
DomainKeys Identified Mail (DKIM) combines several existing antiphishing and antispam methods to improve the classification and identification of legitimate e-mail. Instead of relying on the traditional IP address to identify the message sender, DKIM adds a digital signature tied to the domain name of the sending organization.


Postfix and opendkim

Install the package:

  apt-get install opendkim opendkim-tools

Set up opendkim to sign mail on behalf of Postfix. In Debian stretch, the recommended place for the private key is /etc/dkimkeys (it already exists, owned by user opendkim and group opendkim, with rwx permissions for the owner only).

Generate a key for the server:

  opendkim-genkey -D /etc/dkimkeys/ -d -s mail 

This creates two files in /etc/dkimkeys/: mail.private (the private key) and mail.txt (the public key, formatted as a DNS TXT record). Only the opendkim user needs to read them, so restrict permissions accordingly:

chgrp opendkim /etc/dkimkeys/*
chmod go-rwx /etc/dkimkeys/*

Postfix and opendkim will communicate through a unix socket (faster and more secure than a tcp socket). The default Postfix configuration in Debian runs under a chroot (/var/spool/postfix), so the socket must be created inside that chroot:

# directory for the socket, inside the postfix chroot (matches the Socket line in /etc/opendkim.conf below)
sockdir=/var/spool/postfix/var/run/opendkim
mkdir -p $sockdir
chown opendkim:opendkim $sockdir
chmod go-rwx $sockdir
# group members (postfix) only need to traverse the directory to reach the socket
chmod g+x $sockdir

Set up /etc/opendkim.conf:

All available options are documented in the opendkim.conf(5) manual page.

Syslog yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   007

# Signature mode and signature verification
Mode sv # not needed as this is the default

# DO NOT BELIEVE that /etc/default/opendkim overrides the following :
# (In stretch, it does not on 2019-08-13)
Socket                  local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

Now in the file /etc/dkimkeys/keytable, put information about the private key: 

In the file /etc/dkimkeys/signingtable, specify which key will sign a domain:

# Domain
# You can specify multiple domains

In the file /etc/dkimkeys/trustedhosts, specify which hosts will have messages signed. If needed, include localhost as it is not implicit:

You do not need to modify /etc/default/opendkim.

Now restart opendkim and check that everything is ok:

# service opendkim restart
# service opendkim status
# ls -ld /var/run/opendkim
drwxr-x--- 2 opendkim opendkim 60 Aug 13 13:57 /var/run/opendkim
# ls -l /var/run/opendkim
total 4
-rw-rw---- 1 root root 6 Aug 13 13:57
# ls -ld /var/spool/postfix/var/run/opendkim 
drwx--x--- 2 opendkim opendkim 4096 Aug 13 13:57 /var/spool/postfix/var/run/opendkim
# ls -l /var/spool/postfix/var/run/opendkim
total 0
srwxrwx--- 1 opendkim opendkim 0 Aug 13 13:57 opendkim.sock

Now, add postfix to the group opendkim so that it can communicate with opendkim:

adduser postfix opendkim

And add the following lines to /etc/postfix/

  milter_default_action = accept
  milter_protocol = 6
  # from inside the chroot, the socket will be in /var/run/opendkim 
  smtpd_milters = unix:/var/run/opendkim/opendkim.sock
  non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

The setup of opendkim and postfix is complete.

Restart postfix

service postfix restart
service postfix status


Try sending a mail. If you see something like the following in /var/log/mail.log

Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to bind to port local:/var/spool/postfix/var/run/opendkim/opendkim.sock: No such file or directory
Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to create listening socket on conn local:/var/spool/postfix/var/run/opendkim/opendkim.sock

then you probably did not create the directory for the socket (see above), or you gave it the wrong permissions. Double-check!

If you see

Aug 13 13:46:19 yourhostname postfix/cleanup[17588]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

then postfix could not open the socket. Did you add postfix to group opendkim? Are the permissions on /var/spool/postfix/var/run/opendkim/opendkim.sock correct?
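The two failure modes above come down to a handful of file-system facts that are easy to re-check by hand. The script below is an added diagnostic, not part of this page: it verifies the socket directory inside the Postfix chroot, the socket itself, and postfix's membership in group opendkim. Each check takes its path and the expected numeric owner/group as arguments, so the same functions can be exercised against a throwaway directory as well as the live paths from this page (run it with --live as root for that).

```shell
#!/bin/sh
# Added diagnostic, not part of the wiki page. Re-checks the conditions that the
# "Unable to bind" and "connect to Milter service" log messages point at.
# Expected owner/group default to the opendkim user and group; pass numeric
# uid/gid explicitly to test against a directory you own.

# Directory must exist, be owned by uid:gid and be drwx--x--- (0710):
# opendkim needs full access, group members only need to traverse it.
check_socket_dir() {
    dir=$1; uid=${2:-$(id -u opendkim)}; gid=${3:-$(getent group opendkim | cut -d: -f3)}
    [ -d "$dir" ] || { echo "socket directory missing: $dir" >&2; return 1; }
    actual=$(stat -c '%a %u %g' "$dir")
    [ "$actual" = "710 $uid $gid" ] \
        || { echo "$dir is '$actual', expected '710 $uid $gid'" >&2; return 1; }
}

# The socket is created by opendkim at start-up under UMask 007; it must be
# srwxrwx--- (0770) so that group members such as postfix can connect to it.
check_socket() {
    sock=$1; uid=${2:-$(id -u opendkim)}; gid=${3:-$(getent group opendkim | cut -d: -f3)}
    [ -S "$sock" ] || { echo "socket missing: $sock (is opendkim running?)" >&2; return 1; }
    actual=$(stat -c '%a %u %g' "$sock")
    [ "$actual" = "770 $uid $gid" ] \
        || { echo "$sock is '$actual', expected '770 $uid $gid'" >&2; return 1; }
}

# The MTA user must be a member of opendkim's group ("adduser postfix opendkim").
check_group_membership() {
    user=$1; gid=${2:-$(getent group opendkim | cut -d: -f3)}
    id -G "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$gid" \
        || { echo "user $user is not in group id $gid" >&2; return 1; }
}

# Run all three checks against the live paths used on this page.
run_live_checks() {
    rc=0
    check_socket_dir /var/spool/postfix/var/run/opendkim || rc=1
    check_socket /var/spool/postfix/var/run/opendkim/opendkim.sock || rc=1
    check_group_membership postfix || rc=1
    [ $rc -eq 0 ] && echo "all socket checks passed"
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

A directory mode of 710 rather than 750 is deliberate: postfix only needs the execute bit to reach opendkim.sock, and the socket's own 770 mode (a result of UMask 007) is what grants the connection.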

Even if everything above works, your DKIM configuration is not complete: you still have to publish the public key in DNS.

DNS Configuration

Add a TXT record for your domain:

Record Name: mail._domainkey (the selector "mail" followed by "._domainkey", under your own domain)

Record Type: TXT

Record Value: v=DKIM1; k=rsa; p=MI.. (take it from the /etc/dkimkeys/mail.txt file; remove the >"< and join the lines after p= into one key.)
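Joining the quoted chunks of mail.txt by hand is error-prone (a leftover quote or line break silently breaks the key). The script below is an added example, not part of this page: it reads the BIND-style record that opendkim-genkey writes and produces the record name and single-line value a DNS web interface asks for, then sanity-checks the p= tag. SAMPLE_TXT is a constructed stand-in for /etc/dkimkeys/mail.txt with dummy key material, split over several quoted chunks the way opendkim-genkey splits a long key.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Converts the record in
# <selector>.txt into the name and single-line TXT value to paste into DNS.
# SAMPLE_TXT below is constructed; the key bytes are dummy text.
SAMPLE_TXT=$(mktemp)
trap 'rm -f "$SAMPLE_TXT"' EXIT
cat > "$SAMPLE_TXT" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
   "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAdummyCHUNK1"
   "dummyCHUNK2" )  ; ----- DKIM key mail for example.com
EOF

# Record name: first field of the first line, i.e. selector._domainkey.
dkim_record_name() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# Record value: every double-quoted chunk, unquoted and concatenated with
# nothing in between, which is how a resolver reassembles a multi-chunk TXT.
dkim_record_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Sanity check before publishing: p= must be present and contain only
# base64 characters (a stray quote or newline left in would break it).
dkim_value_is_sane() {
    p=$(printf '%s' "$1" | sed -n 's/.*p=\([^;]*\).*/\1/p')
    [ -n "$p" ] && printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Usage against the constructed sample; on a real server point the functions
# at /etc/dkimkeys/mail.txt instead.
echo "name:  $(dkim_record_name "$SAMPLE_TXT")"
echo "value: $(dkim_record_value "$SAMPLE_TXT")"
dkim_value_is_sane "$(dkim_record_value "$SAMPLE_TXT")" && echo "value looks sane"
```

The record name printed by the script is relative to your zone; a DNS web interface that asks for the host part only wants mail._domainkey, while a zone file wants it fully qualified.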


You can test your installation with opendkim-testkey:

# opendkim-testkey -d -s mail -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key ''
opendkim-testkey: key not secure
opendkim-testkey: key OK

The line "key not secure" only means that the DNS answer was not DNSSEC-validated; it is not an error. "key OK" is the result that matters.

See also