What is DKIM?

DKIM or DomainKeys Identified Mail is an email authentication system that can help prevent spoofing by signing outgoing mail. More information can be found on Wikipedia or Google.

DKIM uses a private and public key pair for signing, the public key is stored in a TXT record in the DNS zone, similar to SPF.

Simple setup on Ubuntu 14.04

Install OpenDKIM

sudo apt-get install opendkim opendkim-tools

Generate a private and public key pair

opendkim-genkey -t -s default -d example.com

The -s switch defines the name of a selector, it's used later in both configuration on the server and the TXT record.

This generates 2 files, based on the name of the selector, e.g. default.private and default.txt

Add the TXT record

The txt file created by opendkim-genkey uses a bind record format and looks something like this:

default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; t=y; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbpMiQR1EMmOmCYzzuHYlXho97NnX1/nFCftJLjY2NVkGlCdxMpnnoVI3oGeM1DmzdbC9eySW+GbFnPs0FrPB5Tqod1XXYI3gwrMihIyMJfsIMAU0EPJKvJjwsELNYj4UHWBhWIjusGw0AeDQuUH0sCYOkdPkOSvM2wpZsvHkDZwIDAQAB" )  ; ----- DKIM key default for example.com

You can extract the necessary information from here to use with most registrars or DNS services.

Record name

The record name should be ._domainkey prefixed with the selector name:


Any sub domain information should be appended, which opendkim-genkey doesn't do. for sub.domain.example.com you should use:


TXT value

The value should include a minimum of the DKIM version, key and key type:


Configure OpenDKIM

On Ubuntu the config files OpenDKIM uses are:


Copy the private key

Many guides suggest copying files into /etc/mail, but OpenDKIM complains about permissions and won't start so it was easier to create a new folder in /etc and copy it there:

sudo mkdir /etc/opendkim
sudo cp default.private /etc/opendkim

Update /etc/opendkim.conf

As a minimum the domain, key path and selector are required:

Domain                  example.com
KeyFile                 /etc/opendkim/default.private
Selector                default

Update /etc/default/opendkim

Ubuntu uses a socket by default, but Sendmail complains that this is insecure so it's necessary to use a port instead, the following can be appended to the end of the file:

SOCKET="inet:8891@localhost" # listen on loopback on port 8891

Start the service

sudo service opendkim start

Configure Sendmail

Update the configuration

Append the following to /etc/mail/sendmail.mc:

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

Regenerate the Sendmail config file as root:

sudo -i
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Restart the service

sudo service sendmail restart

Checking everything works

From server logs

By default OpenDKIM logs to the syslog, so you can tail the log to see if signing is successful using:

sudo tail -f /var/log/syslog | grep -i dkim

You should see something like this example taken from one of the web servers that host this blog:

Mar 16 09:25:02 web2 sm-mta[7705]: u2G9P2Dp007705: Milter insert (1): header: DKIM-Signature:  v=1; a=rsa-sha256; c=simple/simple; d=web2.lon.codacity.net;\n\ts=linode; t=1458120302;\n\tbh=C8sxHQz0QeFsCiNzhPYF8u2GVHRax8cSsYISckkpuEk=;\n\th=Date:From:Subject:To:From;\n\tb=ymr4SQ67DqXBMkVPPfjTJUEWBPFpO4jix7oZXsranp6MQrzcXg8ysbwkL0+6VdcqA\n\t DrzTrz3O6SfVh9Aok6H+tGcPIb9jMGTn1ceLlAZhy18O5qmjkZOTHr2MWtKeaf1u2M\n\t FfBBOID4M9vef7FZBJaUa0j+Zg9LarLaYW518TEo=

From your mail client

View the source of an email sent from your server and look for the Authentication-Results header. It should contain dkim=pass if everything is working. There is also a DKIM-Signature header which contains the signing data.

Further steps

This guide will get you up and running for a single domain, for multiple domains a few extra steps are necessary. I will update this post at a later date to include this.