Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

July 2024


Setup DomainKeys Identified Mail (DKIM) in Postfix

Ástþór IP

DomainKeys Identified Mail (DKIM) is a method for email authentication that allows an organization to take responsibility for a message it has sent in a way that can be validated by a recipient. The technique is based on public-key cryptography: the signer claims responsibility by adding a digital signature to the message’s header, in the DKIM-Signature header field. The verifier retrieves the signer’s public key from the DNS and then verifies that the signed parts have not been altered.

1. Install DKIM filter

apt-get install dkim-filter

2. Create a key for each domain verified

mkdir -p /etc/dkim/keys/
cd /etc/dkim/keys/
dkim-genkey -r -d

Replace with the domain that this mail server should authenticate using DKIM

3. Add a line for each domain to dkim-keys.conf file (pico /etc/dkim-keys.conf)


Replace with the domain that this mail server should authenticate using DKIM

4. Add a TXT record to the DNS for the domain being authenticated using DKIM. The record is automatically created and stored in /etc/dkim/keys/ You just need to add it to the DNS server. (cat /etc/dkim/keys/

Here’s a sample output:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8IQNYlS+8jyrbAxNsghsPrWYgOQQWI0Ab4e9MToZYLTBGI41V3Zet5Awrt19nMIUlTpuE+/YVnjP/pu3fgeYkoe6NUzp+oEcWAioQXBmx0njigac7iJ/I0naTP1xTrDacnwsTp/F+lMwGgjiHpaJA7iBmL0AfYMXlTBo5pFog2QIDAQAB" ; ----- DKIM default for

Repeat steps 2, 3 and 4 for every domain that this server should authenticate using DKIM.

5. Uncomment line 37 to make DKIM filter use the dkim-keys.conf file to look up domains available (pico /etc/dkim-filter.conf)

KeyList /etc/dkim-keys.conf

6. Add an inet socket that Postfix can communicate with (pico /etc/default/dkim-filter)


7. Restart DKIM filter

/etc/init.d/dkim-filter restart

8. Configure Postfix to query DKIM filter using the socket created earlier. Add these lines to (pico /etc/postfix/

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

9. Reload Postfix config

postfix reload

Comments 11
  • Larry

    Awesome tutorial.

  • Guillermo Cruz

    In step 2 at end you should rename default.private to default. So the key refers correctly to instead of when the DKIM test is performed

  • Ashrocks

    Does it work for ZIMBRA too?

    I tried but it failed to start.

    I am running postfix from zimbra installation.

    Please let me know if I’m doing anything wrong.

    My error log is given below.

    Restarting DKIM Filter: No /usr/sbin/dkim-filter found running; none killed.
    dkim-filter: /etc/dkim/keys/ open(): No such file or directory

    dkim-filter: /etc/dkim-filter.conf: key load from /etc/dkim-kets/conf failed

    Starting for DKIM verification only
    dkim-filter: /etc/dkim/keys/ No such file or directory

    dkim-filter: /etc/dkim-filter.conf: ket load from /etc/dkim-keys.conf failed.

    I followed Cruz's instructions to not use default.private.

    Any help is highly appreciated.


  • Ashrocks

    In my previous comment it was indeed

    dkim-filter: /etc/dkim-filter.conf: key load from /etc/dkim-keys/conf failed.

    Just a typographical error while writing here…

    Any help please come to my rescue.


  • Sean

    Uncomment Line 37? Of what file? Is something missing there?

  • Nick

    @Sean: Probably in “/etc/dkim-filter.conf” since that’s what the text says 😉

  • buddy

    Thanks for the help buddy, good luck.

  • Dan MacNeil

    Actually, with Debian squeeze the TXT record should be: 3 IN TXT “v=DKIM1; g=*; k=rsa; p=…”

  • Dan MacNeil

    Also a good way to check everything is working:

  • Max

    Thanks for a great tutorial, however for me it required some additional googling before getting everything to work. In this blog post is how I got it to work (credit to you in the end):

  • leToff

    Thanks for that tuto. I had a problem with my first domain in the dkim-keys.conf file and guess what, the file was a UTF-8 type with a BOM instead of plain ASCII…
    Jeeez, I almost have no more hair!