DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing. It gives receiving mail exchangers a way to check that incoming mail claiming to come from a domain was authorized by that domain's administrators and that the message (including attachments) has not been modified in transit. A digital signature included with the message is validated by the recipient using the signer's public key, which is published in the DNS. In technical terms, DKIM cryptographically authenticates the association between a domain name and a message.

We use OpenDKIM for signing our outgoing mails and for verifying incoming mails. OpenDKIM is a mail filter (a "milter") for Postfix.

Installation

OpenDKIM is in the Ubuntu software package repository:

$ sudo aptitude install opendkim opendkim-tools

The package installs …

  • The system user and group opendkim

  • The configuration files /etc/opendkim.conf and /etc/default/opendkim

  • The system service opendkim in the /etc/init.d directory

  • A runtime directory /var/run/opendkim/ for the PID file and UNIX socket.

  • Various binaries and tools in /usr/bin:
    • opendkim

    • opendkim-atpszone

    • opendkim-genkey

    • opendkim-genzone

    • opendkim-spam

    • opendkim-stats

    • opendkim-testadsp

    • opendkim-testkey

    • opendkim-testmsg

Configuration

Allow Access for Postfix

To allow our Postfix MTA to talk to OpenDKIM, the user Postfix runs as needs access to some OpenDKIM files, in particular the UNIX socket used to connect to OpenDKIM. This is done by adding the postfix user to the opendkim group:

$ sudo usermod -a -G opendkim postfix

Create Signing Keys

Mails sent out through our mail server are signed with 1024-bit RSA keys, so receiving mail servers can verify that they were sent by us and that nobody has tampered with them along the way.

To create those RSA keys, use the opendkim-genkey tool:

$ opendkim-genkey --directory=/etc/mail --selector=${HOSTNAME} --testmode

This writes the private key to /etc/mail/${HOSTNAME}.private and the matching DNS TXT record to /etc/mail/${HOSTNAME}.txt; --testmode adds the t=y flag to that record, which tells verifiers that the domain is still testing DKIM.

Configuration File

Configuration is in the file /etc/opendkim.conf and is described in the manpage opendkim.conf(5).

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			002

# Sign for example.net with key in /etc/mail/dkim.key using
# selector 'mail' (e.g. mail._domainkey.example.net)
Domain			example.net
KeyFile			/etc/mail/dkim.key
Selector		mail

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization	simple
#Mode			sv
#SubDomains		no
#ADSPAction            continue

# Always oversign From (sign using the actual From and a null From) to prevent
# malicious addition of header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders		From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)

#ATPSDomains		example.net
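What a receiving MX actually checks for the "not modified in transit" property described in the introduction, and what the Canonicalization option above controls, as an added example in Python (not code from this page or from the OpenDKIM project): the body is canonicalized per RFC 6376, hashed into the bh= tag of DKIM-Signature, and the verifier recomputes that hash. The sample body and the d=example.net / s=mail signature header are constructed here; the b= RSA signature over the headers is left out because it needs the private key and the DNS record.

```python
import base64
import hashlib
import re

# Constructed sample body: double space and trailing tab on line 2, empty lines at the end.
SAMPLE_BODY = b"Hello team,\r\nmeeting at  10am \t\r\n\r\n\r\n"

def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    """RFC 6376 body canonicalization: 'simple' only drops trailing empty lines,
    'relaxed' also trims and collapses whitespace so harmless MTA rewrapping
    does not invalidate the hash."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization: {method}")
    lines = body.replace(b"\r\n", b"\n").split(b"\n")  # tolerate bare LF
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end
        lines.pop()
    if not lines:  # empty body: simple yields a lone CRLF, relaxed nothing
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, method: str = "simple", alg: str = "sha256") -> str:
    """The base64 'bh=' value the signer places in DKIM-Signature."""
    digest = hashlib.new(alg, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_tags(header_value: str) -> dict:
    """Parse 'tag=value; tag=value'; whitespace inside values (header folding
    included) is discarded, as RFC 6376 requires for bh= and b=."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Receiver-side check of bh= only; verifying b= additionally needs the DNS key."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")  # header/body methods
    body_method = canon[1] if len(canon) > 1 else "simple"
    alg = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return tags.get("bh") == body_hash(body, body_method, alg)

def demo_signature(method: str) -> str:
    """Signer side: a constructed DKIM-Signature for SAMPLE_BODY, b= omitted."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{method}; d=example.net; s=mail; "
            f"h=from:to:subject; bh={body_hash(SAMPLE_BODY, method)}")
```

With c=relaxed/relaxed a relay that collapses the double space and strips the trailing tab still leaves bh= valid, whereas with c=relaxed/simple the same rewrite fails the check; a change to the actual text fails under both.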