Want to verify the sender of that e-mail? Here’s how to set up DKIM signing on your server

In the business world, signatures are an essential element of every legally binding document. You can’t enforce an unsigned contract, cash an unsigned cheque, complete contracts of sale or business deals without signatures.

Just about every other document, including even the business accounts before filling them, require an authorised signature. Communication documents are no different: with memos and circulars often being signed.

A signature is a sign of endorsement, understanding or proof that you have either read or written the signed document. For important documents such as withdrawal slips in banks, a specimen signature on file is used to verify that the signature is authentic.

Following the same model, DKIM (DomainKeys Identified Mail), makes use of a pair of private and public keys to electronically sign mail. Any server implementing DKIM can, therefore, verify that the email came from the origin that it purports to come from. A special DNS record is set up with a public key which can be used by receiving servers to verify if the emails are indeed coming from authorised servers.

There are therefore two ways of implementing DKIM. Either as a sending server where emails are signed using a private key stored on the server. Or as a receiving MTA where the origin of emails is verified using DKIM and treated according to the sending MTA’s official DMARC policy. The setup below covers both.

We will look at how you can configure your email server to sign your outgoing emails using DKIM. As always we will be assuming that you are using Postfix as your MTA on an Ubuntu server running Trusty.

There are too many ways of doing this it would be exhausting to outline them all on other platforms. We are also assuming you already know how to access your server using SSH, have already set up SPF records and the PTR record is set with a matching FQDN. Most importantly we are assuming your email server only handles mail for one domain thus it only needs one key pair for signing email for that domain. For multiple domains see this guide instead.

  • Install OpenDKIM using the following commands (you can copy and paste them):
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo apt-get install opendkim opendkim-tools
  • Open DKIM’s main configuration file using the command:
    sudo nano /etc/opendkim.conf
  • Append the following lines at the end of the file and save it:
    #I admit @gdzoma is smarter than me
    Domain             chidomainchangu.co.zw
    KeyFile            /etc/postfix/makii/dkim.key
    Selector           siginicha
    Socket    inet:12301@localhost
  • Now we need to connect the OpenDKIM milter(mail filter) to do issue the command:
    sudo nano /etc/default/opendkim
  • Add the following line to the file and save it:
    SOCKET="inet:12301@localhost"
  • Configure Postfix to use the milter:
    sudo nano /etc/postfix/main.cf
  • Look for the following lines and make sure that they are not commented i.e. the do not begin with a # un-comment them if necessary:
    milter_protocol = 2
    milter_default_action = accept
  • Add the following lines to the configuration file:
    #Email dzese ngadzisainwe
    smtpd_milters = inet:localhost:12301
    non_smtpd_milters = inet:localhost:12301
  • Please note if there are other milters just add the DKIM milter after a comma for example if you already use assassin and the smtpd_milters and non_smtpd_milters lines already exist just add to them as below.
    smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
    non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
  • Create a directory to hold the DKIM baggage and move into that directory:
    sudo mkdir -p /etc/postfix/makii
    cd /etc/postfix/makii
  • Generate the domain key pair for DKIM using the following commands (make sure to change chidomainchangu.co.zw to your own domain):
    MYDOMAIN=chidomainchangu.co.zw
     opendkim-genkey -t -s mail -d $MYDOMAIN
  • In the folder /etc/postfix/makii there will be a file named default.txt open and copy the contents of the folder and use them to create a TXT record for example if the contents are:
    siginicha._domainkey.chidomainchangu.co.zw IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC65tv6LhAbbrqcwgyBaC
    x50scjedj357we9SJdff6VHOKDYgU/kvuV2rQiedHjtJDPuFJIwoNqh8pbIWxcZ8J2FhVhXU1QWdBmOQ/w61jfsyVAMrX/SrcJAd/1
    XHYcS4o3uIOV7jICVOJLiYW5wjYLvWpPoraQzQE1Npjlsx2T5QIDAQAB" ; ----- DKIM key default for chidomainchangu.co.zw
  • You create a TXT record for a subdomain named
    siginicha._domainkey.chidomainchangu.co.zw

    and the value field set to

    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC65tv6LhAbbrqcwgyBaC
    x50scjedj357we9SJdff6VHOKDYgU/kvuV2rQiedHjtJDPuFJIwoNqh8pbIWxcZ8J2FhVhXU1QWdBmOQ/w61jfsyVAMrX/SrcJAd/1
    XHYcS4o3uIOV7jICVOJLiYW5wjYLvWpPoraQzQE1Npjlsx2T5QIDAQAB"

    including the quotation marks and the TTL set to something appropriate for example 3200.

  • Please note your  own value will certainly be different, use the contents of this file, do not copy and paste the above. You will rue the day you do this.
  • Restart postfix and DKIM:
    sudo service opendkim restart
    sudo service postfix restart
  • Send an email to your Gmail Account, open the email and click on the from tab and you should see a field that says signed by.

That wasn’t so hard now was it? As always leave your comments, ideas and improvements below.

Image credit: documentexperts.net

,

2 comments

  1. Anonymous

    not bad:)

  2. Martin

    This method works if you are not a service provider, because considering you host 500+ domains , it will be an overkill… very helpful though.still thinking of other means of securing my SMTP outbound servers.

    My personal 2 cents , If you are hosting multiple domains ,then security should be incorporated from the initial design of your SMTP server gateways ,otherwise you wont keep up

Join Waitlist We will inform you when the product arrives in stock. Please leave your valid email address below.
Exit mobile version