Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.



Setup DomainKeys Identified Mail (DKIM) in Postfix

Ástþór IP

DomainKeys Identified Mail (DKIM) is a method for email authentication that allows an organization to take responsibility for a message it has sent in a way that can be validated by a recipient. The technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a digital signature to a message’s header, the DKIM-Signature header field. The verifier recovers the signer’s public key using the DNS, and then verifies that the signed parts have not been altered.

1. Install DKIM filter

apt-get install dkim-filter

2. Create a key for each domain verified

mkdir -p /etc/dkim/keys/
cd /etc/dkim/keys/
dkim-genkey -r -d

Replace with the domain that this mail server should authenticate using DKIM

3. Add a line for each domain to dkim-keys.conf file (pico /etc/dkim-keys.conf)


Replace with the domain that this mail server should authenticate using DKIM

4. Add a TXT record to the DNS for the domain being authenticated using DKIM. The record is automatically created and stored in /etc/dkim/keys/ You just need to add it to the DNS server. (cat /etc/dkim/keys/

Here’s a sample output:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8IQNYlS+8jyrbAxNsghsPrWYgOQQWI0Ab4e9MToZYLTBGI41V3Zet5Awrt19nMIUlTpuE+/YVnjP/pu3fgeYkoe6NUzp+oEcWAioQXBmx0njigac7iJ/I0naTP1xTrDacnwsTp/F+lMwGgjiHpaJA7iBmL0AfYMXlTBo5pFog2QIDAQAB" ; ----- DKIM default for

Repeat steps 2, 3 and 4 for every domain that this server should authenticate using DKIM.

5. Uncomment line 37 to make DKIM filter use the dkim-keys.conf file to look up domains available (pico /etc/dkim-filter.conf)

KeyList /etc/dkim-keys.conf

6. Add an inet socket that Postfix can communicate with (pico /etc/default/dkim-filter)

SOCKET="inet:8891@localhost"

7. Restart DKIM filter

/etc/init.d/dkim-filter restart

8. Configure Postfix to query DKIM filter using the socket created earlier. Add these lines to (pico /etc/postfix/

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

9. Reload Postfix config

postfix reload
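
As an added example (not part of the original tutorial), this Python check can be run on the TXT record from step 4 before it is published in DNS. It parses the tags, decodes p= and reports the RSA modulus size; the function names are this example's own, and the 2048-bit threshold is an assumption taken from the RFC 8301 recommendation for signers.

```python
import base64
# Sample record from step 4 of this page (quotes and zone-file comment removed).
SAMPLE = ("v=DKIM1; g=*; k=rsa; p="
          "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8IQNYlS+8jyrbAxNsghsPrWYgOQQWI0"
          "Ab4e9MToZYLTBGI41V3Zet5Awrt19nMIUlTpuE+/YVnjP/pu3fgeYkoe6NUzp+oEcWAioQ"
          "XBmx0njigac7iJ/I0naTP1xTrDacnwsTp/F+lMwGgjiHpaJA7iBmL0AfYMXlTBo5pFog2QIDAQAB")

def parse_tags(txt):
    """Split a DKIM key record into {tag: value}, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_key_info(p_b64):
    """Return (modulus_bits, exponent) from a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(p_b64, validate=True)
    _, spki, _ = _tlv(der, 0)              # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)        # AlgorithmIdentifier (skipped)
    tag, bits, _ = _tlv(der, alg_end)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa, _ = _tlv(der, bits + 1)        # +1 skips the unused-bits octet
    _, n0, n1 = _tlv(der, rsa)             # INTEGER modulus
    _, e0, e1 = _tlv(der, n1)              # INTEGER public exponent
    return int.from_bytes(der[n0:n1], "big").bit_length(), int.from_bytes(der[e0:e1], "big")

def audit(txt, min_bits=2048):             # 2048: assumed threshold (RFC 8301 SHOULD)
    """Return a list of findings for one DKIM key record (empty list = clean)."""
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":      # k= defaults to rsa when absent
        return ["non-RSA key, size check skipped"]
    if not tags.get("p"):
        return ["empty p= (key revoked or record truncated)"]
    try:
        bits, _exponent = rsa_key_info(tags["p"])
    except (ValueError, IndexError) as err:  # bad base64 or malformed DER
        return [f"p= does not decode: {err}"]
    return [f"RSA key is {bits} bits, below {min_bits}"] if bits < min_bits else []
```

For the sample record on this page, `audit(SAMPLE)` reports a 1024-bit key.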

Comments 11
  • Larry

    Awesome tutorial.

  • Guillermo Cruz

    In step 2 at end you should rename default.private to default. So the key refers correctly to instead of when the DKIM test is performed

  • Ashrocks

    Does it work for ZIMBRA too?

    I tried but it failed to start.

    I am running postfix from zimbra installation.

    Please let me know if I’m doing anything wrong.

    My error log is given below.

    Restarting DKIM Filter: No /usr/sbin/dkim-filter found running; none killed.
    dkim-filter: /etc/dkim/keys/ open(): No such file or directory

    dkim-filter: /etc/dkim-filter.conf: key load from /etc/dkim-kets/conf failed

    Starting for DKIM verification only
    dkim-filter: /etc/dkim/keys/ No such file or directory

    dkim-filter: /etc/dkim-filter.conf: ket load from /etc/dkim-keys.conf failed.

    I followed Cruz’s instructions to not use default.private.

    Any help is highly appreciated.


  • Ashrocks

    In my previous comment it was indeed

    dkim-filter: /etc/dkim-filter.conf: key load from /etc/dkim-keys/conf failed.

    Just a typographical error while writing here…

    Any help please come to my rescue.


  • Sean

    Uncomment Line 37? Of what file? Is something missing there?

  • Nick

    @Sean: Probably in “/etc/dkim-filter.conf” since that’s what the text says 😉

  • buddy

    thanks for the help buddy, good luck

  • Dan MacNeil

    actually with debian squeeze the txt record should be: 3 IN TXT “v=DKIM1; g=*; k=rsa; p=…”

  • Dan MacNeil

    Also a good way to check everything is working:

  • Max

    Thanks for a great tutorial, however for me it required some additional googling before getting everything to work. In this blog post is how I got it to work (credit to you in the end):

  • leToff

    Thanks for that tuto. I had a problem with my first domain in the dkim-keys.conf file and guess what, the file was an UTF-8 type with a BOM instead of plain ASCII…
    Jeeez, I almost have no more hair!