Notes on Adding OpenDKIM to Postfix + DMARC
Server
Lastmod: 2023-11-30
Published: 2022-05-20

Given the strict spam filters these days, I decided to implement DKIM on my personal mail server. Here are the notes from that process.

For DMARC settings, see the update in November 2023.

August 2024 Update

I have switched from OpenDKIM to arcmilter.
See: "Changed from OpenDKIM to arcmilter and Added Support for ARC Signatures"

Environment

  • Ubuntu 20.04

OpenDKIM

  • Installation
# apt install opendkim opendkim-tools
  • Create the directory to store keys
# install -d /etc/opendkim/key
# cd !$
  • Generate keys (for multiple domains)
# install -d masa23.jp
# opendkim-genkey -D masa23.jp -d masa23.jp
# install -d example.jp
# opendkim-genkey -D example.jp -d example.jp

default.private and default.txt are generated in each directory.
  • Change ownership
# chown -R opendkim:opendkim /etc/opendkim/
  • OpenDKIM configuration
# vi /etc/opendkim.conf
Socket                  inet:8892@localhost

#Domain
#KeyFile
#Selector
KeyTable refile:/etc/opendkim/key_table
SigningTable refile:/etc/opendkim/signing_table
# cat << _EOF_ > /etc/opendkim/key_table
default._domainkey.masa23.jp masa23.jp:default:/etc/opendkim/key/masa23.jp/default.private
default._domainkey.example.jp example.jp:default:/etc/opendkim/key/example.jp/default.private
_EOF_
# cat << _EOF_ > /etc/opendkim/signing_table
*@masa23.jp default._domainkey.masa23.jp
*@example.jp default._domainkey.example.jp
_EOF_
  • Start and enable OpenDKIM
# systemctl start opendkim
# systemctl enable opendkim
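
A lint for the two tables written above, added here as an example and not part of the original notes: it flags key_table entries whose private key is missing or accessible to group/other, and signing_table rows that point at a key name key_table does not define. The function name check_opendkim_tables is made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes.
# check_opendkim_tables KEY_TABLE SIGNING_TABLE
# Prints one line per problem; the return status is the number of problems.
check_opendkim_tables() {
    kt=$1 st=$2 problems=0

    # key_table line: <key name> <domain>:<selector>:<private key path>
    while read -r name spec; do
        case $name in ''|'#'*) continue ;; esac
        path=${spec#*:*:}          # strip the "domain:selector:" prefix
        if [ "$path" = "$spec" ]; then
            echo "key_table: $name: expected domain:selector:path"
        elif [ ! -f "$path" ]; then
            echo "key_table: $name: private key $path not found"
        elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            # characters 5-10 of the ls mode string are the group/other bits
            echo "key_table: $name: $path is accessible to group/other"
        else
            continue
        fi
        problems=$((problems + 1))
    done < "$kt"

    # signing_table line: <address pattern> <key name defined in key_table>
    while read -r pattern name; do
        case $pattern in ''|'#'*) continue ;; esac
        if ! awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$kt"; then
            echo "signing_table: $pattern -> $name is not in key_table"
            problems=$((problems + 1))
        fi
    done < "$st"

    return "$problems"
}

# Command-line use: sh check.sh /etc/opendkim/key_table /etc/opendkim/signing_table
if [ $# -eq 2 ]; then
    check_opendkim_tables "$1" "$2"
fi
```

Run it as root after editing either table; an exit status of 0 means every signing_table row resolves to a key file that only its owner can access.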

Postfix Configuration

  • Add as a milter
# vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8892
non_smtpd_milters = inet:127.0.0.1:8892
  • Check the configuration
# postfix check
  • Reload Postfix
# systemctl reload postfix

Registering the Public Key in DNS

  • Check the public key
# cat /etc/opendkim/key/masa23.jp/default.txt
default._domainkey      IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5jqnqaMgv8fFl8yQHDfPdU/7j0YvFza2YIMIYivVV/CaItZizlkY6emj9o6MZBK3RU9ni4BPCQ1do64+HhZHUanAPojZd0PsyusCBNBFU1wY6/xpcuoPf+Ru15UvLI2/o+9ElO4vF3l2YoTSOE5ljnBNd2EWihqmUQazEpu3PT1a7BbHZkW/7WdK5ipgU8+u/iyRai0Dnrhgoi"
          "ArzoDjFgm4TRJQGhD+EUOmnwFa3Xz5eQg50IigS7WKyHwF3HSZPzrkEFf5hIXYdoeIr6OqKg5sldONF/hY9voEITHZqtHOnrBlaBH2DTTI6uQH7Uc4JLv12xD6Gh1rlZy5zdMTwQIDAQAB" )  ; ----- DKIM key default for masa23.jp

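Register this record in DNS. The quoted strings are parts of a single TXT value, split only because one DNS character-string is limited to 255 bytes.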

November 2023 Update

ADSP has been deprecated.

Therefore, assuming the SPF record is already set up, let’s configure DMARC.

  • DMARC Configuration
_dmarc  IN  TXT "v=DMARC1; p=quarantine;"

The value of p can be none, quarantine, or reject.

p           Meaning
none        The domain owner requests no specific action be taken regarding delivery of messages.
quarantine  The domain owner requests that messages failing the DMARC check be treated as suspicious.
reject      The domain owner requests that messages failing the DMARC check be rejected.