Introduction to DKIM
You're wondering how DKIM works? DKIM (DomainKeys Identified Mail) is a method to verify that a message's content is trustworthy, meaning that it has not been altered since it left the originating mail server. This additional layer of trust is achieved with a standard public/private key signing process: the domain owner publishes the public DKIM key in a DNS entry, which receivers use to verify that a message's DKIM signature is correct, while on the sender's side the server signs the eligible outgoing messages with the corresponding private key:
when sending an outgoing message, the last server within the domain's infrastructure checks its internal settings to see whether the domain used in the "From:" header is listed in its signing table; if it is not, the signing process stops here.
a new header, "DKIM-Signature", is added to the mail message; it carries a signature computed over the message content with the private part of the key.
from here on, the message's main content cannot be modified, otherwise the DKIM header will no longer match.
upon reception, the receiving server makes a DNS TXT query for the selector and domain named in the DKIM-Signature field to retrieve the public key.
the result of the DKIM header check can then be used when deciding whether a message is fraudulent or trustworthy.
It works similarly to an SSL certificate: within the server configuration a private key is generated and used to sign all outgoing emails, while the public key is published in the domain's DNS zone as a TXT record so that receivers can verify the signature.
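What "the content cannot be modified" means in practice is decided by the canonicalization rules that the OpenDKIM configuration later selects (relaxed/simple): the verifier rebuilds the body hash (bh=) and the signed header block before checking the signature, so any change to the body breaks the check, while a header not covered by h= does not. The following Python example, added here and not part of the original guide, implements the RFC 6376 canonicalization rules and the bh= computation with the standard library only; the sample headers and body are constructed, and the RSA signature over the resulting string is left out (that step needs a crypto library), so d=yourdomain.com and s=mail in the reconstructed DKIM-Signature value are simply the domain and selector this guide configures.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the page). Headers are (name, raw value) pairs in
# wire order; the body uses CRLF line endings as it would on the wire.
SAMPLE_HEADERS = [
    ("From", " Alice <alice@yourdomain.com>"),
    ("To", " bob@example.net"),
    ("Subject", "  Quarterly   report  "),
]
SAMPLE_BODY = "Hello Bob,  \r\n\r\nThe figures are attached.\r\n\r\n\r\n"


def simple_body(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): drop empty lines at the end of the
    body and terminate it with exactly one CRLF (an empty body becomes a lone CRLF)."""
    return re.sub(r"(\r\n)*$", "", body) + "\r\n"


def relaxed_body(body):
    """'relaxed' body canonicalization (RFC 6376 3.4.4): collapse runs of spaces/tabs to one
    space, strip trailing whitespace on every line, drop trailing empty lines, then end with
    one CRLF (an empty body stays empty)."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    body = re.sub(r"(\r\n)*$", "", "\r\n".join(lines))
    return body + "\r\n" if body else ""


def relaxed_header(name, value):
    """'relaxed' header canonicalization (RFC 6376 3.4.2): lowercase the field name, unfold
    continuation lines, collapse whitespace runs, strip whitespace around the value."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def canon_header(name, value, mode):
    """'simple' header canonicalization leaves the field exactly as it was."""
    return relaxed_header(name, value) if mode == "relaxed" else f"{name}:{value}\r\n"


def body_hash(body, canon="simple"):
    """The bh= tag of DKIM-Signature: base64(SHA-256(canonicalized body))."""
    canon_body = simple_body(body) if canon == "simple" else relaxed_body(body)
    return base64.b64encode(hashlib.sha256(canon_body.encode()).digest()).decode()


def signing_input(headers, body, h_tags=("from", "to", "subject"), canon="relaxed/simple"):
    """Reproduce the byte string the signer hands to the private key (and the verifier
    rebuilds before checking b=): the headers listed in h=, canonicalized in that order,
    followed by the DKIM-Signature header itself with an empty b= value and no trailing
    CRLF. The body is covered only through bh=, which is why the body must stay intact
    while headers not listed in h= (Received:, List-Id:, ...) may be added in transit."""
    hdr_canon, body_canon = canon.split("/")
    bh = body_hash(body, body_canon)
    # Signers pick header instances from the bottom of the header block; the dict keeps
    # the last (bottom-most) occurrence of each name.
    lookup = {name.lower(): (name, value) for name, value in headers}
    parts = [canon_header(*lookup[tag], hdr_canon) for tag in h_tags if tag in lookup]
    # d= and s= are the domain and selector this guide configures (yourdomain.com / mail).
    dkim_value = (f" v=1; a=rsa-sha256; c={canon}; d=yourdomain.com; s=mail; "
                  f"h={':'.join(h_tags)}; bh={bh}; b=")
    parts.append(canon_header("DKIM-Signature", dkim_value, hdr_canon).rstrip("\r\n"))
    return "".join(parts)


def body_tampered(original_body, received_body, canon="simple"):
    """A verifier's first check: does the received body still hash to the signed bh=?"""
    return body_hash(original_body, canon) != body_hash(received_body, canon)


if __name__ == "__main__":
    print("bh (relaxed):", body_hash(SAMPLE_BODY, "relaxed"))
    print(signing_input(SAMPLE_HEADERS, SAMPLE_BODY))
    altered = SAMPLE_BODY.replace("attached", "deleted")
    print("tampered:", body_tampered(SAMPLE_BODY, altered, "relaxed"))
```

Running the block shows that extra blank lines at the end of the body do not change bh= (both canonicalizations drop them), while a one-word change inside the body does; the printed signing input is what an RSA-SHA256 signature would be computed over.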
This guide was prepared on Ubuntu 22.04 with Postfix already installed.
However, it should also work on other Ubuntu versions.
1. Start by updating your system
We can do this by running the update and upgrade commands below:
sudo apt update
sudo apt upgrade
2. Install OpenDKIM and related packages
To install OpenDKIM and its dependencies, use the following command:
sudo apt install opendkim opendkim-tools -y
3. Configure OpenDKIM
Create a directory for OpenDKIM configuration and key files:
sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
If the directory already exists, you will receive the message:
mkdir: cannot create directory ‘/etc/opendkim’: File exists
Now, open the main configuration file for OpenDKIM:
sudo nano /etc/opendkim.conf
Add the following lines to the file:
Syslog yes
UMask 002
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:12345@localhost
PidFile /var/run/opendkim/opendkim.pid
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
To save the changes, press CTRL + O, Enter, then CTRL + X.
Edit the TrustedHosts file to include your local network and mail server:
sudo nano /etc/opendkim/TrustedHosts
We need to add the following lines:
127.0.0.1
localhost
191.000.0.1/24 #Replace with your local network
*.yourdomain.com #Replace with your domain
Edit the KeyTable file to specify the location of your DKIM keys:
sudo nano /etc/opendkim/KeyTable
Add the following line (replace yourdomain.com with your actual domain name):
mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/opendkim/keys/yourdomain.com/mail.private
Edit the SigningTable file to define which domains should be signed.
sudo nano /etc/opendkim/SigningTable
Add the following line:
*@yourdomain.com mail._domainkey.yourdomain.com
4. Generating DKIM keys
Navigate to the keys directory and create a directory for your domain:
cd /etc/opendkim/keys
sudo mkdir yourdomain.com
cd yourdomain.com
Generate a new DKIM key pair with the command:
sudo opendkim-genkey -s mail -d yourdomain.com
sudo chown opendkim:opendkim mail.private
It should generate two files:
mail.private: the private key used to sign outgoing messages.
mail.txt: the public key that will be added to your DNS records.
Here is how the record looks in our DNS management system (the TXT record name is mail._domainkey.yourdomain.com and its value is the content of mail.txt):
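Added example (not from the original guide): the mail.txt file is a BIND-style zone fragment, with the value split across several quoted strings, while most DNS control panels want a record name and one flat TXT value. This Python helper flattens it, parses the tag=value pairs and runs the checks that matter before publishing. The mail.txt content below is constructed, and its p= value is the base64 of a placeholder string rather than a real key.

```python
import base64
import re

# Constructed stand-in for /etc/opendkim/keys/yourdomain.com/mail.txt as opendkim-genkey
# writes it. The p= value is NOT a real key: it is the base64 of a placeholder string, split
# across two quoted strings the way the generator splits long keys.
FAKE_P = base64.b64encode(b"constructed placeholder, not a real RSA public key").decode()
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'\t  "p={FAKE_P[:24]}"\n'
    f'\t  "{FAKE_P[24:]}" )  ; ----- DKIM key mail for yourdomain.com\n'
)


def parse_genkey_txt(text, domain):
    """Turn the BIND-style fragment into what a DNS control panel asks for: the record
    name (selector._domainkey.domain) and one TXT value, plus the parsed tag=value pairs."""
    m = re.match(r"\s*(\S+)\s+IN\s+TXT", text)
    if not m:
        raise ValueError("not an 'IN TXT' zone fragment")
    label = m.group(1)                                   # e.g. mail._domainkey
    value = "".join(re.findall(r'"([^"]*)"', text))      # join the quoted strings
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    # A single TXT character-string holds at most 255 octets; panels that do not split
    # long values themselves need the value entered as these chunks.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return {"name": f"{label}.{domain}", "value": value, "tags": tags, "chunks": chunks}


def check_record(rec):
    """Checks worth doing before publishing; returns a list of problems (empty is good)."""
    tags, problems = rec["tags"], []
    if "._domainkey." not in rec["name"]:
        problems.append(f"record name {rec['name']} lacks the _domainkey label")
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type k={tags.get('k')}")
    for alg in tags.get("h", "sha256").split(":"):
        if alg not in ("sha1", "sha256"):
            problems.append(f"unknown hash algorithm in h=: {alg}")
    p = tags.get("p", "")
    if not p:
        problems.append("p= is empty (receivers treat an empty p= as a revoked key)")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:   # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    rec = parse_genkey_txt(SAMPLE_MAIL_TXT, "yourdomain.com")
    print("Name :", rec["name"])
    print("Value:", rec["value"])
    print("Problems:", check_record(rec) or "none")
```

On a real host, replace SAMPLE_MAIL_TXT with the content of mail.txt and paste the printed name and value into the DNS panel; for a 2048-bit key the value exceeds 255 characters, so use the "chunks" list where the panel requires one string per chunk.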
5. Configuring Postfix to use OpenDKIM
Edit the Postfix main configuration file to integrate OpenDKIM:
sudo nano /etc/postfix/main.cf
Add the following lines at the file's end:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
Save and close with CTRL + O, Enter, then CTRL + X.
6. Starting and enabling OpenDKIM
Start the OpenDKIM service and enable it to start on boot:
sudo systemctl start opendkim
sudo systemctl enable opendkim
Restart Postfix to apply the changes:
sudo systemctl restart postfix
That's it. The installation is complete.
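Before sending a test message, it is worth cross-checking the four files this guide edits against each other, since a typo in any of them (a SigningTable selector that does not exist in the KeyTable, a Socket port that differs from the Postfix milter setting, a Mode without "s") silently produces unsigned mail. The following Python checker is an added example, not part of the original guide or of OpenDKIM; the file contents it inspects are embedded as constructed copies of the values shown above rather than read from /etc, and its parsers are simplified (one entry per line, "#" comments) relative to what OpenDKIM's own dataset parser accepts.

```python
import re

# Constructed copies of the four files this guide edits; they mirror the values shown in
# the steps above, not a live host.
SAMPLE_OPENDKIM_CONF = """\
Syslog yes
UMask 002
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:12345@localhost
PidFile /var/run/opendkim/opendkim.pid
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
"""
SAMPLE_KEYTABLE = ("mail._domainkey.yourdomain.com "
                   "yourdomain.com:mail:/etc/opendkim/keys/yourdomain.com/mail.private\n")
SAMPLE_SIGNINGTABLE = "*@yourdomain.com mail._domainkey.yourdomain.com\n"
SAMPLE_MAIN_CF = """\
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
"""


def _lines(text):
    """Non-empty lines with '#' comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_columns(text):
    """opendkim.conf, KeyTable and SigningTable all use 'first-column rest-of-line'."""
    table = {}
    for line in _lines(text):
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def parse_main_cf(text):
    """Postfix main.cf uses 'key = value'."""
    conf = {}
    for line in _lines(text):
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def opendkim_socket(spec):
    """OpenDKIM writes the listener as inet:PORT[@HOST]; no host means every address."""
    if not spec.startswith("inet:"):
        return None
    port, _, host = spec[5:].partition("@")
    return (host or "*", port)


def postfix_milter(spec):
    """Postfix writes a milter endpoint as inet:HOST:PORT."""
    if not spec.startswith("inet:"):
        return None
    host, _, port = spec[5:].rpartition(":")
    return (host, port)


def check_setup(opendkim_conf, keytable, signingtable, main_cf):
    """Cross-check the four files; returns a list of problems (empty means consistent)."""
    conf, keys = parse_columns(opendkim_conf), parse_columns(keytable)
    signing, postfix = parse_columns(signingtable), parse_main_cf(main_cf)
    problems = []

    if "s" not in conf.get("Mode", ""):
        problems.append("Mode has no 's': OpenDKIM will verify but never sign outgoing mail")
    canon = conf.get("Canonicalization", "simple/simple").split("/")
    if len(canon) > 2 or any(c not in ("simple", "relaxed") for c in canon):
        problems.append(f"Canonicalization '{'/'.join(canon)}' is not simple|relaxed[/simple|relaxed]")
    if not conf.get("UserID"):
        problems.append("UserID is not set")

    for pattern, keyname in signing.items():
        if keyname not in keys:
            problems.append(f"SigningTable maps '{pattern}' to '{keyname}', which is not in KeyTable")
    for keyname, value in keys.items():
        fields = value.split(":")
        if len(fields) != 3 or not all(fields):
            problems.append(f"KeyTable entry '{keyname}' must be domain:selector:/path/to/key")
        elif not fields[2].startswith("/"):
            problems.append(f"KeyTable entry '{keyname}': key path '{fields[2]}' is not absolute")

    listen = opendkim_socket(conf.get("Socket", ""))
    for setting in ("smtpd_milters", "non_smtpd_milters"):
        targets = [postfix_milter(t) for t in re.split(r"[,\s]+", postfix.get(setting, "")) if t]
        hit = listen and any(t and t[1] == listen[1] and listen[0] in ("*", t[0]) for t in targets)
        if not hit:
            problems.append(f"Postfix {setting} = '{postfix.get(setting, '')}' does not reach "
                            f"OpenDKIM Socket '{conf.get('Socket', '')}'")
    return problems


if __name__ == "__main__":
    found = check_setup(SAMPLE_OPENDKIM_CONF, SAMPLE_KEYTABLE, SAMPLE_SIGNINGTABLE, SAMPLE_MAIN_CF)
    print("\n".join(found) or "configuration is consistent")
```

To run it against a real installation, read the four files from /etc/opendkim.conf, /etc/opendkim/KeyTable, /etc/opendkim/SigningTable and /etc/postfix/main.cf and pass their contents to check_setup; an empty result means the signing path is wired together, after which a message to an external mailbox that shows "dkim=pass" in its Authentication-Results header confirms the DNS side.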