[CentOS] Learn how DKIM works and how to install it!

Lawrence

Introduction to DKIM

You’re wondering how DKIM works? DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages' content are trustworthy, meaning that they weren't changed from the moment the a message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. Once again the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key.

• when sending an outgoing message, the last server within the domain infrastructure checks against its internal settings if the domain used in the "From:" header is included in its "signing table". If not the process stops here
• a new header, called "DKIM-Signature", is added to the mail message by using the private part of the key on the message content
• from here on the message *main* content cannot be modified otherwise the DKIM header won't match anymore
• upon reception, the receiving server will make a TXT DNS query to retrieve the key used in the DKIM-Signature field
• the DKIM header check result can be then used when deciding if a message is fraudulent or trustworthy

It works similarly to a SSL certificate. Within the server configuration, a private key is generated, which marks all outgoing email, while a public key is written in the domain DNS zone as a TXT, which deciphers the signature.
Update System

First things first. Like always, first of all, we recommend updating your server. Also, make sure you’re in a screen session:

screen -U -S opendkim-screen
yum update -y

Enabling EPEL Repository

OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKI:

wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
rm -f /tmp/epel-release-6-8.noarch.rpm

Installing OpenDKIM

Install the package using yum:

yum install opendkim -y

OpenDKIM configuration

The next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup:

cp /etc/opendkim.conf{,.orig}
nano /etc/opendkim.conf

and add/edit the following:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Setting Up Public/Private Keys

Generate a set of keys for your "your_domain.com" domain name:

mkdir /etc/opendkim/keys/your_domain.com
opendkim-genkey -D /etc/opendkim/keys/your_domain.com/ -d your_domain.com -s default
chown -R opendkim: /etc/opendkim/keys/your_domain.com
mv /etc/opendkim/keys/your_domain.com/default.private /etc/opendkim/keys/your_domain.com/default

add your_domain.com to OpenDKIM’s key table:

nano /etc/opendkim/KeyTable

by adding the following record:

default._domainkey.your_domain.com your_domain.com:default:/etc/opendkim/keys/your_domain.com/default

next, edit /etc/opendkim/SigningTable:

nano /etc/opendkim/SigningTable

and add the following record to OpenDKIM’s signing table:

*@your_domain.com default._domainkey.your_domain.com

and in /etc/opendkim/TrustedHosts:

nano /etc/opendkim/TrustedHosts

add your domain and your hostname as trusted hosts:

127.0.0.1
your_domain.com
your_servers_hostname.com

Adding the Public Key to The Domain's DNS Records

Next up is the DNS record setup. How you do this is again completely dependent on how you manage DNS or how it is managed for you - everyone's tools are different. Note that some registrars do not let you create raw TXT records with specific subdomains, which will prevent you from creating DKIM TXT records. If this is the case, then you will have to transfer your domain to a real registrar that lets you play with all the toys. Or you can simply use our DNS management system!

You can find information about your public key in /etc/opendkim/keys/your_domain.com/default.txt file:

cat /etc/opendkim/keys/your_domain.com/default.txt

Here is how it looks on our DNS management system:



If Using Postfix

In order to integrate OpenDKIM with Postfix we need to add the following few lines:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

in /etc/postfix/main.cf:

nano /etc/postfix/main.cf

Next is adding OpenDKIM to your system’s start-up and start opendkim and restart Postfix using the following commands:

service opendkim start
chkconfig opendkim on
service postfix restart

If Using EXIM

Set-up Exim to use OpenDKIM for signing the emails by editing /etc/exim/exim.conf:

nano /etc/exim/exim.conf

and adding the following to the remote_smtp transport:

remote_smtp:
        driver = smtp
        dkim_domain = $sender_address_domain
        dkim_selector = default
        dkim_private_key = ${if exists{/etc/opendkim/keys/$sender_address_domain/default}{/etc/opendkim/keys/$sender_address_domain/default}{0}}
        dkim_canon = relaxed
        dkim_strict = 0

restart Exim and Opendkim for the changes to take effect using:

service opendkim start
chkconfig opendkim on
service exim restart

Testing

First of all, give the DNS changes a chance to propagate before using them. The decent testing service is Mail Tester.
Now you have all the required information to know how and why setup DKIM. Keep your inbox clean and safe!

smziaurrashid

Hello,
While tried to install opendkim face following error:

Error: Package: opendkim-2.11.0-0.1.el6.x86_64 (epel)

           Requires: libmilter.so.1.0()(64bit)

 You could try using --skip-broken to work around the problem

** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:

sendmail-cf-8.14.4-9.el6_8.1.noarch has missing requires of sendmail = ('0', '8.14.4', '9.el6_8.1')

Roman

Hello,

Try this command to install OpenDKIM:

yum install opendkim opendkim-tools --enablerepo=clearos-centos

mohamed89

Is this tutorial still work  i followed all steps but all mails sent without dkim signature and my public key is in my domains dns now 

I get this error to with opendkim when I use this command 
systemctl  status opendkim

systemd[1]: PID file /var/run/opendkim/opendkim.pid not readable (yet?) after start.

Valentine

Yes, this tutorial should work. You could try specifying PidFile file in config /etc/opendkim.conf :

PidFile                 /var/run/opendkim/opendkim.pid

mohamed89

first thanks for your answer Valentine i am already use the same opendkim configuration in this tutorial 
and i am sure that pidfile line is in opendkim.conf but still all  mails without dkim and this error too 

systemd[1]: PID file /var/run/opendkim/opendkim.pid not readable (yet?) after start.