
DKIM Signing for postfix mail server Ubuntu Server 12.04


DomainKeys Identified Mail (DKIM)

  Lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
In essence, it will help keep your mail from going to spam. Follow each step, and remember to replace the domain with your own domain and selector with your own selector (i.e., any text).

1. Log in as root and install opendkim

sudo su
sudo apt-get install opendkim opendkim-tools

2. Make a directory and generate the keys

mkdir /etc/opendkim/
cd /etc/opendkim
-s means selector, so change the word after it to the selector we choose; here, selector
-d means domain, so change the word after it as needed; here
opendkim-genkey -s selector -d 

Thus two files, selector.txt and selector.private, are created.

3. Add the user and set appropriate permissions

To check whether a user ‘opendkim’ exists:
grep opendkim /etc/passwd
Now run this as well:
chmod 700 /var/run/opendkim
If the user is not already there, we have to add the user:
useradd -r -g opendkim -G mail -s /sbin/nologin -d /var/run/opendkim -c "OpenDKIM" opendkim
Change ownership of the private key to opendkim:
chown opendkim:opendkim selector.private
To check the ownership of any file you may also use:
ls -la /etc/opendkim | grep selector

4. Publish the DNS record

cat selector.txt
Typing the above command gives a result like this:
selector._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBabe8HHbcFfCIIVty76o4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" ; ----- DKIM key mail for
Add a TXT record from your hosting website's (for example, DigitalOcean's) control panel.  A
. In our case, copy
in the name field, and copy the text enclosed in “” (including the “) from the above result into the text field. A selector mail is shown in the example given below.
To check the status of DNS // or you can use
dig txt  +short 
Test the key against the server
opendkim-testkey -d -s selector -k selector.private -vvv
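
Before publishing the record it is worth checking what the p= value actually contains: it is a base64 SubjectPublicKeyInfo, and the size of its RSA modulus decides how strong the signature is. The following added example (not part of the original post; the function names are illustrative) parses a selector.txt record, including the multi-string form used for longer keys, and reports findings on the key.

```python
import base64
import re

# Record printed by "cat selector.txt" in step 4 (key copied from this page).
SELECTOR_TXT = (
    'selector._domainkey IN TXT "v=DKIM1; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awT'
    'pE+iGYcKBabe8HHbcFfCIIVty76o4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEP'
    'uBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4'
    'UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" ; ----- DKIM key'
)

def parse_dkim_txt(zone_line):
    """Join the quoted strings of a zone-file TXT record and split it into tags."""
    value = "".join(re.findall(r'"([^"]*)"', zone_line))
    pairs = (part.partition("=") for part in value.split(";"))
    return {name.strip(): "".join(val.split()) for name, sep, val in pairs if sep}

def read_tlv(der, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def rsa_bits(p_value):
    """Modulus size in bits of the SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_value, validate=True)
    _, body, _ = read_tlv(der, 0)              # outer SEQUENCE
    _, _, alg_end = read_tlv(der, body)        # AlgorithmIdentifier (skipped)
    _, bits, _ = read_tlv(der, alg_end)        # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = read_tlv(der, bits + 1)    # +1 skips the unused-bits octet
    tag, start, end = read_tlv(der, rsa_key)   # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA public key")
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(zone_line):
    """Return a list of findings for one DKIM key record (empty list = no findings)."""
    tags = parse_dkim_txt(zone_line)
    findings = []
    if not tags.get("p"):
        findings.append("p= is empty or missing: key is revoked or the record is truncated")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_bits(tags["p"])
        if bits < 2048:
            findings.append(f"RSA key is {bits} bits; RFC 8301 recommends at least 2048")
    return findings
```

For the record shown in step 4, audit() reports a 1024-bit key; opendkim-genkey accepts -b to set the key size when generating a new one.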

5. Edit the OpenDKIM configuration file

cp /etc/opendkim.conf /etc/opendkim.conf.bk
nano /etc/opendkim.conf
cat /etc/opendkim.conf
On entering the above command you can see my opendkim configuration; # is used for comments
# Log to syslog
Syslog         yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask          022
# Sign for with key in /etc/mail/dkim.key using
# selector '2007' (e.g.
#KeyFile     /etc/opendkim/key1.private 
#Selector     key1
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization     relaxed/simple
Mode             sv #s sign v verify
SubDomains          yes
#ADSPDiscard          no
# Log to syslog
Syslog              yes
SyslogSuccess          yes
LogWhy              yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask              022
UserID              opendkim:opendkim
KeyTable          /etc/opendkim/key
SigningTable          refile:/etc/opendkim/sign
ExternalIgnoreList     refile:/etc/opendkim/TrustedHosts
InternalHosts         refile:/etc/opendkim/TrustedHosts
# Hashing Algorithm
SignatureAlgorithm     rsa-sha256
Socket             inet:8891@localhost
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders      From
# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)
PidFile         /var/run/opendkim/
AutoRestart         Yes
AutoRestartRate     10/1h
#ATPSDomains
#EOF

5. Working with text files (TrustedHosts, SigningTable, KeyTable)

Edit /etc/default/opendkim: Uncomment this row and use port 8891:

SOCKET="inet:8891@localhost" # listen on loopback on port

To allow the connection through the firewall
sudo iptables -A INPUT -i lo -j ACCEPT

Now create a file
nano /etc/opendkim/key

 And add the line

Create another file
nano /etc/opendkim/TrustedHosts

And add the following lines 
* #(IP address of your server, if applicable)

Create another file
nano /etc/opendkim/sign

And add the following line at end

Take a backup of the postfix configuration file, which may be useful in case of any errors.
cp /etc/postfix/ /etc/postfix/

Edit /etc/postfix/ and add the lines to the end

nano /etc/postfix/
milter_default_action = accept 
milter_protocol = 2 

6. Restart opendkim and postfix

service opendkim restart
service postfix restart
# also use service postfix status to check the status


# you can look at the logs; this is highly useful
vim /var/log/mail.log
vim /var/log/mail.err

Now, if we want many domains

Do replace the domain and selector for each domain.
What we have to do is:
1. Generate one more key
sudo su
cd /etc/opendkim
opendkim-genkey -s [selector] -d 
# replace both [selector] and the domain with the new selector and domain name
2. Change the ownership of the generated key file
chown opendkim:opendkim [selector].private # the [selector] we used in the step above
3. Add the details to TrustedHosts, SigningTable and KeyTable
Open the file
nano /etc/opendkim/key
And add the following line at the end
Open the file
nano /etc/opendkim/sign
And add the following line
Open the file
nano /etc/opendkim/TrustedHosts
And add the following line
Also remember to restart opendkim and postfix each time.
service opendkim restart
service postfix restart
Finally send
or use
to check the status of DKIM Signing by sending mails to these.

(I started with this, then followed his reference )
(I think the best tutorial but on CentOS)
(TXT related portion is misleading)
