From address: firstname.lastname@example.org
Aim: validate DKIM and DomainKeys for this email address sending from this server.
Requirements: access to enter TXT DNS records for domain.com and example.com, and root access to web1.domain.com server.
- apt-get install dkim-filter; apt-get install dk-filter
- vi /etc/dkim-filter.conf
Uncomment Domain, and set to “*” (without quotation marks)
Underneath Domain, create the following “KeyList /etc/mail/dkim_domains.key”
Uncomment Selector and set to “mail”
You can also uncomment AutoRestart if you want and set to “yes”, and Statistics
Do not uncomment Version – it’s not a valid setting
Save and close
- vi /etc/postfix/main.cf
Append the following:
# DKIM & DomainKeys
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
- cd /etc/mail
- dkim-genkey -t -s mail -d web1.domain.com (dkim key)
- openssl genrsa -out domainkey.key 1024 (domainkeys private key)
- openssl rsa -in domainkey.key -out domainkey.pub -pubout -outform pem (domainkeys public key)
- mv mail.private mail
- vi /etc/default/dk-filter
Uncomment out DAEMON_OPTS and SOCKET and set them like so:
DAEMON_OPTS=”$DAEMON_OPTS -d example.com t -s /etc/mail/domainkey.key -S web1″ (the selector here is web1; this is because the DNS record has to go on example.com for DomainKeys, so for every server you want to send example.com mail for you’ll need a seperate record)
- Open up mail.txt; you need to create the DNS record for DKIM for web1.domain.com from this. I use a managed DNS service for domain.com, so I put “mail._domainkey.web1” in the subdomain/selector, and paste the bit in quotes as the record content. Notice the mail.txt file does not have the domain appended, but I’ve added my subdomain web1 in my record.
- Make two more DNS records, this time on example.com:
_domainkey IN TXT “t=y; o=~;”
web1._domainkey IN TXT “k=rsa; t=y; p=<INSERT KEY FROM DOMAINKEYS.PUB HERE>”
- vi /etc/mail/dkim_domains.key (new file)
Paste in the following:
- Start/restart services; service dkim-filter restart; service dk-filter restart; service postfix restart (dkim went a bit funny for me here; may be better for dkim-filter and dk-filter to stop, then start them)
- To check the DNS is set up properly, go to http://domainkeys.sourceforge.net/selectorcheck.html and put in web1._domainkey.example.com, then go to http://dkimcore.org/tools/dkimrecordcheck.html and put in mail for the selector, and web1.domain.com for the domain name.
- To check it works; send an email to yahoo address, and check out View Full Header (under the cog button), you should find a line:
Authentication-Results: mta1066.mail.ird.yahoo.com from=example.com; domainkeys=pass (ok); from=web1.domain.com; dkim=pass (ok)
You’ll notice that DKIM and DomainKeys use different parts of the header for validation. DKIM is looking at the server name given by postfix, and DomainKeys is looking at the domain of the From address.
With the solution above, for every additional server sending emails from example.com, you’ll need to set up a DKIM record for the server hostname, and a DomainKeys record for example.com (with a separate selector).