Introduction
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails, a technique often used in phishing and email spam. DKIM allows an organization to claim responsibility for a message in a way that can be validated by the recipient. OpenDKIM is an open-source implementation of the DKIM specification that is widely used to add this layer of security to email systems.
This guide will walk you through the steps of installing and configuring OpenDKIM on an Ubuntu server. We will cover the installation process, configuration details, integration with the Postfix mail server, and testing to ensure everything is set up correctly.
Prerequisites
Before we begin, ensure that you have the following:
- An Ubuntu server (20.04 LTS or later).
- Root or sudo access to the server.
- A domain name and control over DNS settings.
- Postfix installed and configured on your server.
Step 1: Update System Packages
Start by updating the package lists on your Ubuntu server to ensure you have the latest versions available.
$ sudo apt update
$ sudo apt upgrade -y
Step 2: Install OpenDKIM and Related Packages
Next, install OpenDKIM and its dependencies using the following command:
$ sudo apt install opendkim opendkim-tools -y
Step 3: Configure OpenDKIM
Create OpenDKIM Configuration Directory
Create a directory for OpenDKIM configuration and key files.
$ sudo mkdir /etc/opendkim
$ sudo mkdir /etc/opendkim/keys
Configure OpenDKIM
Open the main configuration file for OpenDKIM.
$ sudo nano /etc/opendkim.conf
Add the following configuration settings to the file:
Syslog yes
UMask 002
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:12345@localhost
PidFile /var/run/opendkim/opendkim.pid
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Configure Trusted Hosts
Edit the TrustedHosts file to include your local network and mail server.
$ sudo nano /etc/opendkim/TrustedHosts
Add the following lines:
127.0.0.1
localhost
192.168.0.1/24 # Replace with your local network
*.yourdomain.com # Replace with your domain
Configure Key Table
Edit the KeyTable file to specify the location of your DKIM keys.
$ sudo nano /etc/opendkim/KeyTable
Add the following line (replace yourdomain.com with your actual domain name):
mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/opendkim/keys/yourdomain.com/mail.private
Configure Signing Table
Edit the SigningTable file to define which domains should be signed.
$ sudo nano /etc/opendkim/SigningTable
Add the following line:
*@yourdomain.com mail._domainkey.yourdomain.com
Step 4: Generate DKIM Keys
Navigate to the keys directory and create a directory for your domain.
$ cd /etc/opendkim/keys
$ sudo mkdir yourdomain.com
$ cd yourdomain.com
Generate a new DKIM key pair using the following command:
$ sudo opendkim-genkey -s mail -d yourdomain.com
$ sudo chown opendkim:opendkim mail.private
This will generate two files:
- mail.private: The private key used by OpenDKIM to sign outgoing messages.
- mail.txt: The public key that will be added to your DNS records.
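A consistency check for the files created in Steps 3 and 4, as an added example that is not part of the original guide: it confirms that every key name in SigningTable is defined in KeyTable, and that each private key exists and is closed to group and others. The function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original guide); function names are illustrative.
# Usage: check_dkim_tables /etc/opendkim/SigningTable /etc/opendkim/KeyTable
# Prints one line per finding; returns 0 only if every check passes.

# Print a table file without comments and blank lines.
table_rows() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

check_dkim_tables() {
    signing=$1 keytable=$2 rc=0

    # 1. Every key name used in SigningTable must be defined in KeyTable.
    for name in $(table_rows "$signing" | awk '{print $2}' | sort -u); do
        if ! table_rows "$keytable" | awk -v n="$name" '$1 == n {f=1} END {exit !f}'; then
            echo "MISSING: SigningTable refers to $name, not defined in KeyTable"
            rc=1
        fi
    done

    # 2. Every KeyTable value must be domain:selector:path, and the key file
    #    must exist with no permissions for group or others.
    while read -r name value; do
        [ -n "$name" ] || continue
        case $value in
            *:*:*) ;;
            *) echo "MALFORMED: $name -> $value"; rc=1; continue ;;
        esac
        domain=${value%%:*}; rest=${value#*:}
        selector=${rest%%:*}; path=${rest#*:}
        if [ ! -f "$path" ]; then
            echo "NOKEY: $path does not exist"; rc=1
        elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "PERMS: $path is accessible to group or others"; rc=1
        else
            echo "OK: $name -> DNS TXT $selector._domainkey.$domain, key $path"
        fi
    done <<EOF
$(table_rows "$keytable")
EOF
    return $rc
}
```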
Step 5: Add DKIM Public Key to DNS
Open the mail.txt file and copy its contents.
$ cat mail.txt
You will see something like this:
mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmt+8iyK2xwLth..."
Log in to your DNS provider and create a new TXT record with the following details:
- Name: mail._domainkey
- Type: TXT
- Value: (Paste the content from the mail.txt file)
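mail.txt is written in zone-file syntax, where a long key is split across several quoted strings. The added example below, which is not part of the original guide, joins those strings, extracts the p= value, estimates the RSA key size from its prefix, and compares the local record with what DNS returns. The function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original guide); function names are illustrative.

# Read a DKIM TXT record on stdin, either in zone-file form (mail.txt) or as
# printed by `dig +short TXT`, join its quoted strings and print the p= value.
dkim_p_value() {
    grep -o '"[^"]*"' | tr -d '"\n' | tr ';' '\n' |
        sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# Estimate the RSA key size from the base64 prefix of the DER-encoded public
# key. Heuristic: the prefixes below assume the usual public exponent 65537.
dkim_rsa_bits() {
    case $1 in
        MIGfMA0G*) echo 1024 ;;   # RFC 8301 minimum; 2048 is recommended
        MIIBIjAN*) echo 2048 ;;
        MIICIjAN*) echo 4096 ;;
        *)         echo unknown ;;
    esac
}

# Succeed only if mail.txt ($1) and the DNS answer text ($2) carry the same key.
dkim_dns_matches() {
    local_p=$(dkim_p_value < "$1")
    dns_p=$(printf '%s\n' "$2" | dkim_p_value)
    [ -n "$local_p" ] && [ "$local_p" = "$dns_p" ]
}

# Typical use once the record is published (requires dig):
#   answer=$(dig +short TXT mail._domainkey.yourdomain.com)
#   dkim_dns_matches mail.txt "$answer" && echo "DNS serves the local key"
#   dkim_rsa_bits "$(dkim_p_value < mail.txt)"
```

The sample value shown above begins with MIGfMA0G, the prefix of a 1024-bit key; opendkim-genkey accepts -b 2048 to request a larger one. opendkim-testkey -d yourdomain.com -s mail -vvv, shipped in opendkim-tools, performs the live DNS lookup and key comparison itself.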
Step 6: Configure Postfix to Use OpenDKIM
Edit the Postfix main configuration file to integrate OpenDKIM.
$ sudo nano /etc/postfix/main.cf
Add the following lines at the end of the file:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
Save and close the file.
Step 7: Start and Enable OpenDKIM
Start the OpenDKIM service and enable it to start on boot.
$ sudo systemctl start opendkim
$ sudo systemctl enable opendkim
Restart Postfix to apply the changes.
$ sudo systemctl restart postfix
Step 8: Test Your Configuration
Send a Test Email
Send a test email to an external email address (e.g., Gmail or Yahoo) to check if DKIM signing is working.
Check Email Headers
After receiving the test email, check the email headers for the DKIM-Signature header. This header indicates that the email has been signed by OpenDKIM.
Verify DKIM Signature
Use an online DKIM verification tool (e.g., DKIMCore, MXToolbox) to verify the DKIM signature. Enter the selector (mail) and your domain (yourdomain.com) to check if the public key is correctly configured in your DNS.
Troubleshooting
Check OpenDKIM Logs
If you encounter issues, check the OpenDKIM logs for error messages.
$ sudo journalctl -u opendkim
Ensure Correct Permissions
Ensure that the opendkim user has the correct permissions for the key files.
$ sudo chown -R opendkim:opendkim /etc/opendkim/keys
Validate DNS Configuration
Double-check your DNS records to ensure the DKIM public key is correctly added.
Restart Services
If changes are made to the configuration files, restart the OpenDKIM and Postfix services.
$ sudo systemctl restart opendkim
$ sudo systemctl restart postfix
Conclusion
Setting up DKIM with OpenDKIM on an Ubuntu server enhances your email security by verifying the authenticity of your emails. By following the steps outlined in this guide, you can successfully install, configure, and integrate OpenDKIM with your Postfix mail server. Regularly monitor and update your DKIM keys and DNS records to maintain a secure email environment.