Update! RPMs and Yum now available.
I now build and maintain pre-built RPM packages of OpenDKIM for RHEL/CentOS and Fedora, which are available with Yum. For a much quicker and easier way to install OpenDKIM, read this.
Or, if you still prefer to go old-skool and compile your own binaries from source, or if you’re building on a non-RedHat system, the following instructions will still work fine… they just require more effort. If you want to build your own RPMs, you can also download SRPMs for OpenDKIM.
Build Your Own OpenDKIM Binaries
If you’d like to get DKIM working on an RHEL or CentOS box running Postfix, here’s how to do it (I’ve also verified these same steps work on a Fedora box). I had previously used dkimproxy, and had unsuccessfully tried dkim-milter before making the switch to OpenDKIM. Both other methods may work for some, but OpenDKIM is the most current and the easiest way to get DKIM working, so that’s what I recommend now.
For more information about DKIM and why you want to be running it on your mail server, check out http://www.dkim.org/. Now, on with the show!
Before you start
This tutorial assumes the following:
- You are running a “modern” RedHat-compatible Linux distro (RHEL 5, CentOS 5, Fedora, etc). I was running CentOS 5.5 when I did this.
- You are running Postfix 2.3.3 or better (do postconf -d mail_version to check).
- Your Postfix configuration is currently working (this is very important – you don’t want to troubleshoot two programs at once).
- Sendmail is turned off (do service sendmail status to verify).
- The necessary commands in this tutorial are done as root. If you don’t know what that means, then you probably shouldn’t be doing this. You may be able to get away with just using sudo, but I wanted to make sure I didn’t run into any path issues, so I do it as root.
Of course, these steps will probably work with slightly earlier or slightly later versions of RHEL/CentOS and/or Postfix, but those are the versions I used to get DKIM working (update: I now run Postfix 2.8 on a few of my servers just fine with this setup).
Download and install OpenDKIM
Go to http://www.opendkim.org/ and hit the Download link to download the software. Save it to /usr/local/src on your server. For this HowTo, I used OpenDKIM version 2.4.2, which was released on August 6, 2011.
You’ll also need to install the OpenSSL and Sendmail development packages, because they contain some secret herbs and spices (otherwise known as “libraries”) you need to get OpenDKIM working. Do:
yum install sendmail-devel openssl-devel
Extract, configure, compile, and install OpenDKIM with:
tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install
Note that the ./configure command includes a few very important flags, which will be passed into the startup script that’s created when the configure command runs. The first tells the system where OpenDKIM’s conf file will be located, the second sets the preferred prefix for some other important file locations, and the final one controls the directory where the PID file for OpenDKIM will be stored. If none of this makes any sense to you, that’s ok – just be sure to use those flags when you run configure, since they are the settings used throughout this tutorial.
Also, it’s important to note that the make install command must be performed as root (or using sudo), since it needs to install files in the /usr/local/bin directory.
Create a new user and home directory
Add a group and a user for DKIM called opendkim with the following options (useradd -g expects the group to exist already, which is why the group is created first):
groupadd -r opendkim
useradd -r -g opendkim -G mail -s /sbin/nologin -d /var/run/opendkim -c "OpenDKIM" opendkim
These commands will:
- create a new system group called opendkim,
- create a new system account (-r) called opendkim with opendkim as its primary group (-g),
- set the home directory (-d) of the new user to /var/run/opendkim,
- also add opendkim to the mail group (-G),
- assign no shell access to this user (-s), and
- set the account comment to “OpenDKIM” (-c).
useradd does not create a home directory for a system account unless you also pass -m, so create the directory now and make sure it is owned by the new user and accessible only to it (OpenDKIM writes its PID file there, per the PidFile setting used below):
mkdir -p /var/run/opendkim
chown opendkim:opendkim /var/run/opendkim
then:
chmod 700 /var/run/opendkim
Create working directories
Make some new directories for OpenDKIM and give them the proper ownership and permissions with:
mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-wrx /etc/opendkim/keys
Copy the startup script to /etc/init.d/
Starting with version 2.3.0, OpenDKIM’s source package includes a contrib directory that contains a custom init script (written by yours truly) for use with all RedHat-compatible systems, including Fedora and CentOS. You can copy it to your /etc/init.d/ directory to make starting, stopping, restarting, and reloading OpenDKIM easy. Just do:
cp /usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim /etc/init.d/
Now set the correct permissions for the init script with:
chmod 755 /etc/init.d/opendkim
Generate keys for signing
Now you’re getting to the good part. You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away from prying eyes on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail. If you’re hard-core, you can build the keys manually. Or, you can use the fancy script included with OpenDKIM to do it for you. I’ve manually generated enough keys in my life and have nothing to prove, so I use the script.
Before running this script, decide now what the name of your selector is going to be. A selector is a unique keyword that is associated with both keys (public and private), included in all the signatures, and published in your DNS records. For simplicity, I use the word default as my default selector. Not very creative, but it’s effective. Feel free to choose something different, but if you do, you’ll need to use it consistently throughout your setup. Also, while this should go without saying, you should use your mail domain instead of example.com throughout the following steps.
Create your keys with:
mkdir /etc/opendkim/keys/example.com
/usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim/keys/example.com
mv /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/example.com/default
You can do a man opendkim-genkey if you’re interested in what additional options are available when creating your keys. In this example, I used the -D (directory) option, the -d (domain) option, and the -s (selector) option. That’s all you need to get this going.
Edit configuration files
You’re getting really close now. You need to create or edit four files:
- /etc/opendkim.conf – OpenDKIM’s main configuration file
- /etc/opendkim/KeyTable – a list of keys available for signing
- /etc/opendkim/SigningTable - a list of domains and accounts allowed to sign
- /etc/opendkim/TrustedHosts – a list of servers to “trust” when signing or verifying
Use your favorite text editor to create an /etc/opendkim.conf file that looks like this:
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
You can do man opendkim.conf for more information on each of the options.
Next, you’ll need to create the three text files referenced in your config file. First, using your favorite text editor, create an /etc/opendkim/KeyTable file that looks like this:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
The KeyTable file tells OpenDKIM where to find your keys. Each KeyTable entry occupies exactly one line, so all of the text in the example above goes on a single line in your file. If you’re going to use multiple keys (to sign mail for virtual domains with different keys, for example), add a separate line to the KeyTable file for each domain.
Next, create an /etc/opendkim/SigningTable file that looks like this:
*@example.com default._domainkey.example.com
The SigningTable file tells OpenDKIM how to use your keys, as in which senders should use which selectors for their signatures. In the above example, I’m saying that everyone (*) sending mail from the server “example.com” should use the selector named “default.” It’s important to note that the * wildcard symbol will only work if the SigningTable option uses the refile: prefix before the filename (see the opendkim.conf documentation for more details).
Now create an /etc/opendkim/TrustedHosts file that looks like this:
127.0.0.1
hostname1.example1.com
hostname2.example1.com
example1.com
hostname1.example2.com
hostname2.example2.com
example2.com
The TrustedHosts file tells OpenDKIM who to let use your keys. Because it’s referenced by the ExternalIgnoreList directive in your conf file, OpenDKIM will ignore this list of hosts when verifying incoming mail. And, because it’s also referenced by the InternalHosts directive, this same list of hosts will be considered “internal,” and OpenDKIM will sign their outgoing mail.
IMPORTANT: Make sure you list the IP address for localhost (127.0.0.1) in the TrustedHosts file or OpenDKIM won’t sign mail sent from this server. If you have multiple servers on the same network that relay mail through this server and you want to sign their mail as well, they must be listed in the TrustedHosts file. Put each entry on its own line. An entry can be a hostname, domain name (e.g. “example.com”), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. “192.168.1.0/24″).
It should also go without saying (but I’ll say it anyway) that if you’re planning to sign outgoing mail for remote hosts, your Postfix should have been previously configured to allow relaying for those hosts, as “explained” here… although, when referring to Postfix’s programmer-centric documentation, I generally use the term “explain” very loosely.
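As an added example (not part of the original HowTo and not code from the OpenDKIM project), the following shell functions generate the KeyTable and SigningTable lines for any number of domains in the layout used above and then check the result. The configuration directory comes from a DKIM_ETC variable (default /etc/opendkim) so you can try it in a scratch directory first; each domain’s key is assumed to live at $DKIM_ETC/keys/<domain>/<selector>, as in the opendkim-genkey step, and the function names are ours. The checker flags the things that most often stop signing: a KeyTable line without the three domain:selector:path fields, a private key missing at the path named, a private key that group or other can read, and a SigningTable entry pointing at a key name that is not in KeyTable.

```sh
#!/bin/sh
# Added example, not from the original HowTo: build and check OpenDKIM's
# KeyTable and SigningTable for one or more domains.
# Assumptions: keys live at $DKIM_ETC/keys/<domain>/<selector> (the layout
# used in the HowTo); DKIM_ETC defaults to /etc/opendkim. Function names are ours.

DKIM_ETC="${DKIM_ETC:-/etc/opendkim}"

# add_signing_domain DOMAIN [SELECTOR]
# Appends one KeyTable line and one SigningTable line for DOMAIN. Existing
# entries are left alone, so running it twice does not duplicate lines.
add_signing_domain() {
    domain=$1
    selector=${2:-default}
    keyname="${selector}._domainkey.${domain}"
    keyfile="$DKIM_ETC/keys/$domain/$selector"
    mkdir -p "$DKIM_ETC/keys/$domain"
    touch "$DKIM_ETC/KeyTable" "$DKIM_ETC/SigningTable"
    if ! grep -q "^$keyname " "$DKIM_ETC/KeyTable"; then
        # KeyTable format: <key name> <domain>:<selector>:<path to private key>, one per line
        printf '%s %s:%s:%s\n' "$keyname" "$domain" "$selector" "$keyfile" >> "$DKIM_ETC/KeyTable"
    fi
    if ! grep -q "^\*@$domain " "$DKIM_ETC/SigningTable"; then
        # SigningTable format: <sender pattern> <key name>; the wildcard needs refile: in opendkim.conf
        printf '*@%s %s\n' "$domain" "$keyname" >> "$DKIM_ETC/SigningTable"
    fi
}

# check_opendkim_tables
# Prints one line per problem and returns 1 if it found any, 0 otherwise.
check_opendkim_tables() {
    rc=0
    [ -f "$DKIM_ETC/KeyTable" ] || { echo "$DKIM_ETC/KeyTable does not exist"; return 1; }
    [ -f "$DKIM_ETC/SigningTable" ] || { echo "$DKIM_ETC/SigningTable does not exist"; return 1; }
    while read -r keyname spec; do
        [ -z "$keyname" ] && continue
        case "$keyname" in \#*) continue ;; esac
        domain=${spec%%:*}                 # text before the first colon
        rest=${spec#*:}                    # text after the first colon
        selector=${rest%%:*}
        keyfile=${rest#*:}
        if [ "$spec" = "$domain" ] || [ "$rest" = "$selector" ]; then
            echo "KeyTable: $keyname: expected domain:selector:path, got '$spec'"
            rc=1
            continue
        fi
        if [ ! -f "$keyfile" ]; then
            echo "KeyTable: $keyname: private key $keyfile does not exist"
            rc=1
            continue
        fi
        # -perm -040 = group-readable, -perm -004 = world-readable
        if [ -n "$(find "$keyfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "KeyTable: $keyname: $keyfile is readable by group or other; chmod 600 it"
            rc=1
        fi
    done < "$DKIM_ETC/KeyTable"
    while read -r sender keyname; do
        [ -z "$sender" ] && continue
        case "$sender" in \#*) continue ;; esac
        if ! grep -q "^$keyname " "$DKIM_ETC/KeyTable"; then
            echo "SigningTable: $sender uses key $keyname, which is not in KeyTable"
            rc=1
        fi
    done < "$DKIM_ETC/SigningTable"
    return $rc
}

# Example use once this file is sourced (as root on the real server):
#   add_signing_domain example.com default && check_opendkim_tables
```

Run the checker after every change to the tables, and again after generating a key with opendkim-genkey: a key that OpenDKIM cannot open, or one that any other local account can read, is the kind of mistake that only shows up later as unsigned mail.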
Edit your Postfix configuration
Now you’re ready to add the following lines to your Postfix main.cf file, which will make Postfix aware of OpenDKIM and allow it to sign and verify mail:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
If you’re running a version of Postfix prior to 2.6, you may also need to add:
milter_protocol = 2
See http://www.postfix.org/MILTER_README.html#version for more info.
Start OpenDKIM and restart Postfix
It’s time to fire things up! Assuming you’re using bash, do:
hash -r
to rehash your shell so you can find the init script.
Now start OpenDKIM with:
service opendkim start
You should get a message that says:
Starting OpenDKIM Milter: [ OK ]
However, if you get an error message such as:
Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 6: unrecognized parameter
don’t freak out. You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this HowTo. Then try starting up OpenDKIM again.
Once it starts, refresh Postfix with:
postfix reload
If everything looks good, I recommend running chkconfig on OpenDKIM to make sure it starts when you boot your server:
chkconfig --level 2345 opendkim on
If things didn’t go right, try some of these startup troubleshooting tips before moving on.
Startup troubleshooting tips
Tip 1: The best advice I can give when troubleshooting any mail issues (including OpenDKIM) is to start a second shell session in another window and do:
tail -f /var/log/maillog
while you’re starting, stopping, and/or restarting OpenDKIM and Postfix. This allows you to see more details about any errors in your configuration.
Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn’t getting signed and you want to know why, this should tell you.
Tip 3: If you can’t get things working on your own, I recommend subscribing to the OpenDKIM-Users discussion list at http://lists.opendkim.org/. It’s a low-traffic list with very helpful and friendly members (including me!) who are happy to nudge you in the right direction.
Adding DNS Records
Now that your mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed. Do:
cat /etc/opendkim/keys/example.com/default.txt
The output should look something like this:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com
If you manage your own DNS or have full access to your domain’s zone file, you’ll need to paste the entire contents of the default.txt file at the bottom of your domain’s zone file. If you’re using a web interface to manage your zone file, be careful that the long lines of the public key don’t wrap and create line-feed characters (or fix them if they do). Otherwise, your public key won’t work.
If you’re using GoDaddy’s Total DNS, the TXT Name would be default._domainkey and the TXT Value would be everything inside the quotes (starting with v=). You can ignore the semi-colon and comments at the end.
If you’re using some other third-party DNS provider, follow their instructions for adding a new TXT Record.
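The wrapped-line problem above is easy to check for mechanically. The script below is an added example (not from the original HowTo or from OpenDKIM): it pulls the record value out of a default.txt file the way a DNS editor needs it, then verifies that the p= tag is clean base64 that decodes to a DER public key. SAMPLE_TXT is the record shown above; the function names are ours. It goes a little beyond the HowTo in one respect: newer opendkim-genkey versions write long keys as several quoted strings (sometimes on several lines), and since DNS concatenates those strings the function joins them the same way.

```sh
#!/bin/sh
# Added example, not from the original HowTo: extract the TXT value from an
# opendkim-genkey default.txt file and sanity-check the public key before
# (or after) it goes into DNS. Needs only sh, sed, tr, base64 and od.
# SAMPLE_TXT is the record shown in the HowTo; the function names are ours.

SAMPLE_TXT='default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com'

# dkim_txt_value [FILE]
# Prints the record value with the quotes removed, reading FILE or stdin.
# Newer opendkim-genkey versions write long keys as several quoted strings,
# possibly across lines; DNS concatenates those, so the pieces are joined here.
dkim_txt_value() {
    sed -n 's/[^"]*"\([^"]*\)"[^"]*/\1/gp' ${1:+"$1"} | tr -d '\n'
}

# dkim_check_pubkey VALUE
# Returns 0 and prints the key size if VALUE is a usable DKIM1 RSA record;
# otherwise prints what is wrong and returns 1. The whitespace and length
# checks catch the line-feed-from-a-wrapped-paste problem described above.
dkim_check_pubkey() {
    # fold any line breaks or tabs into spaces so they show up inside p=
    value=$(printf '%s' "$1" | tr '\n\r\t' '   ')
    case "$value" in
        v=DKIM1*) ;;
        *) echo "record must start with v=DKIM1"; return 1 ;;
    esac
    p=$(printf '%s' "$value" | sed -n 's/.*[; ]p=\([^;]*\).*/\1/p')
    if [ -z "$p" ]; then
        echo "missing or empty p= tag"; return 1
    fi
    case "$p" in
        *[!A-Za-z0-9+/=]*) echo "p= contains whitespace or other non-base64 characters"; return 1 ;;
    esac
    if [ $(( ${#p} % 4 )) -ne 0 ]; then
        echo "p= length is not a multiple of 4; the key looks truncated"; return 1
    fi
    # A DER SubjectPublicKeyInfo starts with a SEQUENCE tag (0x30)
    der=$(printf '%s' "$p" | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$der" in
        30*) ;;
        *) echo "p= does not decode to a DER public key"; return 1 ;;
    esac
    echo "ok: $(( ${#der} / 2 )) byte public key"
    return 0
}

# Stand-alone run: check the HowTo's sample record, or the file named as $1.
if [ -n "${1:-}" ]; then
    value=$(dkim_txt_value "$1")
else
    value=$(printf '%s\n' "$SAMPLE_TXT" | dkim_txt_value)
fi
printf 'TXT value: %s\n' "$value"
dkim_check_pubkey "$value"
```

After the record is published, the same check can be run on what DNS actually returns (for example on the output of dig +short TXT default._domainkey.example.com, after stripping the quotes), which is the quickest way to spot a web editor that wrapped or trimmed the key.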
You should also add another TXT Record to your zone file that reads:
_adsp._domainkey.example.com IN TXT "dkim=unknown"
This record publishes your Author Domain Signing Practices. “Unknown” is the least strict setting, and the best place to start. You can learn more and tinker with other options later, but most people just use “Unknown” for now, since ADSP is relatively new (as of the writing of this post).
And, as long as you’re messing with your domain’s zone file, now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.
Testing Things Out
As I mentioned in my troubleshooting tips, the best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file. Do a:
tail -f /var/log/maillog
When OpenDKIM starts (or restarts), you should see lines like:
opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)
When you send a mail that gets successfully signed, you should see:
opendkim[22254]: 53D0314803B: DKIM-Signature header added
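When a server handles more than a handful of messages, reading maillog by eye gets old quickly. The script below is an added example (not from the original HowTo or from OpenDKIM) that reduces a maillog to one line per message OpenDKIM touched, so unsigned outgoing mail stands out with its reason. The log lines in SAMPLE_LOG are constructed for the example, modelled on the “DKIM-Signature header added” line above and on the “no signing table match”, “no signature data added” and “not internal” messages mentioned in the troubleshooting tips and comments; the function is ours and assumes the default syslog layout of “opendkim[PID]: QUEUEID: message”.

```sh
#!/bin/sh
# Added example, not from the original HowTo: summarise from maillog what
# OpenDKIM did with each message, so unsigned outgoing mail stands out.
# SAMPLE_LOG is constructed for this example, modelled on the log lines shown
# in the HowTo and its comments; the function is ours and assumes the default
# syslog layout "opendkim[PID]: QUEUEID: message".

SAMPLE_LOG=$(cat <<'EOF'
Mar  5 13:58:06 mx postfix/pickup[14521]: B4C4948B8033: uid=48 from=<apache@example.com>
Mar  5 13:58:06 mx opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
Mar  5 13:58:07 mx opendkim[23216]: C1A2348B8034: no signing table match for 'alex@example.net'
Mar  5 13:58:07 mx opendkim[23216]: C1A2348B8034: no signature data added
Mar  5 13:58:09 mx opendkim[23216]: D9F0148B8035: not internal
Mar  5 13:58:09 mx opendkim[23216]: D9F0148B8035: DKIM verification successful
Mar  5 13:58:11 mx opendkim[23216]: E00B248B8036: DKIM-Signature header added (s=default, d=example.com)
Mar  5 13:58:12 mx postfix/qmgr[14528]: E00B248B8036: removed
EOF
)

# dkim_log_summary [FILE]
# Reads maillog lines from FILE or stdin and prints one line per queue id
# that OpenDKIM mentioned: "<id> signed d=<domain>", "<id> verified" or
# "<id> not signed: <reason>". Returns 1 if any message was left unsigned.
dkim_log_summary() {
    awk '
    /opendkim\[[0-9]+\]: [0-9A-Za-z]+: / {
        rest = $0
        sub(/.*opendkim\[[0-9]+\]: /, "", rest)   # -> "QUEUEID: message"
        qid = rest; sub(/:.*/, "", qid)
        msg = rest; sub(/^[0-9A-Za-z]+: /, "", msg)
        if (!(qid in seen)) { seen[qid] = 1; order[++n] = qid }
        if (msg ~ /^DKIM-Signature header added/) {
            d = msg; sub(/.*d=/, "", d); sub(/[),].*/, "", d)
            status[qid] = "signed d=" d
        } else if (msg ~ /^DKIM verification successful/) {
            status[qid] = "verified"
        } else if (msg ~ /^no signing table match/ || msg ~ /^not internal/) {
            if (!(qid in reason)) reason[qid] = msg   # remember the first cause
        } else if (msg ~ /^no signature data added/ && !(qid in status)) {
            status[qid] = "not signed: " ((qid in reason) ? reason[qid] : msg)
        }
    }
    END {
        bad = 0
        for (k = 1; k <= n; k++) {
            q = order[k]
            s = (q in status) ? status[q] : ((q in reason) ? "not signed: " reason[q] : "unknown")
            if (s ~ /^not signed/) bad = 1
            print q, s
        }
        exit bad
    }' ${1:+"$1"}
}

# Example use: dkim_log_summary /var/log/maillog, or pipe a tail -f into it.
```

A “not signed: not internal” line for your own outgoing mail points at the TrustedHosts list (the submitting host is not in it), and “no signing table match” points at the SigningTable (the sender’s domain, including any subdomain, does not match a pattern there); both are the two most common reasons a correctly started OpenDKIM still produces unsigned mail.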
The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services. My favorites are:
- Brandon Checketts Email Validator
- Send a signed email to: autorespond+dkim@dk.elandsys.com
- Send a signed email to: sa-test@sendmail.net
- Send a signed email to: check-auth@verifier.port25.com
- (you can put all of the test email addresses in the To: field of a single outgoing message to test)
Each of these will tell you if things are working properly, and give you some pointers on troubleshooting if needed.
If you have a Gmail account, you can also send a signed message there for a quick and easy test. Here’s what a signed message in Gmail will look like:
The signed by: line tells you that the message has been verified as signed by the sender (you may need to press the show details link near the top of the message to see it). I like to click the Show Original link (under the Reply drop-down on the right) to see the signed headers in all their glory.
Further reading
I have to admit that there wasn’t a whole lot of publicly available information on getting OpenDKIM working with Postfix. Hopefully, this HowTo will make it easier for you than it was for me.
- DKIM.org – the official site for DomainKeys Identified Mail
- OpenDKIM Project Site – the program I used to get DKIM working
- Sendmail DKIM – a detailed article from Eland Systems about DKIM. They use the dkim-milter package, upon which OpenDKIM is based. I much prefer the newer OpenDKIM, but this article explains DKIM very well and has some good tips.
- Mail-DKIM and DKIM-proxy – my first experiments with DKIM were with these tools. I never got it working quite right, but there’s lots of good info there.
- OpenSPF.org – not technically related to DKIM, but it’s another spam-fighting technique that you should be using if you’re sending email
Good luck! Please post in the comments with your successes, questions, or suggestions.
Upgrading OpenDKIM
If you’ve followed this guide to compile and install OpenDKIM, and would like to upgrade to a newer version, simply download the updated version (using the download link above), then repeat these steps, substituting the new version number for 2.4.2:
tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install
This will upgrade your OpenDKIM and keep your existing configuration intact. Remember to restart OpenDKIM after your upgrade with:
service opendkim restart
Do:
tail -f /var/log/maillog
to verify that the newer version started up with no problems.
Related posts:
- How to get DKIM and DomainKeys working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM and dk-milter
- Installing OpenDKIM RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora)
- DKIM Proxy Install on CentOS 5.4
- Building Postfix 2.8 on RHEL5 / CentOS 5 from Source
- Tips for installing Amavis-new, ClamAV, and SpamAssassin using Postfix on Fedora 12

Glad you got it working, Alex! I’ve updated the article to specifically state that all the text in the example should be on a single line. Thanks for the feedback!
Hi, I’ve successfully set up opendkim. Thanks for the guide, it helps a lot. I have a question: I have two domains, mail.example.com and mail2.example.com, both on different machines. I’ve created another mail server for sending bulk messages. I’ve set up everything, however I have an error in the full header view: multiple domain keys. I was wondering how I can use other default keys on another machine so that I will have one domain key on my domain server?
Hi Johnny, I used Zimbra; it works with no problem with protocol 2…. Make sure you upgrade your Zimbra to the new version.
How do I allow an external IP to be signed by our SMTP server?
If the server with the external IP shares the same domain, just add the IP to the InternalHosts file. If it’s a separate domain, then you’ll also have to create an additional set of keys and add the appropriate info for that domain to the KeyTable and SigningTable.
Hi Steve, thanks for the reply. Just to clarify: if I have one domain, example.com, and mail.example.com dedicated for sending mail, and all my web servers are sending email such as notifications, transactions, mailing lists, events, newsletters etc., do I need to create a separate DKIM for the web server? All servers are within the same IP range. All web servers are http://www.example.com. Ahhh, one more: sometimes we also send email through our office and it’s a different IP range and no domain. Should I create a new DKIM for our IP in our office?
DKIM signatures are associated with the domain, so you can use the same one for multiple subdomains!
But you can’t sign messages sent from a machine that has no domain. Again, DKIM is associated with a domain, so it needs one in order to verify on the receiving end.
Thanks Steve, guess I need to make a new subdomain for our office too…
Steve,
I have been trying to setup OpenDKIM on another server for a friend since you helped me via this tutorial successfully set it up on mine. Anyway, it went much smoother this time. All is working, however, it is not signing emails for alex@domain.com. The log says that there is no signing table match for ‘alex@domain.com’. I checked the signing table and I have “*@domain.com default._domainkey.domain.com” on one line and this is the only line. I also use default as my selector. I have been reading the opendkim mail list and I can’t seem to find the answer to my problem. According to the signing table information I can’t figure out why it will not sign for alex@domain.com if I clearly have *@domain.com. Anyway, I was hoping you could help.
Hi, Alex. Sorry to hear you’re having problems. Are you certain that the mail program (MTA) isn’t using a subdomain when sending? The domain address in the signing table needs to match the domain address in the Return-Path: header of your email.
I’m assuming that something like that must be the problem. I would bet that if you added a second line to your signing table that said: “alex@domain.com default._domainkey.domain.com” you’d still get the same error.
If you’re still having trouble, subscribe to the OpenDKIM-users mailing list and post the results of the test addresses (or Brandon’s test website). That can be very helpful in tracking down what’s wrong.
Steve, thanks for the quick reply and for pointing me in the right direction. Apparently, text case in the log is different than what is actually sending. The email was set up in the client like this: “alex@DomainName.com”. It sends email fine, however, DKIM doesn’t like the change in case and the log was coming back “no signing table match for alex@domainname.com”, and so I was not able to figure out the problem until I checked his mail client setup. Anyway, thanks for pointing me in the right direction. I really appreciate what you are doing here.
@Alex: Ah – yes, case does matter with OpenDKIM 2.2.2. However, the newer version of OpenDKIM (v2.3.0 – which is still in beta, so I’m waiting until it’s released to update the blog post) allows upper or lower case. Glad to hear you got it going!
Thank you!
This guide worked perfectly on my Plesk 10 / PostFix / Centos5 rig.
I love you!!!
Glad to hear it, Bhupinder. Much love back atcha.
Well, I don’t get this working. I have spent many hours getting opendkim to work with Plesk. I have two postfix profiles on Plesk (old config). For the one I want to get opendkim working on, I’ve removed the 10025/6/7 lines from master.cf (since those refer to Plesk filters) and put in the settings in main.cf. But the milter does not get applied; nothing in the log at all.
Are you sure I don’t have to get any setting modified in master.cf for this to work? The lines in master.cf are:
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:11027
127.0.0.1:11025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11027 before-queue
127.0.0.1:11026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:11027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025 -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:11025
only putting in the lines that put in the default domainkeys from plesk. (which does not get validated on brandonchecketts, saying wrong RSA, since diff public keys are present on both domains). the server hosts multiple domains on diff IP.
Hi, Pradeep. I have no experience with Plesk, and so I’m not going to be any help in trying to troubleshoot how it interacts with OpenDKIM. As far as a straightforward OpenDKIM install on Postfix, no – you don’t need to touch master.cf. If you’re still having trouble, I recommend joining the OpenDKIM-users mailing list at opendkim.org and presenting the issue there. There’s a very active group on that list (including the main developer) who will be happy to troubleshoot.
Further debugging in the logs with higher level, I got to know that a typo in the SigningTable file was hindering the email to match the email pattern. And later that the opendkim key file perms were restrictive. It now works with the separate postfix directory profile. Of course, I had to change all the plesk 10025/10026/10027 filters and spawns. No changes for opendkim were needed in master.cf, just like Steve wrote. I need to see if this is fine or I need to get domainkeys as well.
Good to hear! Forget about DomainKeys. They’re being phased out. DKIM is the replacement, and it’s all you need.
Hey,
This tutorial made my life easier and I really appreciate you taking the time to write it! +1 good Karma for you!
I’m breaking my head here.. all email get signed but I get the following error: Details: public key: unsupported version
Google results for this error show that your DNS records are probably incorrect. I’d triple-check those.
Hi Steve, can you please explain: when I verified my setup on opendkim I had this result.
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
I tried to send email to Yahoo and checked the full header. I got this in the Yahoo result:
Authentication-Results: mta1022.mail.sk1.yahoo.com from=ronald.com; domainkeys=neutral (no sig); from=auction.ph; dkim=permerror (future timestamp)
dkim=permerror?
If you Google “dkim=permerror (future timestamp)” you’ll see that this error is most likely a result of your server’s clock being incorrect. Install an NTP client and make sure you’re syncing daily.
If anyone here is using this to configure DKIM with Amazon SES (their email service), this guide works with the following addendum:
In the file “/etc/opendkim.conf” add:
OmitHeaders Message-Id,Date,Return-Path,Bounces-To
i’m getting the mail sitting in the postfix queue with the error
it sends if i take out the Postfix configuration
any ideas?
Hmm… even if OpenDKIM isn’t running, it will just log a warning and Postfix will still send. Is Postfix running properly otherwise?
Both postfix and OpenDKIM are running without errors; it’s just when I add the lines to postfix’s main.cf that the problem happens. Once I removed the code the mail was sent and the key was added to the email. Could it be to do with iptables?
if i comment out these lines the queue is processed.
@Paul: With those lines commented in your main.cf, I don’t see how the key could have been added to the mail, since Postfix wouldn’t know to pass mail through the milter. Is your software config identical to the one in the tutorial? RHEL/CentOS, Postfix, OpenDKIM? Are you also running Sendmail by chance (it should be off in this scenario)? Also, a brand new version of OpenDKIM (2.3.0) was released yesterday. I recommend downloading it and going back through the tutorial step-by-step.
Hello Steve, I was trying to follow the default configuration for OpenDKIM. I think the installation and configuration that I’ve made are all good, but it is not signing my outgoing email….
I checked everything twice, tail /var/log/maillog, does not show me errors, I’m not sure what is the problem now…
@Carlos: Your maillog should still give you some sort of message even if it doesn’t sign. Is there any output from opendkim in your log, such as “not internal” or “no signature data added”?
Hi Steve, I’ve already fixed it; it seems to be a problem with my selector, so I reinstalled again, and now it’s working…. Thank you for answering me.
By the way, nice theme.
Hi,
I’ have done everything like Your tutorial says. When i try to send email i get :
Mar 3 18:56:46 qwe postfix/smtpd[20993]: connect from unknown[127.0.0.1]
Mar 3 18:56:46 qwe postfix/smtpd[20993]: fatal: host/service localhost/20209 not found: No address associated with hostname
and no mail is sent ;/
when i change in postfix main.cf
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
to
smtpd_milters = inet:127.0.0.1:20209
non_smtpd_milters = inet:127.0.0.1:20209
mail is sent, but 2 dkim signatures are added like this:
Delivered-To: xxx@xxx.com
Received: by 10.204.55.15 with SMTP id s15cs11793bkg;
Thu, 3 Mar 2011 09:29:07 -0800 (PST)
Received: by 10.204.169.193 with SMTP id a1mr1809154bkz.11.1299173347444;
Thu, 03 Mar 2011 09:29:07 -0800 (PST)
Return-Path:
Received: from xxx.com (myhost.com [f.i.r.stip])
by mx.google.com with ESMTPS id 20si2102167faw.28.2011.03.03.09.29.06
(version=TLSv1/SSLv3 cipher=OTHER);
Thu, 03 Mar 2011 09:29:06 -0800 (PST)
Received-SPF: neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of apache@xxx.com) client-ip=f.i.r.stip;
Authentication-Results: mx.google.com; spf=neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of apache@xxx.com) smtp.mail=apache@xxx.com; dkim=neutral (bad format) header.i=@xxx.com
Received: from xxx.com (unknown [127.0.0.1])
by xxx.com (Postfix) with ESMTP id 6529748B803C
for ; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 6529748B803C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
s=default; t=1299177173;
bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
h=To:Subject:Message-Id:Date:From;
b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
+pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
Received: by xxx.com (Postfix, from userid 48)
id 4F18848B84A2; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 4F18848B84A2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
s=default; t=1299177173;
bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
h=To:Subject:Message-Id:Date:From;
b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
+pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
To: xxx@xxx.com
Subject: subject
Message-Id:
Date: Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
From: apache@xxx.com (Apache)
sample body
what can be the problem?
@michael: After chatting it over with my buddies on the OpenDKIM-Users mailing list, we agree that it looks like the message is somehow being passed to the filter twice before it gets sent out. Are you running multiple smtpd processes in your Postfix configuration?
A few ideas for you to try (from the developer of OpenDKIM himself):
1) Check your Postfix configuration to see if there’s some way the filter might hear about the same message twice.
2) Check your maillog to see how you might be able to distinguish the two instances. For example, if one is coming in over the localhost address while the other is coming in over some non-localhost address, you could add one or the other to the PeerList so that the filter simply ignores one of them outright.
3) Have the reinjection step change the From: so that there’s a hit in the SigningTable for one instance of the message but not the other.
@steve, thank you for your priceless help. After you pointed me in the direction that the filter hears about the message twice, I examined my maillog:
Mar 5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=
Mar 5 13:58:06 haha postfix/cleanup[14525]: B4C4948B8033: message-id=?
Mar 5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/qmgr[14528]: B4C4948B8033: from=, size=565, nrcpt=1 (queue active)
Mar 5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
Mar 5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: apache@example.com
Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: somebody@somewhere.com
Mar 5 13:58:06 haha postfix/cleanup[14525]: CE02B48B8032: message-id=
Mar 5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/qmgr[14528]: CE02B48B8032: from=, size=1157, nrcpt=1 (queue active)
Mar 5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)
The cleanup process was running twice, and every time opendkim added a signature, so I modified my pickup process with -o receive_override_options=no_milters
and it works like a charm!
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027 -o receive_override_options=no_milters
Again, big thanks to You and guys over mailing list for help. This tutorial rocks!
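The correlation done by hand in the maillog above (first queue ID, "queued as" to the reinjected queue ID, a signature on each hop) can be scripted. This is an added example, not code from the post or from any of the commenters; the log lines are constructed and modelled on the excerpt above, with placeholder addresses and queue IDs.

```python
"""Find messages that OpenDKIM signed more than once, from Postfix maillog lines.

Added example (not from the post or its commenters). It links queue IDs through
the "queued as <id>" token that the local smtp client logs when it hands a
message to a content filter's reinjection listener, then counts how many
"DKIM-Signature header added" events fall on the same chain.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog excerpt posted above: the first
# message is signed, reinjected through port 10027 and signed again; the
# second goes straight out and is signed once.
SAMPLE_LOG = """\
Mar 5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=<apache@example.com>
Mar 5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
Mar 5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
Mar 5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=<somebody@somewhere.com>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)
Mar 5 14:02:11 haha postfix/pickup[14521]: 1A2B3C4D5E6F: uid=48 from=<apache@example.com>
Mar 5 14:02:11 haha opendkim[23216]: 1A2B3C4D5E6F: DKIM-Signature header added (s=default, d=example.com)
Mar 5 14:02:12 haha postfix/smtp[14529]: 1A2B3C4D5E6F: to=<somebody@somewhere.com>, relay=mail.somewhere.com[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
"""

# syslog prefix, program[pid], then the Postfix queue ID and the rest of the event
LOG_LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ [\w/-]+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
SIGNED = re.compile(r"DKIM-Signature header added \(s=[^,]+, d=[^)]+\)")
REQUEUED = re.compile(r"queued as (?P<next>[0-9A-F]+)")


def parse_events(log_text):
    """Return (signatures per queue ID, queue ID -> queue ID it was requeued as)."""
    signed = defaultdict(int)
    next_of = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # no queue ID: connection lines, warnings, etc.
        qid, rest = m.group("qid"), m.group("rest")
        if SIGNED.search(rest):
            signed[qid] += 1
        r = REQUEUED.search(rest)
        if r:
            next_of[qid] = r.group("next")
    return signed, next_of


def message_chains(log_text):
    """Return {first queue ID: (queue IDs along the chain, signatures added in total)}."""
    signed, next_of = parse_events(log_text)
    requeued_ids = set(next_of.values())
    chains = {}
    for qid in list(signed) + list(next_of):
        if qid in requeued_ids or qid in chains:
            continue  # not the head of a chain, or already walked
        chain = [qid]
        while chain[-1] in next_of and next_of[chain[-1]] not in chain:
            chain.append(next_of[chain[-1]])
        chains[qid] = (chain, sum(signed.get(q, 0) for q in chain))
    return chains


def double_signed(log_text):
    """First-hop queue IDs of messages that received more than one DKIM-Signature."""
    return sorted(qid for qid, (_, n) in message_chains(log_text).items() if n > 1)


if __name__ == "__main__":
    for qid, (chain, n) in message_chains(SAMPLE_LOG).items():
        flag = "  <-- signed twice" if n > 1 else ""
        print(f"{' -> '.join(chain)}: {n} signature(s){flag}")
```

Run it against `grep -E 'opendkim|postfix/smtp' /var/log/maillog` output; any chain reported with two or more signatures points at a reinjection path that still runs the milter.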
You forgot to copy opendkim-genkey from /usr/local/src/opendkim to /usr/local/bin
cd /usr/local/sbin/
cp /usr/local/src/opendkim-2.3.0/opendkim-genkey /usr/local/sbin
opendkim-genkey -D /etc/mail/dkim/keys/test.com/ -d test.com -s default
Regards, from Argentina
Hi, Thierry. Manually copying opendkim-genkey to /usr/local/bin isn’t necessary. The make install command automatically places all the necessary opendkim-* files in that directory. If it didn’t on your system, verify that you used the right permissions (root) when you did the make install command, since by default /usr/local/bin is owned by root and writeable only by root.
Help Me. Problem starting opendkim
Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory
@Ruslan: I need a bit more info. What system? Did you follow these steps EXACTLY? Do “updatedb” and then “locate opendkim” – does it find it on your system anywhere?
Greatest ever blog post! Thanks a lot for such detailed information!!!
Worked like a charm
I had same issue trying to start OpenDKIM.
Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory
The following is my setup:
CentOS release 5.6 (Final)
Postfix 2.3.3
OpenDKIM 2.3.2
executing as root and SELinux = disabled.
OpenDKIM 2.2.2 installs and starts fine however.
Hi steve,
Good tutorial, but I have two problems:
1. I’ve installed dkim and dk-milter, but when I restart dk-milter I get this message:
chgrp: impossibile accedere a `inet:10035@localhost’: No such file or directory
chmod: impossibile accedere a `inet:10035@localhost’: No such file or directory
main.cf
smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209
non_smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209
dk-milter
PORT="inet:10035@localhost"
2. I must also use SpamAssassin, but when I insert this line in master.cf, emails come back with the message “service unavailable”:
smtp inet n - n - - smtpd -o content_filter=spamd
Help me please!
I think you need to find this line /etc/init.d/dk-milter:
if [[ ! -z $(echo $PORT |grep "local") && $RETVAL -eq 0 ]];
then change this to:
if [[ -z $(echo $PORT |grep "inet") && $RETVAL -eq 0 ]];
Hope it helps!!
I had the same error as Ruslan:
Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory
I have no clue how that happened since I definitely ran everything as root. I did fix the issue using this command.
cp /usr/local/src/opendkim-2.3.2/opendkim/opendkim /usr/sbin
Hi steve,
this is a very good and easy to understand tutorial.
I followed your tutorial and was able to install it, but I get the following error in the maillog when I try to send a mail.
May 27 01:59:01 sr postfix/cleanup[25854]: warning: connect to Milter service inet:127.0.0.1:20209: Connection refused
Thanks,
Neil
Excellent howto. Just a couple of quick notes:
ADSPAction doesn’t appear to work anymore. Looks like it should be ADSPDiscard (with “yes” or “no” as accepted parameters)
In my case, opendkim was adding a DKIM Signature header twice. Once when the email was initially received, and again after going through amavisd-new. Amavis wasn’t re-signing it, for some reason postfix signed it each time. Disabling Amavis as a content filter eliminated the problem, but now my outgoing mail doesn’t get scanned for viruses anymore.
Thanks for the heads up on the ADSPAction. I’ll check that.
Concerning amavisd-new, check the
127.0.0.1:10025 inet n - n - - smtpd
section in your master.cf. Add no_milters to the end of your -o receive_override_options line so that it looks like this:
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Then restart Postfix and Amavisd. That should solve your problem. I’ve added this tip to my Amavis-new tips blog post.
That worked perfectly, thank you.
Hi Steve,
If I add ADSPDiscard it gives an error:
ADSPDiscard Yes
Stopping OpenDKIM Milter: [ OK ]
Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter
I have a big problem too. I installed and configured opendkim on a server that hosts mail marketing software; when sending a newsletter the validation fails, with this message:
Signature verification failed, message May Have Been tampered with or corrupted
Validating Signature
result = fail
Details: Body Has Been Altered
Can you help me…
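"Body Has Been Altered" means the verifier recomputed the body hash and it did not match the bh= tag in the signature, which is what happens when something downstream of the signer (a footer added by mailing software, a re-encoding relay) changes the body. The check can be reproduced locally. This is an added example, not code from the post or from OpenDKIM: it implements the relaxed body canonicalization of RFC 6376 section 3.4.4 (the c=relaxed/relaxed setting seen in the headers earlier in this thread) with no l= length limit, recomputes bh=, and compares it with the tag in a DKIM-Signature value. The message bodies and the signature header are constructed; the b= value is a placeholder, since verifying the header signature needs the public key from DNS and is not covered here.

```python
"""Recompute a DKIM body hash (bh=) and compare it with the DKIM-Signature header.

Added example (not from the post or OpenDKIM). Relaxed body canonicalization
per RFC 6376 3.4.4, no l= tag. The header signature (b=) is not verified here.
"""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of WSP to one SP, strip trailing WSP on
    each line, drop empty lines at the end, end a non-empty body with CRLF."""
    lines = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t")
        lines.append(line)
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the bh= tag value."""
    digest = hashlib.new(algorithm, canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, folding whitespace removed."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash_matches(dkim_signature_value: str, body: bytes) -> bool:
    """True if bh= in the signature equals the hash of the body we actually have."""
    tags = signature_tags(dkim_signature_value)
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]  # rsa-sha256 -> sha256
    return tags.get("bh") == body_hash(body, algorithm)


# Constructed sample bodies.
ORIGINAL_BODY = b"Hello,\r\n\r\nThis is our newsletter.\r\n"
# Only whitespace differs: relaxed canonicalization tolerates this.
RESPACED_BODY = b"Hello,  \r\n\r\nThis is  our newsletter.\r\n\r\n"
# A footer appended after signing: this is the "Body Has Been Altered" case.
ALTERED_BODY = ORIGINAL_BODY + b"-- \r\nSent with ExampleMailer\r\n"
# Constructed DKIM-Signature value; b= is a placeholder, header signing is not shown.
SIGNED_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
                 f"bh={body_hash(ORIGINAL_BODY)}; h=From:To:Subject; b=PLACEHOLDER")


if __name__ == "__main__":
    print("bh=", body_hash(ORIGINAL_BODY))
    print("original matches:", body_hash_matches(SIGNED_HEADER, ORIGINAL_BODY))
    print("respaced matches:", body_hash_matches(SIGNED_HEADER, RESPACED_BODY))
    print("with footer matches:", body_hash_matches(SIGNED_HEADER, ALTERED_BODY))
```

To use it on a real bounce or a copy of a delivered message, pass the DKIM-Signature value and the raw body bytes after the blank line; a mismatch on a message that the sending host's own copy passes on isolates the alteration to the path after the signer.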
Hi Steve, thank you for this very great tutorials!! It really works!!
Hello Steve, I followed your steps (updated) and I get this messages: opendkim[1045]: can’t write pid to /var/run/opendkim/opendkim.pid: Permission denied
In /var/log/maillog
Any ideas?
Steve, nevermind, I just reinstalled everything and set the permission twice and it worked fine. Still, nice tutorial indeed.
Cool – glad to see you got it working. The permissions should be created properly on the useradd command, but I’ll add an extra step in there to manually set them just in case.
Any ideas on what could cause this?
dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
This happens every time I try to send mail from a telnet session on localhost. I have double checked permissions and everything and I still get that error.
Any insight would be appreciated.
Superb post, installed and working seamlessly
Thanks!
- Paul
Hi Steve,
Thanks for your nice article. I finished everything according to your instructions, but when I start OpenDKIM I get the log below:
Jul 13 11:06:45 relay opendkim[16642]: OpenDKIM Filter: Unable to create listening socket on conn inet:20209@localhost
Jul 13 11:06:45 relay opendkim[16642]: smfi_opensocket() failed
Jul 13 11:06:45 relay opendkim[10817]: exited with status 69, restarting
Jul 13 11:06:45 relay opendkim[16643]: OpenDKIM Filter: Unable to bind to port inet:20209@localhost: Address already in use
I’m using MailScanner 4.83. Is it a conflict with MailScanner, or can I change the OpenDKIM port? Please help…….
Thanks,
Raminda
I’m commenting on the 7 month old post from Raminda on July 13, 2011. I have been getting similar error messages.
Starting OpenDKIM Milter: opendkim: smfi_opensocket() failed
OpenDKIM Filter: Unable to bind to port inet:8891@localhost: Cannot assign requested address
OpenDKIM Filter: Unable to create listening socket on conn inet:8891@localhost
I have not figured out the true cause of my problem, but I have stumbled upon a workaround.
In /etc/opendkim.conf I changed …
Socket inet:8891@localhost
to …
Socket inet:8891@127.0.0.1
In /etc/mail/sendmail.mc I changed …
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')dnl
to …
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl
I can’t explain why this is a fix. I’m 7 months late to help Raminda but maybe another googler will find this helpful.
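Two comments in this thread trip over the same socket specification in different ways: the dk-milter init script tested `echo $PORT | grep "local"`, which matches "inet:10035@localhost" because "localhost" contains "local", so it tried to chgrp/chmod a network address as if it were a socket file; and "inet:8891@localhost" fails to bind with "Cannot assign requested address" when the name resolves to an address the host cannot bind (one common cause is a `localhost` entry that resolves to an address not configured on the loopback interface, which a literal 127.0.0.1 sidesteps). Added example, not code from the post, OpenDKIM or libmilter: the parser matches the type prefix instead of a substring, and the probe resolves a host name the way a listener would and reports which of its addresses can actually be bound. The bind probe is a diagnostic I wrote for this purpose, not the milter's own behaviour.

```python
"""Classify milter socket specs and probe the addresses a listener would bind.

Added example (not from the post or its commenters). parse_socket_spec()
matches the type prefix rather than a substring, so inet:10035@localhost is
classified as a network socket; probe_bind() resolves a host name and reports
which of its addresses can actually be bound (a diagnostic, assumed here, not
OpenDKIM code).
"""
import socket


def parse_socket_spec(spec):
    """Split an opendkim/libmilter socket spec into (kind, port, host_or_path).

    Accepted forms: local:/path, unix:/path, inet:port@host, inet6:port@host,
    inet:port (all addresses), or a bare path (treated here as a UNIX socket)."""
    kind, sep, rest = spec.partition(":")
    if not sep:
        return ("local", None, spec)
    kind = kind.lower()
    if kind in ("local", "unix"):
        return ("local", None, rest)
    if kind in ("inet", "inet6"):
        port, at, host = rest.partition("@")
        if not port.isdigit():
            raise ValueError(f"port is not numeric in {spec!r}")
        return (kind, int(port), host if at else "")
    raise ValueError(f"unknown socket type in {spec!r}")


def is_local_socket(spec):
    """True only for filesystem sockets: inet:10035@localhost is NOT local."""
    return parse_socket_spec(spec)[0] == "local"


def probe_bind(host, port):
    """Resolve host (empty string = wildcard) and try to bind each address it yields.

    Returns [(family, address, bound_ok, error)] in resolution order, which is
    the order a listener would try; port 0 lets the kernel pick a free port
    for a dry run."""
    results = []
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(
            host or None, port, type=socket.SOCK_STREAM, flags=socket.AI_PASSIVE):
        s = socket.socket(family, socktype, proto)
        try:
            s.bind(sockaddr)
            results.append((family.name, sockaddr[0], True, ""))
        except OSError as e:
            results.append((family.name, sockaddr[0], False, e.strerror or str(e)))
        finally:
            s.close()
    return results


if __name__ == "__main__":
    for spec in ("inet:10035@localhost", "local:/var/run/opendkim/opendkim.sock"):
        print(spec, "->", "local socket" if is_local_socket(spec) else "network socket")
    kind, port, host = parse_socket_spec("inet:8891@localhost")
    for family, addr, ok, err in probe_bind(host, port):
        print(f"{family} {addr}:{port} -> {'bind ok' if ok else err}")
```

Running the probe for the configured Socket value on the affected host shows whether "localhost" yields an address that cannot be bound, or whether the port is simply already taken by another daemon, which is the "Address already in use" variant in Raminda's log.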
Great tutorial, thanks a lot.
I’m having a hard time telling if my DKIM is working or not.
Brandon’s DKIM checker says it’s OK, but when I send to Gmail, I see that the DKIM signature is being added. However, Gmail is not showing that an “Authentication-Results” header has been added.
I was previously having problems, and Gmail did add an “Authentication-Results” header. Is this header only added when the DKIM verification fails, or should there be one when DKIM passes too?
Hi Steve.
Thanks very much for the tutorial. I was able to deploy OpenDKIM successfully. Cool.
One small typo FYI. The link behind:
Send a signed email to: autorespond+dkim@dk.elandsys.com
points to
check-auth@verifier.port25.com
Great tutorial! Thanks again…
Glad you got it installed, Jeff. And thanks for the heads up on the typo (fixed!).
Great tutorial, thank you very much.
One tip for everyone though: I recommend executing the chown command at the end, especially if you created files using
touch /etc/opendkim/KeyTable (if run by root, the opendkim user won’t be allowed to access the file).
So, when finished with everything, if mail doesn’t get sent when OpenDKIM is enabled, run chown again.
chown -R opendkim:opendkim /etc/opendkim
Bye:)
Great tutorial Steve!
I have everything set up correctly, except it’s not actually signing the emails and there is nothing related to SIGNING in the log. Startup info is in the log, but no error or anything when a piece of mail is sent.
I can only think it’s because I have my domain on another server; would this be correct? I set up the DNS on the other server with the dkim key, but do I need to set up a subdomain and point it to the server with opendkim on it as well? Or can I simply have ANY domain be on the opendkim server (even if it’s not the “sending / from” domain)?
The only other thing I can think of, in the event that I can use ANY domain on the opendkim server and it doesn’t have to be the SENDING server (from name domain), is that it could be because I am testing with Amazon SES on the command line and it doesn’t necessarily fill out the return path properly?
Wish I could get more info from the log file, but it’s just not signing anything or giving me any info!
Thanks for any help anyone..
Hi
Excellent Howto and good tutorial.
I followed your tutorial and was able to install it, but I get the following header in Hotmail when I check it.
x-store-info:4r51+eLowCe79NzwdU2kRyU+pBy2R9QC3Jx2/BsS+hK7OuBZi7BRB/Is4oUCB0t5q3uTQvBaMi+N7tkkYUjPs8IELCmQgn/yVn9uPYmce2L0EJqvUykwYg==
Authentication-Results: hotmail.com; sender-id=temperror (sender IP is xx.xx.xxx.x) header.from=reply@test.com; dkim=none header.d=test.com; x-hmca=none
X-Message-Status: n:0:n
and I don’t see any DKIM or DomainKeys signature headers in my source.
Thanks in advance
Unless you own the test.com domain (and I’m assuming you don’t), then the Hotmail test SHOULD fail on this example. DKIM checks the signature in your header against the one published in the DNS record for the stated domain. And if you don’t see any DKIM sig in your header, then something’s not set up right. Have you gone through all the troubleshooting steps? If so, have you turned on LogWhy? That should tell you why it’s failing. If that still doesn’t help, come ask your question on the OpenDKIM-Users mailing list. I’m sure we can get it sorted out over there.
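Both the Gmail question above (is Authentication-Results only added on failure?) and the Hotmail header quoted just above come down to reading the receiver's Authentication-Results header, which RFC 8601 defines as one result per method (dkim=pass, dkim=none, spf=..., sender-id=...) regardless of whether the check passed or failed; dkim=none means the receiver found no signature to verify at all, which matches Steve's diagnosis. As an added example, not code from the post, Gmail or Hotmail, here is a small parser that strips the parenthesised comments and returns the per-method verdicts. The Hotmail line is the one quoted in the thread (with its redacted IP); the Gmail-style sample is constructed.

```python
"""Parse Authentication-Results headers (RFC 8601) to see what the receiver decided.

Added example (not from the post, Gmail or Hotmail). Values are split on ';'
into the authserv-id and one resinfo per method; comments in parentheses are
removed first, and quoted values such as reason="..." are kept intact.
"""
import shlex

# The Hotmail header quoted above (IP redacted as in the post) and a constructed
# Gmail-style header for a message whose signature verified.
HOTMAIL = ("hotmail.com; sender-id=temperror (sender IP is xx.xx.xxx.x) "
           "header.from=reply@test.com; dkim=none header.d=test.com; x-hmca=none")
GMAIL = ("mx.google.com; dkim=pass (test mode) header.i=@example.com; "
         "spf=pass (google.com: domain of user@example.com designates 198.51.100.7 "
         "as permitted sender) smtp.mailfrom=user@example.com")


def strip_comments(value: str) -> str:
    """Remove RFC 5322 comments: parenthesised, possibly nested."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_authentication_results(value: str) -> dict:
    """Return {"authserv_id": str, "results": {method: {"result": r, ptype.prop: v, ...}}}."""
    parts = [p.strip() for p in strip_comments(value).split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    results = {}
    for resinfo in parts[1:]:
        if not resinfo or resinfo.lower() == "none":  # "authserv-id; none": no checks were run
            continue
        tokens = shlex.split(resinfo)  # handles reason="..." with spaces
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            prop, _, pvalue = tok.partition("=")
            if prop:
                entry[prop] = pvalue
        results[method.lower()] = entry
    return {"authserv_id": authserv_id, "results": results}


def dkim_verdict(value: str) -> str:
    """'pass', 'fail', 'none', ... from the header, or 'absent' if no dkim method is listed."""
    entry = parse_authentication_results(value)["results"].get("dkim")
    return entry["result"] if entry else "absent"


if __name__ == "__main__":
    for name, header in (("hotmail", HOTMAIL), ("gmail", GMAIL)):
        parsed = parse_authentication_results(header)
        print(name, parsed["authserv_id"], "dkim =", dkim_verdict(header))
        for method, entry in parsed["results"].items():
            print("   ", method, entry)
```

Send a message to an account you control at the receiver in question, view the raw source, and pass the Authentication-Results value to `dkim_verdict()`; a receiver that ran checks records the outcome either way, so "absent" points at the header not being added at all rather than at a failed signature.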
Hello
Can anyone tell me simple steps which can do these things automatically?
I use Interspire, VPS, Linux, CentOS.
please assist
Hit the link at the top of the article about using Yum to install. That’s as automated as it gets.
Hi,
If I use multiple Postfix instances (with separate config directories), should your guide still work?
Thanks,
StaCker
Hi Steve,
thank you for this howto.
Like Neil, I got a “connect to Milter service inet:127.0.0.1:20209: Connection refused” in my log.
I am on Debian Lenny, so I have used the “generic” script found in contrib/init.
When I start dkim by doing “/etc/init.d/opendkim start” I got no message at all…
Could you help me finding the problem ?
Sorry for my english level that is as good as my linux level.
Thanks again
Denis
Hi all,
I answer to myself.
Thanks to Murray’s help, I saw that opendkim wasn’t running at all after the start command.
The problem was that the PATH in opendkim.conf was usr/sbin and not usr/local/sbin.
thanks for your help
Denis