Posts tagged ‘dkim’

DKIM is used to ensure that mail that says it comes from my domains actually does. You do this by adding an entry to your DNS server (with your public key in it), and then outgoing email is signed (with your private key) using a mail filter (aka milter). I’m using CentOS 5.4 64bit and sendmail.

First a few dependencies:

sudo yum install openssl openssl-devel sendmail sendmail-cf sendmail-devel

Step 1. Install the DKIM milter

Download dkim-milter from sourceforge

mkdir ~/dkim
cd ~/dkim
tar xf dkim-milter-2.8.3.tar.gz
cd dkim-milter-2.8.3
cp site.config.m4.dist devtools/Site/site.config.m4
sh Build
sudo sh Build install

Step 2. Generate the private key

cd ~/dkim
openssl genrsa -out rsa.private 1024
openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
mkdir /var/db/dkim
mv rsa.private /var/db/dkim/mail.key.pem

Step 3. Create the DNS entry.

3a. Add the entry for the public key

I’m using tinydns (actually VDNS but same thing).
You need a TXT entry for the domain that looks something like:

k=rsa; p=MIGfMA0…AQAB

I used a tool at:

to make my entry (for tinydns)\341k=rsa;\040p=AMIGfMA0GCS...AQABS:86400

(where p= is your public key (rsa.public), and the “mail” in mail._domainkey… matches the mail in mail.key.pem in the instructions in Step 2)

In bind it would look something like this: IN TXT “k=rsa; p=AMIGfMA0GCS…AQABS”

Step 3b. Set up the signing practice (ADSP)

Add a TXT record to the domain, to indicate how the emails will be sent. There are three options. dkim={unknown|all|discardable}

unknown Means that the email from this domain might be signed. (could be some/all or none of the emails). This is useful if you send email from home via your ISP.

all Means that all email will be signed.

discardable Means all email will be signed, and if the email is received without it, the recipient should discard it.

I’m going for dkim=all, so my DNS entry is:


Step 4. Setup the mail filter (milter)

sudo adduser -r dkim -s /bin/false
echo > /etc/dkim.conf '
Canonicalization simple
KeyFile /var/db/dkim/mail.key.pem
Selector mail
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
Syslog Yes
Userid dkim

#start the filter:
/usr/sbin/dkim-filter -x /etc/dkim.conf
#add the above line to /etc/rc.d/rc.local
echo '/usr/sbin/dkim-filter -x /etc/dkim.conf' >> /etc/rc.d/rc.local

edit /etc/mail/ and add the following line:

INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')

And then rebuild/restart sendmail

cd /etc/mail
/etc/rc.d/init.d/sendmail restart

Step 5. Testing

Send an email to your gmail account, and then view the headers, google will tell you if you got it right, or check out the link at, they have an autoresponder.