Add OpenDKIM with Postfix on Ubuntu or Debian

Verify messages from your (sub) domain using DKIM and sign every email from your Ubuntu or Debian server so they pass authentication. DomainKeys Identified Mail (DKIM) is an email authentication method that protects email senders and recipients from spam, spoofing, and phishing.

How to add OpenDKIM with Postfix on Ubuntu or Debian

This is a comprehensive, quick, and easy way to set up DKIM (DomainKeys Identified Mail) with the Postfix Mail server running on Ubuntu and Debian-based systems.

Step 1: Install the Opendkim Package

$ sudo apt update 

$ sudo apt install opendkim opendkim-tools

Add the postfix user to the opendkim group:

$ sudo usermod -G opendkim postfix

Step 2: Generate a Public and Private DKIM Keys

$ sudo mkdir -p /etc/opendkim/keys 

$ sudo chown -R opendkim:opendkim /etc/opendkim

$ sudo chmod  744 /etc/opendkim/keys

Generate public and private DKIM keys using opendkim-genkey command line utility. Replace example.com for your (sub)domain name (wpspeedexpert.com).

$ sudo mkdir /etc/opendkim/keys/wpspeedexpert.com

$ sudo opendkim-genkey -b 2048 -d wpspeedexpert.com -D /etc/opendkim/keys/wpspeedexpert.com -s default -v

Set correct ownership:

$ sudo chown opendkim:opendkim /etc/opendkim/keys/wpspeedexpert.com/default.private

Step 3: Setup DKIM Keys to Your DNS Record

$ sudo cat /etc/opendkim/keys/wpspeedexpert.com/default.txt

Add a DKIM DNS “TXT” record and remove all the quotes (“) and blank spaces from the record value as follows:

DKIM record

Verify the DNS record using this command:

$ sudo opendkim-testkey -d wpspeedexpert.com -s default -vvv

Step 4: Configuring OpenDKIM

Edit the main configuration file:

$ sudo nano /etc/opendkim.conf

Uncomment these values:

LogWhy                         yes 
Canonicalization            relaxed/simpleMode                    
svSubDomains              no

add the following values:

AutoRestart                  yes
AutoRestartRate         10/1M
Background                 yes
DNSTimeout                5
SignatureAlgorithm      rsa-sha256

Append the following to the end of the file:

KeyTable                 refile:/etc/opendkim/key.table
SigningTable           refile:/etc/opendkim/signing.table
ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts          /etc/opendkim/trusted.hosts
/etc/opendkim.conf

Edit the signing.table

$ sudo nano /etc/opendkim/signing.table

Add the following entries (replace wpspeedexpert.com):

*@wpspeedexpert.com    
default._domainkey.wpspeedexpert.com*@*.wpspeedexpert.com    default._domainkey.wpspeedexpert.com

Edit the key.table file:

$ sudo nano /etc/opendkim/key.table

Add the following entries (replace wpspeedexpert.com):

default._domainkey.wpspeedexpert.com     wpspeedexpert.com:default:/etc/opendkim/keys/wpspeedexpert.com/default.private

Edit the trusted.hosts file:

$ sudo nano /etc/opendkim/trusted.hosts

Add the following entries (replace wpspeedexpert.com):

127.0.0.1localhost
.wpspeedexpert.com

Restart OpenDKIM Service:

$ sudo systemctl restart opendkim

Step 5: Configure Postfix With OpenDKIM

Change OpenDKIM socket file location:

$ sudo mkdir /var/spool/postfix/opendkim 

$ sudo chown opendkim:postfix /var/spool/postfix/opendkim

$ sudo nano /etc/opendkim.conf


Search for the socket location and change it like the example hereunder:

Socket    local:/var/spool/postfix/opendkim/opendkim.sock
var/spool/postfix/opendkim/opendkim.sock

Edit the opendkim file:

$ sudo nano /etc/default/opendkim

Edit the socket entry as in the example below:

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Edit the postfix main.cf file:

$ sudo nano /etc/postfix/main.cf

Add the following lines to the end of the file:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Modify the myhostname (replace wpspeedexpert.com):

myhostname = wpspeedexpert.com

Restart the Postfix and DKIM service:

$ sudo systemctl restart postfix

$ sudo systemctl restart opendkim

Add a DNS SPF record for the (sub) domain (replace IP addresses):

Name: @
Content:
v=spf1  ip4:0.0.0.0 ip6:0000:0000::00000:0000:0000:0000  include:subdomain.wpspeedexpert.com ~all

Add a DNS DMARC record:

v=DMARC1; p=none;

If you are using Cloudflare you can enable DMARC Management.

Send a test mail:

$ echo "Hello world" | mail -s "Test" you@domain.com

Leave a Comment