Server administration Setting Up a Mail Server from Scratch – Part 5: OpenDKIM Configuration

Thread starter: D•Jass
OpenDKIM Configuration

OpenDKIM is used to sign outgoing emails using a DKIM key, improving deliverability and sender reputation.

5.0. Obtaining a DKIM Key (Choose ONE method)

Method A: Generate a New Key

If you don't have a DKIM key yet, generate one:

mkdir -p /etc/postfix/dkim
cd /etc/postfix/dkim

# Generate the key (selector: mail, domain: example.com)
opendkim-genkey -b 2048 -s mail -d example.com

# Set correct permissions (the private key must be readable by opendkim only)
chown opendkim:opendkim mail.private
chmod 600 mail.private

# Show the public DNS record
cat /etc/postfix/dkim/mail.txt

The file contains the public key as a TXT record; publish it in your DNS zone
under the name mail._domainkey.example.com.

Method B: Use an Existing Private Key

If you received a DKIM private key from a hosting provider:

mkdir -p /etc/postfix/dkim
cp /path/to/your/provided.private /etc/postfix/dkim/mail.private
chown opendkim:opendkim /etc/postfix/dkim/mail.private
chmod 600 /etc/postfix/dkim/mail.private

Make sure the associated DNS record for the public key is already in place.

5.1. Configure /etc/opendkim.conf

This is the main configuration file for OpenDKIM. The Domain/KeyFile/Selector lines describe the single-key case; once KeyTable and SigningTable are set, those tables decide which key signs which mail, and RequireSafeKeys makes OpenDKIM refuse any private key that is readable by group or others (which is why the key was set to mode 600 above):

Syslog yes
LogWhy yes

UMask 007
UserID opendkim:opendkim
PidFile /run/opendkim/opendkim.pid
Canonicalization relaxed/simple

Domain example.com
KeyFile /etc/postfix/dkim/mail.private
Selector mail

Socket inet:8891@127.0.0.1

KeyTable refile:/etc/opendkim/keytable
SigningTable refile:/etc/opendkim/signingtable

ExternalIgnoreList refile:/etc/opendkim/trusted.hosts
InternalHosts refile:/etc/opendkim/trusted.hosts

RequireSafeKeys yes

5.2. Create /etc/opendkim/keytable

This file maps a key name to its signing domain, selector and private key file (the domain becomes the d= tag of the signature, the selector the s= tag):
mail._domainkey.example.com example.com:mail:/etc/postfix/dkim/mail.private

5.3. Create /etc/opendkim/signingtable

Defines which sender addresses/domains should be signed with which key (the right-hand side must be a key name from the keytable):
*@example.com mail._domainkey.example.com
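A small consistency check for the keytable/signingtable pair from 5.2 and 5.3 and for the key-file permission rule behind RequireSafeKeys in 5.1. This is an added example, not part of the original post; the table contents are constructed inline to mirror the post, and the name check follows the post's convention of naming each key after its DNS record.

```python
import os
import stat

# Constructed table contents mirroring sections 5.2 and 5.3 of the post.
KEYTABLE = "mail._domainkey.example.com example.com:mail:/etc/postfix/dkim/mail.private\n"
SIGNINGTABLE = "*@example.com mail._domainkey.example.com\n"


def parse_keytable(text):
    """Map key name -> (domain, selector, keyfile); skips blank and # lines."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.strip().split(":", 2)
        keys[name] = (domain, selector, keyfile)
    return keys


def parse_signingtable(text):
    """Return [(sender pattern, key name)] in file order."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, keyname = line.split(None, 1)
            pairs.append((pattern, keyname.strip()))
    return pairs


def check_tables(keytable, signingtable):
    """Return a list of problems; an empty list means the tables agree."""
    problems = []
    keys = parse_keytable(keytable)
    for pattern, keyname in parse_signingtable(signingtable):
        if keyname not in keys:
            problems.append(f"{pattern} -> {keyname}: not defined in KeyTable")
            continue
        domain, selector, _keyfile = keys[keyname]
        # The signature's d= comes from the KeyTable domain; for DMARC
        # alignment it should match the domain of the addresses the pattern covers.
        if pattern.rsplit("@", 1)[-1] != domain:
            problems.append(f"{pattern}: will be signed with d={domain}")
        # The post names keys after their DNS record; flag a name that drifted.
        if keyname != f"{selector}._domainkey.{domain}":
            problems.append(f"{keyname}: name differs from {selector}._domainkey.{domain}")
    return problems


def key_mode_is_safe(mode):
    """RequireSafeKeys rejects keys that group or others can read or write."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def key_file_is_safe(path):
    """Stat a real key file, e.g. /etc/postfix/dkim/mail.private."""
    return key_mode_is_safe(os.stat(path).st_mode)


if __name__ == "__main__":
    print(check_tables(KEYTABLE, SIGNINGTABLE) or "tables consistent")
```

Run it against the real files by reading /etc/opendkim/keytable and /etc/opendkim/signingtable into the two parameters.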

5.4. Create /etc/opendkim/trusted.hosts

Hosts listed here are treated as internal: mail they submit is signed instead of verified, and their Authentication-Results headers are trusted (usually just localhost):

127.0.0.1
::1
localhost

Add internal IP ranges if needed, but only for hosts whose mail you are willing to sign as example.com:

192.168.0.0/24

5.5. Ensure OpenDKIM Runtime Directory Exists

mkdir -p /run/opendkim
chown opendkim:opendkim /run/opendkim

5.6. Restart OpenDKIM

systemctl restart opendkim

Check that it is listening on 127.0.0.1:8891 (the Socket address from 5.1):
ss -lntp | grep 8891

You can also check the logs (LogWhy yes makes OpenDKIM explain why a message was or was not signed):

journalctl -u opendkim