Based on Debian 10 "Buster" environment.

OpenDKIM

OpenDKIM is a fork of dkim-milter. Running as one of the milters of the MTA, it signs outgoing mail and verifies the DKIM signatures of incoming mail.

Install OpenDKIM

# apt install opendkim opendkim-tools

opendkim-tools provides opendkim-genkey, which is required to generate the signing key.


DKIM signing Key

Generate

Here is an example of generating a DKIM signing key for the domain mail.example.jp with the selector "key01". The private key and a text file whose content is copied into the DNS record are written to the /etc/dkimkeys directory.

# opendkim-genkey -D /etc/dkimkeys -s key01
  • By default, opendkim-genkey generates a 2048-bit RSA key (for use with SHA-256). If your DNS provider does not accept a TXT record longer than 255 characters, generate a 1024-bit key instead by adding "-b 1024" to the command above.

DNS record

Copy the whole content of /etc/dkimkeys/key01.txt into a DNS TXT record (with a few tweaks, described below).

$ORIGIN example.jp.
key01._domainkey.mail     IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; t=y; "
          "p=MIIB..."
          "y6OwU6..." )  ; ----- DKIM key key01 for localhost
  • If the key is for a subdomain ("mail" in this case), append the subdomain after _domainkey, as in key01._domainkey.mail.
  • To declare that the key is still being tested, I recommend adding "t=y" so you can check for a while whether your DKIM setup works as expected. (Don't forget to remove it once you have confirmed that everything is ok.)
  • An ADSP record used to be published together with DKIM, but ADSP was declared "Historic" in 2013.
  • The key is too long for a single string, so it is already split into several quoted strings.
  • If you are using Knot DNS, the class "IN" is not required.

For security, it is recommended to rotate (renew) the key twice a year. It may be a good idea to name the selector after the month, e.g. 202001 (YYYYMM), so you can see when the key should expire.

DNS record test

Check that the TXT record has been published for the domain by querying the DNS servers.

$ dig key01._domainkey.mail.example.jp TXT
* snip *
;; ANSWER SECTION:
key01._domainkey.mail.example.jp. 86400 IN   TXT     "v=DKIM1; h=sha256; k=rsa; " "p=..."
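Beyond looking at the dig output, it is worth checking the published record the way a verifier will read it: the quoted strings are concatenated, the tags parsed, and the p= value decoded to confirm the key size. The checker below is an added example, not part of this page's commands; it includes a tiny DER encoder only to build a constructed sample key (not a real RSA modulus) and shows the effect of forgetting the "; " after "t=y" in the record above.

```python
import base64

def _der(tag, body):  # minimal DER TLV encoder (short- and long-form lengths)
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if n < 128 else bytes([0x80 | len(lb)]) + lb) + body
def _int(v):  # DER INTEGER: a leading 0x00 keeps the value positive
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def make_spki(n, e=65537):  # RSA SubjectPublicKeyInfo; used here only to build the sample
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # OID rsaEncryption, NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _int(n) + _int(e))))

def _read(buf, pos=0):  # minimal DER TLV reader -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def rsa_modulus_bits(spki):
    _, body, _ = _read(spki)          # SubjectPublicKeyInfo SEQUENCE
    _, _, p = _read(body)             # skip AlgorithmIdentifier
    _, bitstr, _ = _read(body, p)     # BIT STRING; first byte is the unused-bit count
    _, rsapub, _ = _read(bitstr[1:])  # RSAPublicKey SEQUENCE
    _, n_bytes, _ = _read(rsapub)     # INTEGER modulus (may carry a leading 0x00)
    return int.from_bytes(n_bytes, "big").bit_length()

def check_dkim_record(strings):  # strings: the quoted TXT strings as dig prints them
    pairs = [item.partition("=") for item in "".join(strings).split(";")]
    tags = {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}  # verifiers join the strings
    problems, bits = [], 0
    if tags.get("v") != "DKIM1":
        problems.append("v= is not DKIM1 (it must be the first tag)")
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError):
            problems.append("p= is not a base64 RSA SubjectPublicKeyInfo")
    if 0 < bits < 1024:
        problems.append(f"{bits}-bit key: verifiers ignore keys shorter than 1024 bits")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y still set: remove it once DKIM is confirmed working")
    return bits, problems

SAMPLE_P = base64.b64encode(make_spki((1 << 2047) | 1)).decode()  # constructed sample, not a real key
GOOD = ["v=DKIM1; h=sha256; k=rsa; t=y; ", "p=" + SAMPLE_P]  # the record above, correct separator
BAD = ["v=DKIM1; h=sha256; k=rsa; t=y", "p=" + SAMPLE_P]  # "t=y" and "p=" run together: no p= tag
```

Feed the function the strings from the ANSWER SECTION in order; a missing "; " before p= swallows the key into the t= tag and verifiers will find no public key at all.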

Configure OpenDKIM & Postfix

Configure /etc/opendkim.conf so that OpenDKIM uses the key generated above. To sign mail for multiple domains, list all the domains separated by commas.
The socket location has to be changed, too.

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain          mail.example.jp, mail2.example.jp
KeyFile         /etc/dkimkeys/key01.private
Selector        key01

* snip *

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Prepare the socket directory.

# mkdir /var/spool/postfix/opendkim
# chown opendkim:opendkim /var/spool/postfix/opendkim/
# adduser postfix opendkim

Edit /etc/postfix/main.cf to use OpenDKIM as a milter.

# milter
smtpd_milters = unix:/milter-greylist/greylist.sock unix:/opendkim/opendkim.sock unix:/clamav/clamav-milter.ctl

Restart OpenDKIM and Postfix

# systemctl restart opendkim
# systemctl restart postfix

Test

Receive a mail carrying a valid DKIM signature, e.g. from Gmail. You should find a header related to DKIM verification in it.

Authentication-Results: mail.example.jp;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="UGiaQ8sy";
	dkim-atps=neutral

Reply to that mail to check that your outgoing mail carries a DKIM-Signature header and that Gmail verifies it.