Mail Server : Set DKIM

 

Configure DKIM (DomainKeys Identified Mail) signing and verification for Postfix using the OpenDKIM milter.

To publish the generated public key you need write access to the authoritative DNS zone for your mail domain (the zone in which the `_domainkey` TXT record will live).

[1]Install and configure OpenDKIM.
# install from EPEL, CRB

[root@mail ~]# 
dnf --enablerepo=epel,crb -y install opendkim opendkim-tools
# create a directory for the domain you configure DKIM for

[root@mail ~]# 
mkdir /etc/opendkim/keys/srv.world
# generate a key pair
# -b (key size in bits) ⇒ use 2048; the opendkim-genkey default is 1024 bits, which is only the
#    RFC 8301 minimum (the sample output further below was produced with that 1024-bit default,
#    so with -b 2048 your files and the p= value will be longer)
# -D (directory in which to store keys)
# -d (domain name)
# -s (selector name) ⇒ any name you like; it becomes part of the DNS record name, so a date
#    makes later key rotation easy (new selector + new record, then retire the old one)

[root@mail ~]# 
opendkim-genkey -b 2048 -D /etc/opendkim/keys/srv.world -d srv.world -s $(date "+%Y%m%d")

[root@mail ~]# 
chown -R opendkim:opendkim /etc/opendkim/keys/srv.world

[root@mail ~]# 
ll /etc/opendkim/keys/srv.world

total 8
-rw-------. 1 opendkim opendkim 916 Jul 17 09:45 20240717.private
-rw-------. 1 opendkim opendkim 315 Jul 17 09:45 20240717.txt

[root@mail ~]# 
vi /etc/opendkim.conf
# line 39 : change
# Mode : s = sign
# Mode : v = verify
Mode    sv

# line 92, 99 : comment out
#Selector    default
#KeyFile    /etc/opendkim/keys/default.private

# line 104, 109, 113, 116 : uncomment
KeyTable    /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts
InternalHosts    refile:/etc/opendkim/TrustedHosts

[root@mail ~]# 
vi /etc/opendkim/KeyTable
# add to last line
#
# (selector name)._domainkey.(domain name) (domain name):(selector name):(Private Key Path)
#
# the private key path must point at the file generated above, i.e. under
# /etc/opendkim/keys/(domain name)/ — a wrong path means OpenDKIM cannot load the key and
# outgoing mail silently goes out unsigned
# if you are handling multiple domains, enter them in the same way

20240717._domainkey.srv.world srv.world:20240717:/etc/opendkim/keys/srv.world/20240717.private

[root@mail ~]# 
vi /etc/opendkim/SigningTable
# add to last line
#
# *@(domain name) (selector name)._domainkey.(domain name)
#
# if you are handling multiple domains, enter them in the same way

*@srv.world 20240717._domainkey.srv.world

[root@mail ~]# 
vi /etc/opendkim/TrustedHosts
# this file is used for both InternalHosts (mail from these hosts is signed with your domain key)
# and ExternalIgnoreList (DKIM signatures on mail from these hosts are not verified), so list
# only mail submission hosts you control — do not add a whole LAN range unless every host on it
# is allowed to send mail as your domain
127.0.0.1
::1
#host.example.com
#192.168.1.0/24

[root@mail ~]# 
systemctl enable --now opendkim

[2]Configure Postfix.
[root@mail ~]# 
vi /etc/postfix/main.cf
# add to last line
# milter_default_action = accept keeps mail flowing when OpenDKIM is down or unreachable, at the
# cost of that mail leaving unsigned and arriving unverified; set it to tempfail if you would
# rather defer mail than send it unsigned
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# give the postfix daemons group access to the OpenDKIM unix socket

[root@mail ~]# 
usermod -aG opendkim postfix

[root@mail ~]# 
systemctl reload postfix

[3]Verify the public key for the DNS server registration.
# public key contents

[root@mail ~]# 
cat /etc/opendkim/keys/srv.world/20240717.txt

20240717._domainkey     IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB" )  ; ----- DKIM key 20240717 for srv.world

# for the zone file, collapse the record onto one line and drop the parentheses and the trailing
# comment; the adjacent quoted strings that remain are valid zone syntax (BIND concatenates them)

[root@mail ~]# 
sed "s/^\t *//g" /etc/opendkim/keys/srv.world/20240717.txt | sed -z "s/\\n//g" | sed "s/( //g" | cut -d')' -f1

20240717._domainkey     IN      TXT     "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB"
[4]Register the public key on the DNS server.
It will use the example of registering to a BIND zone file.
root@dns:~# 
vi /var/named/srv.world.wan
.....
.....
# add to last line, and also increment the SOA serial so that secondary servers pick up the change
20240717._domainkey     IN      TXT     "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB"

root@dns:~# 
rndc reload
[5]Check on the mail server side.
[root@mail ~]# 
dig 20240717._domainkey.srv.world. txt
.....
.....

# if the response matches what you registered, that's OK
;; ANSWER SECTION:
20240717._domainkey.srv.world. 86400 IN TXT     "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB"

.....
.....

[root@mail ~]# 
opendkim-testkey -d srv.world -s 20240717 -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20240717._domainkey.srv.world'
opendkim-testkey: key not secure
opendkim-testkey: key OK
# [key OK] means the published record matches the private key configured in KeyTable
# * [key not secure] only means the DNS answer was not DNSSEC-validated; it is not a key error
[6]

Finally, send a message to a Gmail address and look at the received message's headers (for example via "Show original"): if they show [DKIM: 'PASS' (Domain: srv.world)], signing and the DNS record are working. Note that a DKIM signature only lets receivers verify mail you sign; it does not by itself tell them to reject unsigned mail claiming to be from your domain — publish SPF and a DMARC policy for that.
