DKIM (DomainKeys Identified Mail) with Postfix on Ubuntu

Aug 21, 2018 06:46


Originally published at Moishe Beshkin. You can comment here or there.

Google's mail system repeatedly put mail from my domain into spam. I found that certain steps had to be taken to fix this problem. The most important and most effective solution was to sign outgoing e-mails with a DKIM signature.

Installation

$ sudo apt-get install opendkim opendkim-tools

Setup
Opendkim configuration

In file /etc/opendkim.conf add the following lines:

Domain domain.com
KeyFile /etc/postfix/dkim.key
Selector dkim
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable

In file /etc/default/opendkim add the following lines:

RUNDIR=/var/run/opendkim
SOCKET=inet:8891@localhost
In file /etc/systemd/system/multi-user.target.wants/opendkim.service

ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost
File /etc/opendkim/KeyTable

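dkim._domainkey.domain.com domain.com:dkim:/etc/opendkim/keys/domain.com/default

The value has the form domain:selector:keypath. The selector (dkim) must be the same one the key is generated with and the DNS record is published under.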
File /etc/opendkim/SigningTable

*@domain.com dkim._domainkey.domain.com
File /etc/opendkim/TrustedHosts

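127.0.0.1
domain.com

Key creation

$ opendkim-genkey -t -s dkim -d domain.com
$ sudo mkdir -p /etc/opendkim/keys/domain.com
$ sudo mv dkim.private /etc/opendkim/keys/domain.com/default
$ sudo chown opendkim:opendkim /etc/opendkim/keys/domain.com/default

Postfix configuration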

Configure postfix. In /etc/postfix/main.cf write the following:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Restart services

$ sudo service opendkim restart
$ sudo service postfix restart
Note: Replace domain.com with your domain name.
DNS entry

opendkim-genkey generated the file dkim.txt, which contains the DNS record. Copy the text starting with “v=DKIM1;” up to the last double quote. You can omit “h=sha256; k=rsa; t=y;” as they are default.

In your DNS management system, add the following TXT entry:

TXT dkim._domainkey.domain.com - [the copied line]

After this you will be able to dig the value:

$ dig dkim._domainkey.domain.com txt
After these steps, you will see the opendkim daemon running on port 8891, and Postfix will ask it for signatures. In my case Gmail accepts all my e-mails.
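
A consistency check for the tables above, as an added example that is not part of the original post: it resolves a sender through SigningTable and KeyTable to the DNS name a verifier will query and compares it with the name of the published TXT record. The function names dkim_dns_name and dkim_check are hypothetical, the sample tables are constructed, and SigningTable matching is simplified to a "*" wildcard on the full address with the first match winning.

```shell
#!/bin/sh
# Print the DNS name a verifier will query for mail from SENDER.
# usage: dkim_dns_name SENDER SIGNING_TABLE KEY_TABLE
# Simplified model (assumption): "*" wildcard on the full address, first match wins.
dkim_dns_name() {
    sender=$1 keyname=
    # SigningTable line: "pattern keyname"
    while read -r pattern name extra; do
        case $pattern in ''|'#'*) continue ;; esac
        # the unquoted $pattern is matched as a glob
        case $sender in $pattern) keyname=$name; break ;; esac
    done < "$2"
    [ -n "$keyname" ] || return 1
    # KeyTable line: "keyname domain:selector:keypath"
    while read -r name value extra; do
        [ "$name" = "$keyname" ] || continue
        domain=${value%%:*}
        rest=${value#*:}
        printf '%s._domainkey.%s\n' "${rest%%:*}" "$domain"
        return 0
    done < "$3"
    return 1
}

# usage: dkim_check SENDER PUBLISHED_TXT_NAME SIGNING_TABLE KEY_TABLE
# Returns 0 on agreement, 1 on a selector/domain mismatch, 2 if no key applies.
dkim_check() {
    queried=$(dkim_dns_name "$1" "$3" "$4") || { echo "no signing key for $1"; return 2; }
    if [ "$queried" = "$2" ]; then
        echo "OK: $queried"
    else
        echo "MISMATCH: signatures point to $queried, TXT record is at $2"
        return 1
    fi
}

# Constructed sample tables (domain.com is the post's placeholder domain).
demo=$(mktemp -d)
key=/etc/opendkim/keys/domain.com/default
printf '%s\n' '*@domain.com dkim._domainkey.domain.com' > "$demo/SigningTable"
printf '%s\n' "dkim._domainkey.domain.com domain.com:dkim:$key" > "$demo/KeyTable.good"
printf '%s\n' "dkim._domainkey.domain.com domain.com:default:$key" > "$demo/KeyTable.bad"

dkim_check user@domain.com dkim._domainkey.domain.com "$demo/SigningTable" "$demo/KeyTable.good" || true
dkim_check user@domain.com dkim._domainkey.domain.com "$demo/SigningTable" "$demo/KeyTable.bad" || true
```

On a real host, pass /etc/opendkim/SigningTable and /etc/opendkim/KeyTable instead of the sample files.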
