How to Use OpenDKIM to Generate DKIM Keys on Your Own Mail Server

Learn how to generate DKIM keys using OpenDKIM on your mail server to boost email security, prevent spoofing, and ensure DMARC compliance.

Updated over a month ago

Why Should You Care About DKIM?

Ever had an email marked as spam even though it was legit? Or worse—your domain used for phishing without your knowledge? 😨

That’s where DKIM (DomainKeys Identified Mail) comes in. It lets email recipients verify that an email was really sent by you and wasn’t tampered with in transit.

If you're running your own mail server (Postfix, Exim, Sendmail, etc.), you’ll need a way to generate and manage your DKIM keys. That’s where OpenDKIM comes in!

Ready to set it up? Let’s do this. 🚀


Step 1: Install OpenDKIM on Your Mail Server

First, let’s install OpenDKIM. The command varies based on your Linux distribution:

📌 For Debian/Ubuntu:

```sh
sudo apt update && sudo apt install opendkim opendkim-tools -y
```

📌 For CentOS/RHEL:

```sh
sudo yum install epel-release -y
sudo yum install opendkim opendkim-tools -y
```

📌 For Arch Linux:

```sh
sudo pacman -S opendkim
```

Once installed, OpenDKIM will handle signing and verifying DKIM signatures for your emails.


Step 2: Generate Your DKIM Key Pair

Now comes the fun part—creating your private and public keys.

Navigate to a directory where you’ll store your DKIM keys:

```sh
mkdir -p /etc/opendkim/keys/yourdomain.com
cd /etc/opendkim/keys/yourdomain.com
```

Run this command to generate a 2048-bit DKIM key pair:

```sh
opendkim-genkey -b 2048 -d yourdomain.com -s dkim2024
```

This will generate two files:

🔹 dkim2024.private → Private key (used by your mail server)
🔹 dkim2024.txt → Public key (to be added as a DNS record)

Move the private key to a secure location:

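```sh
# Rename the private key to the path used later in opendkim.conf
mv dkim2024.private /etc/opendkim/keys/yourdomain.com/dkim.private
# Restrict the private key to its owner (read/write only)
chmod 600 dkim.private
```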

Step 3: Add Your DKIM Public Key to DNS

Now, let’s publish your DKIM public key so email providers can verify your signatures.

Open your public key file:

```sh
cat dkim2024.txt
```

You’ll see something like this:

```
dkim2024._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4G…"
```

Copy the part after p= (your public key) and add it as a TXT record in your DNS:

| Host/Name | Type | Value |
| --- | --- | --- |
| dkim2024._domainkey.yourdomain.com | TXT | v=DKIM1; k=rsa; p=MIGfMA0GCSqG... |

Save the record and wait for DNS propagation (usually a few minutes to a few hours).
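Before pasting the value into your DNS provider, it helps to flatten the record and confirm it belongs to your private key. The following is an added example, not part of the original article or of OpenDKIM: the function names are hypothetical, and the sample record is constructed to show how a 2048-bit key is usually split across several quoted strings.

```shell
#!/bin/sh
# Added example: checks on the opendkim-genkey .txt file before publishing it.

# Join every quoted string in the zone-file record into the single TXT value
# that a DNS provider's web form expects (quotes and line breaks removed).
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Extract only the base64 public key (the p= tag) from the joined value.
dkim_pubkey() {
    dkim_txt_value "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# Succeed only if the p= value is the public half of the given private key.
# DKIM's p= is the base64 DER SubjectPublicKeyInfo, which openssl can derive.
dkim_key_matches() {
    derived=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$derived" ] && [ "$derived" = "$(dkim_pubkey "$2")" ]
}

# Constructed sample (assumed layout): a long key is split into several quoted
# strings because a single TXT string is limited to 255 bytes. The base64 text
# below is a placeholder, not a real key.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
dkim2024._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=CONSTRUCTEDplaceholderPART1"
	  "CONSTRUCTEDplaceholderPART2" )  ; ----- DKIM key dkim2024 for yourdomain.com
EOF

dkim_txt_value "$sample"; echo   # value to paste into the TXT record
dkim_pubkey "$sample"; echo      # public key only
# On the server: dkim_key_matches dkim.private dkim2024.txt && echo "key pair matches"
```

Run `dkim_key_matches` again after any key rotation, so a DNS record left over from an old selector is caught before mail starts failing verification.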


Step 4: Configure OpenDKIM with Postfix

Now, let’s configure OpenDKIM to sign outgoing emails.

Edit the OpenDKIM configuration file:

```sh
sudo nano /etc/opendkim.conf
```

Add or modify these lines:

```
Domain    yourdomain.com
Selector  dkim2024
KeyFile   /etc/opendkim/keys/yourdomain.com/dkim.private
Socket    inet:8891@localhost
```

Save and exit.

Now, let’s tell Postfix to use OpenDKIM:

```sh
sudo nano /etc/postfix/main.cf
```

Add these lines at the bottom:

```
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```

Save and restart everything:

```sh
sudo systemctl restart opendkim
sudo systemctl restart postfix
```

Step 5: Test Your DKIM Setup

Want to make sure everything is working? Send an email to this address:

You’ll get a reply with your DKIM status. If it says pass, congrats! 🎉

Alternatively, use this Gmail trick:

1️⃣ Send an email to a Gmail account
2️⃣ Open the email and click the three dots → Show original
3️⃣ Look for DKIM-Signature and PASS


Final Thoughts

You just set up DKIM on your own mail server.
Your emails are now protected against spoofing and phishing.
You’re a step closer to DMARC compliance.

Feeling like a true email security pro yet? 😎

Now, go secure your domain and make sure your emails land in inboxes—not spam folders! 🚀
