DKIM signature in Postfix on Debian


DKIM works by interfacing a proxy in postfix to add priv/pub signature to out-going emails using a private key and opendkim.

Matching public key will be exported in the DNS server so receiving SMTP can verify in the signature in the metadata matches the public key.

It helps for non being consider as a spamer.

A friend asked me to setup this on his two servers with two different domains so we’ll be setting up the whole thing here with separate keys pair for each domain/each server and we’ll allow both servers to sign emails for these domains.

Install required packages

Create pub/priv keys sets

According to /usr/share/doc/opendkim/README.Debian.gz there is a tool named opendkim-genkey that can help generating the key pairs. This tool is in opendkim-tools package.

As we want to allow different servers to sign messages with different key but for the same domain, we’ll use the origin server short hostname as selector. It means the signature will be somehow prefixed with this selector, indicating the receiver SMTP which DNS entry should be queried for getting associated public key. By doing so, we’ll be able to export different public key for each server.

Now you should see the private keys as well as public key as a bind9 snippet in /etc/dkimkeys:

Register public key in DNS zones

Now you need to add the public signature in your DNS zone. In this example, the primary bind server for both and is running on the server itself so we can just do:

This is very unlikely that method is suitable for you, but you get the idea right ?

Don’t forget to bump DNS zone serial number and reload bind

We can now check with dig that our DNS server now expose the public key:

Should return something like:

Configure OpenDKIM

Now we need to create a KeyTable file to match domain, selector and private key file. We also need a SigningTable to actually ask for signature to be added to outgoing emails.

In /etc/opendkim.conf add the following entries at bottom of files:

Then we we’ll create /etc/dkimkeys/KeyTable file:

The file now looks like:

Now we create /etc/dkimkeys/SigningTable file:

The file should content:

OpenDKIM is now configured, restart it

Integrate with Postfix

On Debian systems Postfix is chrooted so there are a few additionnal steps to get it working correctly:

In /etc/opendkim.conf change the socket path to Postifx chroot:

Create proper folder in Postfix chroot and give proper permissions

Add Postfix to opendkim group so it can write to the socket:

Enable filtering in postfix (postconf commands will edit /etc/postfix/

Missing trailling / is not a typo !

Restart both services:


You can send an email from the server itself using following commands:

My server runs Postfix with Amavis so I can check the header of the email I just received and I can confirm valid DKIM signature has been seen:

Leave a Reply

Your email address will not be published. Required fields are marked *