:

<selector>._domainkey.<domain_name> <domain_name>:<selector>:/etc/opendkim/keys/<domain_name>/<selector>.pem

Add your server's IP addresses to /etc/opendkim/TrustedHosts

More advanced configuration options can be set in the file /etc/opendkim.conf
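
A quick way to check the KeyTable entries and the key file permissions set above before starting the service. This is an added example, not part of the original post: it assumes Python 3, and the domains (example.com, example.org) and key files in the demo are constructed placeholders.

```python
import os
import stat
import tempfile

def lint_keytable(text):
    """Check KeyTable text; return (dns_names, problems)."""
    dns_names, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        parts = fields[1].strip().split(":", 2) if len(fields) == 2 else []
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected '<name> <domain>:<selector>:<keyfile>'")
            continue
        domain, selector, keyfile = parts
        dns_name = f"{selector}._domainkey.{domain}"  # where the TXT record must live
        dns_names.append(dns_name)
        if fields[0] != dns_name:  # naming convention used in this article
            problems.append(f"line {lineno}: key name {fields[0]!r} is not {dns_name!r}")
        try:
            mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        except OSError:
            problems.append(f"line {lineno}: key file {keyfile} not found")
            continue
        if mode & 0o077:  # any group/other access exposes the signing key
            problems.append(f"line {lineno}: {keyfile} has mode {mode:03o}, expected 600")
    return dns_names, problems

def demo():
    """Constructed sample: one key with mode 600, one left world-readable."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "default.pem"), os.path.join(d, "mail.pem")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        table = (f"default._domainkey.example.com example.com:default:{good}\n"
                 f"mail._domainkey.example.org example.org:mail:{bad}\n"
                 "broken-line-without-key-spec\n")
        return lint_keytable(table)

if __name__ == "__main__":
    names, problems = demo()
    print("publish TXT records at:", names)
    print("\n".join(problems) or "no problems found")
```

On a real server, pass the contents of /etc/opendkim/KeyTable to lint_keytable() as root; the returned names are the DNS names where each public key has to be published.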

Configure Postfix

You need to add the following options to the Postfix configuration file (main.cf) to enable it to use the milter.

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Append the OpenDKIM options to the existing milters if you have other milters already configured.

Start OpenDKIM and restart Postfix

# service opendkim start
# service postfix restart


Send an email to or, you will receive a response stating if your setup is working correctly. If you have a Gmail account, you can send an email to that account and look at the message details, similar to the picture below; you should see signed-by “your domain” if your setup was done correctly.

DKIM signed mail in google
