Add OpenDKIM with Postfix on Ubuntu or Debian

Verify messages from your (sub) domain using DKIM and sign every email from your Ubuntu or Debian server so they pass authentication. DomainKeys Identified Mail (DKIM) is an email authentication method that protects email senders and recipients from spam, spoofing, and phishing.

How to add OpenDKIM with Postfix on Ubuntu or Debian

This is a comprehensive, quick, and easy way to set up DKIM (DomainKeys Identified Mail) with the Postfix mail server running on Ubuntu and Debian-based systems.

Step 1: Install the OpenDKIM Package

$ sudo apt update 

$ sudo apt install opendkim opendkim-tools

Add the postfix user to the opendkim group:

$ sudo usermod -aG opendkim postfix

Step 2: Generate Public and Private DKIM Keys

$ sudo mkdir -p /etc/opendkim/keys 

$ sudo chown -R opendkim:opendkim /etc/opendkim

$ sudo chmod 700 /etc/opendkim/keys

Generate public and private DKIM keys using the opendkim-genkey command-line utility. Replace for your (sub)domain name (

$ sudo mkdir /etc/opendkim/keys/

$ sudo opendkim-genkey -b 2048 -d -D /etc/opendkim/keys/ -s default -v

Set correct ownership:

$ sudo chown opendkim:opendkim /etc/opendkim/keys/

Step 3: Add the DKIM Key to Your DNS Record

$ sudo cat /etc/opendkim/keys/

Add a DKIM DNS “TXT” record and remove all the quotes (“) and blank spaces from the record value as follows:

DKIM record

Verify the DNS record using this command:

$ sudo opendkim-testkey -d -s default -vvv
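The quote-and-whitespace clean-up described in Step 3 can be scripted instead of done by hand. This is an added example, not part of the original guide: the function names are hypothetical, and the sample record is constructed (filler key data, placeholder domain example.com) in the layout opendkim-genkey writes.

```sh
#!/bin/sh
# Added example (not from the original guide): flatten the zone-file record
# that opendkim-genkey writes into the single-line value a DNS panel expects.

# Constructed sample in opendkim-genkey's layout. The p= data is filler, not a
# real key, and example.com is a placeholder domain.
sample_record() {
cat <<'EOF'
default._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfiller+/0123"
	  "456789constructedNOTaREALkeyIDAQAB" )  ; ----- DKIM key default for example.com
EOF
}

# Read the record on stdin, keep only the quoted chunks in order, then drop
# the quotes and every whitespace character so the chunks join into one value.
dkim_txt_value() {
    grep -o '"[^"]*"' | tr -d '" \t\r\n'
}

# Return 0 if the flattened value looks publishable; print the reason and
# return non-zero otherwise. Assumes p= is the last tag, as genkey writes it.
dkim_txt_check() {
    dkim_value=$1
    case $dkim_value in
        "v=DKIM1;"*) ;;                      # version tag must come first
        *) echo "value does not start with v=DKIM1" >&2; return 1 ;;
    esac
    dkim_key=${dkim_value#*";p="}            # text after the first ;p=
    if [ "$dkim_key" = "$dkim_value" ] || [ -z "$dkim_key" ]; then
        echo "p= tag missing or empty" >&2; return 2
    fi
    # Leftover quotes, parentheses or spaces show the paste was not cleaned.
    case $dkim_key in
        *[!A-Za-z0-9+/=]*) echo "non-base64 characters in p=" >&2; return 3 ;;
    esac
    return 0
}

# Demo run on the constructed sample: print the value only if it passes.
flat=$(sample_record | dkim_txt_value)
dkim_txt_check "$flat" && printf '%s\n' "$flat"
```

In real use, pipe the output of the `sudo cat` command from Step 3 into `dkim_txt_value` in place of `sample_record`.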

Step 4: Configuring OpenDKIM

Edit the main configuration file:

$ sudo nano /etc/opendkim.conf

Uncomment these values:

LogWhy                         yes
Canonicalization            relaxed/simple
Mode                           sv
SubDomains                 no

Add the following values:

AutoRestart                  yes
AutoRestartRate         10/1M
Background                 yes
DNSTimeout                5
SignatureAlgorithm      rsa-sha256

Append the following to the end of the file:

KeyTable                 refile:/etc/opendkim/key.table
SigningTable           refile:/etc/opendkim/signing.table
ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts          /etc/opendkim/trusted.hosts

Edit the signing.table file:

$ sudo nano /etc/opendkim/signing.table

Add the following entries (replace


Edit the key.table file:

$ sudo nano /etc/opendkim/key.table

Add the following entries (replace

Edit the trusted.hosts file:

$ sudo nano /etc/opendkim/trusted.hosts

Add the following entries (replace

Restart OpenDKIM Service:

$ sudo systemctl restart opendkim

Step 5: Configure Postfix With OpenDKIM

Change OpenDKIM socket file location:

$ sudo mkdir /var/spool/postfix/opendkim 

$ sudo chown opendkim:postfix /var/spool/postfix/opendkim

$ sudo nano /etc/opendkim.conf

Search for the socket location and change it as in the example below:

Socket    local:/var/spool/postfix/opendkim/opendkim.sock

Edit the opendkim file:

$ sudo nano /etc/default/opendkim

Edit the socket entry as in the example below:


Edit the postfix file:

$ sudo nano /etc/postfix/

Add the following lines to the end of the file:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Modify the myhostname (replace

myhostname =

Restart the Postfix and DKIM service:

$ sudo systemctl restart postfix

$ sudo systemctl restart opendkim

Add a DNS SPF record for the (sub) domain (replace IP addresses):

Name: @
v=spf1  ip4: ip6:0000:0000::00000:0000:0000:0000 ~all

Add a DNS DMARC record:

v=DMARC1; p=none;

If you are using Cloudflare you can enable DMARC Management.

Send a test mail:

$ echo "Hello world" | mail -s "Test"
