Installing DKIM and DomainKeys for postfix on Ubuntu 10.04

From address:

Aim: validate DKIM and DomainKeys for this email address sending from this server.

Requirements: access to enter TXT DNS records for and, and root access to server.

  1. apt-get install dkim-filter; apt-get install dk-filter
  2. vi /etc/dkim-filter.conf
    Uncomment UMask
    Uncomment Domain, and set to “*” (without quotation marks)
    Underneath Domain, add the following line: “KeyList    /etc/mail/dkim_domains.key”
    Uncomment Selector and set to “mail”
    You can also uncomment AutoRestart and set it to “yes”, and uncomment Statistics, if you want
    Do not uncomment Version – it’s not a valid setting
    Save and close
  3. vi /etc/postfix/
    Append the following:
    # DKIM & DomainKeys
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891,inet:localhost:8892
    non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
  4. cd /etc/mail
  5. dkim-genkey -t -s mail -d (dkim key)
  6. openssl genrsa -out domainkey.key 1024 (domainkeys private key)
  7. openssl rsa -in domainkey.key -out -pubout -outform pem (domainkeys public key)
  8. mv mail.private mail
  9. vi /etc/default/dk-filter
    Uncomment DAEMON_OPTS and SOCKET and set them like so:
    DAEMON_OPTS="$DAEMON_OPTS -d t -s /etc/mail/domainkey.key -S web1" (the selector here is web1; this is because the DNS record has to go on for DomainKeys, so for every server you want to send mail for you’ll need a separate record)
  10. Open up mail.txt; you need to create the DNS record for DKIM for from this.  I use a managed DNS service for, so I put “mail._domainkey.web1” in the subdomain/selector, and paste the bit in quotes as the record content.  Notice the mail.txt file does not have the domain appended, but I’ve added my subdomain web1 in my record.
  11. Make two more DNS records, this time on
    _domainkey IN TXT "t=y; o=~;"
    web1._domainkey IN TXT "k=rsa; t=y; p=<INSERT KEY FROM DOMAINKEYS.PUB HERE>"
  12. vi /etc/mail/dkim_domains.key  (new file)
    Paste in the following:
  13. Start/restart services; service dkim-filter restart; service dk-filter restart; service postfix restart (dkim went a bit funny for me here; may be better for dkim-filter and dk-filter to stop, then start them)
  14. To check the DNS is set up properly, go to and put in, then go to and put in mail for the selector, and for the domain name.
  15. To check it works, send an email to a Yahoo address and open View Full Header (under the cog button); you should find a line:
    Authentication-Results:; domainkeys=pass (ok);; dkim=pass (ok)


You’ll notice that DKIM and DomainKeys use different parts of the header for validation.  DKIM is looking at the server name given by postfix, and DomainKeys is looking at the domain of the From address.

With the solution above, for every additional server sending emails from, you’ll need to set up a DKIM record for the server hostname, and a DomainKeys record for (with a separate selector).
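
Before relying on the selector records from steps 10 and 11, it helps to check what they actually publish. The following is an added example, not part of the original post: it parses a `k=rsa; t=y; p=...` TXT value, reports testing mode (`t=y`), and reads the RSA modulus size from the `p=` key (step 6 generates a 1024-bit key). The function names, the 2048-bit default threshold and the sample record are assumptions; the sample key is constructed filler, not a real key.

```python
import base64
import binascii

def parse_tags(txt):
    """Split a 'k=rsa; t=y; p=...' TXT value into a dict of tag -> value."""
    tags = {}
    for part in txt.strip().strip('"“”').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)      # base64 padding may contain '='
            tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, start, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, _, alg_end = _tlv(der, start)              # AlgorithmIdentifier, skipped
    tag, bits_start, _ = _tlv(der, alg_end)       # BIT STRING wrapping RSAPublicKey
    _, key_start, _ = _tlv(der, bits_start + 1)   # +1 skips the unused-bits byte
    tag2, n_start, n_end = _tlv(der, key_start)   # first INTEGER is the modulus
    if (tag, tag2) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_key_record(txt, min_bits=2048):         # min_bits default is an assumption
    """Return findings for a selector record; an empty list means none."""
    tags, findings = parse_tags(txt), []
    if "y" in tags.get("t", "").split(":"):       # t=y: domain is still in testing mode
        findings.append("testing-mode")
    if not tags.get("p"):
        return findings + ["no-public-key"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, ValueError, IndexError):
        return findings + ["malformed-public-key"]
    if bits < min_bits:
        findings.append("weak-key:%d" % bits)
    return findings

# Constructed sample: 1024-bit key structure with filler modulus bytes (not a real key).
SAMPLE_SPKI = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100" + "c3" * 128 + "0203010001")
SAMPLE = '"k=rsa; t=y; p=%s"' % base64.b64encode(SAMPLE_SPKI).decode()
```

Calling `check_key_record(SAMPLE)` on the constructed record returns both findings; paste the quoted value from your own DNS record in place of `SAMPLE` to check a live selector.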
