Complete Guide to DKIM Setup

Master DKIM (DomainKeys Identified Mail) implementation to protect your domain from email tampering and improve deliverability. Learn how to generate keys, create records, and maintain effective DKIM configuration.

DKIM Overview

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to emails, allowing recipients to verify that the email was indeed sent and authorized by the domain owner.

Why DKIM Matters
  • Detects email tampering in transit (a modified message fails signature verification)
  • Improves email deliverability rates
  • Protects your domain reputation
  • Builds trust with email providers
  • Essential for modern email security

DKIM Key Generation

Creating DKIM keys is the first step in implementing DKIM authentication.

Key Generation Process
Using OpenSSL to Generate DKIM Keys:
# Generate private key
openssl genrsa -out dkim-private.key 2048

# Generate public key
openssl rsa -in dkim-private.key -pubout -out dkim-public.key
  • Key Components:
    • Private Key - Kept secure on your mail server
    • Public Key - Published in DNS
    • Selector - Unique identifier for key pair
Important: Key Security

Keep your private key secure and never share it. The public key is what gets published in your DNS records.

DKIM Record Creation

Creating an effective DKIM record requires proper formatting and DNS configuration.

DKIM Record Structure
selector._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
  • Record Components:
    • v=DKIM1 - Version identifier
    • k=rsa - Key type (RSA)
    • p= - Public key data
    • s=email - Service type (optional)
    • t=y - Testing mode (optional)
DKIM Record Examples
# Basic DKIM record
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

# DKIM record with additional parameters
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...; s=email; t=y"
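
A 2048-bit public key is longer than the 255 bytes a single TXT character-string can hold, so the record value has to be published as several quoted strings. The script below is an added example, not part of the original guide: it builds the record from dkim-public.key and splits it; the function name dkim_txt_record and the output layout are this example's own.

```shell
#!/bin/sh
# Added example: turn a PEM public key into a zone-file TXT record.
# Usage: dkim_txt_record selector yourdomain.com dkim-public.key
dkim_txt_record() {
    selector=$1; domain=$2; pem=$3
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Refuse to publish anything that is not a public key file
    # (this also catches the private key being passed by mistake).
    if ! grep -q '^-----BEGIN PUBLIC KEY-----' "$pem"; then
        echo "refusing: $pem is not a PEM public key" >&2
        return 1
    fi
    # Drop the PEM armour lines and join the base64 body into one string.
    p=$(grep -v '^-----' "$pem" | tr -d ' \t\r\n')
    case $p in
        ''|*[!A-Za-z0-9+/=]*) echo "refusing: bad base64 in $pem" >&2; return 1 ;;
    esac
    value="v=DKIM1; k=rsa; p=$p"
    # One TXT character-string holds at most 255 bytes. Split the value;
    # verifiers concatenate the strings without adding anything between them.
    strings=$(printf '%s\n' "$value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$selector" "$domain" "$strings"
}
```

Many DNS control panels do the splitting themselves and expect the unquoted value in one field; the split form is for zone files.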

Testing & Validation

Regular testing confirms that your DKIM configuration is still correct and that outgoing mail is actually being signed.

Testing Methods
  • DNS Record Validation
    • Verify DKIM record syntax
    • Check public key format
    • Validate selector configuration
  • Email Testing
    • Send test emails from your domain
    • Verify DKIM signatures in headers
    • Test with different email clients
  • Monitoring Tools
    • Use MailTester.app for comprehensive testing
    • Monitor DKIM authentication rates
    • Track deliverability metrics

Common Issues & Solutions

Troubleshooting Guide
  • Common Problems:
    • Key mismatch between private and public keys
    • Incorrect DNS record format
    • Selector configuration issues
    • Mail server configuration problems
    • Key rotation complications
  • Solutions:
    • Verify key pair generation process
    • Validate DNS record syntax
    • Check mail server DKIM signing configuration
    • Implement proper key rotation procedures
    • Use testing tools to verify setup
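
To cover the record checks listed under Testing Methods and the key-mismatch problem above, the following added example (not from the original guide; dkim_tag and dkim_check_published are names invented here) compares a published record, as printed by dig +short TXT, with the public key derived from your private key.

```shell
#!/bin/sh
# Added example: check a published DKIM record against the signing key.
# dkim_check_published TXT_ANSWER EXPECTED_P
#   TXT_ANSWER: output of  dig +short TXT selector._domainkey.yourdomain.com
#   EXPECTED_P: output of  openssl rsa -in dkim-private.key -pubout -outform DER | openssl base64 -A
# Prints one finding per line; returns 0 only when nothing FAILs.

dkim_tag() {  # dkim_tag RECORD NAME -> value of that tag, whitespace removed
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" | tr -d '[:space:]'
}

dkim_check_published() {
    # dig prints each TXT character-string quoted; join them with nothing
    # in between, which is how verifiers read a split record.
    rec=$(printf '%s\n' "$1" | sed 's/"[[:space:]]*"//g; s/^"//; s/"$//')
    rc=0
    case $rec in
        v=DKIM1*) ;;
        *) echo "FAIL: record does not start with v=DKIM1"; rc=1 ;;
    esac
    k=$(dkim_tag "$rec" k); p=$(dkim_tag "$rec" p); t=$(dkim_tag "$rec" t)
    case ${k:-rsa} in   # k= defaults to rsa when absent
        rsa) ;;
        *) echo "FAIL: k=$k, but the key was generated as RSA"; rc=1 ;;
    esac
    if [ -z "$p" ]; then
        echo "FAIL: p= is empty or missing (an empty p= means the key is revoked)"; rc=1
    elif [ "$p" != "$2" ]; then
        echo "FAIL: published key does not match the private key"; rc=1
    fi
    case $t in *y*) echo "WARN: t=y (testing mode) is still set" ;; esac
    [ "$rc" -eq 0 ] && echo "OK: published record matches the signing key"
    return "$rc"
}
```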

Best Practices

DKIM Implementation Checklist
  • Key Management
    • Use 2048-bit RSA keys
    • Implement key rotation procedures
    • Secure private key storage
    • Maintain backup keys
  • Configuration
    • Use meaningful selectors
    • Configure proper signing algorithms
    • Set appropriate key rotation periods
    • Monitor signing rates
Pro Tips
  • Always test new keys before deployment
  • Document your key rotation schedule
  • Use MailTester.app for pre-flight testing
  • Consider implementing multiple selectors
  • Regularly audit your DKIM configuration

Mail Server Configuration

This section shows how to configure DKIM signing on two popular mail servers: Postfix (with OpenDKIM) and Exim4.

Setting up DKIM with OpenDKIM and Postfix
1. Install Required Packages:
# Debian/Ubuntu
sudo apt-get install opendkim opendkim-tools

# CentOS/RHEL
sudo yum install opendkim
2. Configure OpenDKIM:
# Create directory for keys
sudo mkdir -p /etc/opendkim/keys/yourdomain.com

# Move your private key
sudo mv dkim-private.key /etc/opendkim/keys/yourdomain.com/selector.private

# Set proper permissions
sudo chown -R opendkim:opendkim /etc/opendkim/keys
sudo chmod 600 /etc/opendkim/keys/yourdomain.com/selector.private
3. OpenDKIM Configuration (/etc/opendkim.conf):
# Basic settings
Syslog                  yes
UMask                   002
Canonicalization        relaxed/simple
Mode                    sv
SubDomains             no
Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
PidFile                /run/opendkim/opendkim.pid
SignatureAlgorithm     rsa-sha256

# Signing configuration
Domain                  yourdomain.com
Selector               selector
KeyFile                /etc/opendkim/keys/yourdomain.com/selector.private
4. Postfix Integration (/etc/postfix/main.cf):
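# DKIM configuration
milter_protocol = 6
# accept = mail is still delivered, unsigned, if OpenDKIM is unreachable
milter_default_action = accept
# If Postfix runs chrooted (the Debian/Ubuntu default), give the socket path
# relative to the queue directory instead: local:opendkim/opendkim.sock
smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock
non_smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock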
5. Start and Enable Services:
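# Create socket directory
sudo mkdir -p /var/spool/postfix/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/opendkim

# Let Postfix connect to the socket (UMask 002 leaves it group-writable)
sudo usermod -aG opendkim postfix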

# Start services
sudo systemctl start opendkim
sudo systemctl restart postfix

# Enable services
sudo systemctl enable opendkim
sudo systemctl enable postfix

Setting up DKIM with Exim4
1. Install Required Packages:
# Debian/Ubuntu
sudo apt-get install exim4-daemon-heavy exim4-config
2. Configure DKIM Keys:
# Create directory for keys
sudo mkdir -p /etc/exim4/dkim

# Move your private key
sudo mv dkim-private.key /etc/exim4/dkim/yourdomain.com.selector.key

# Set proper permissions
sudo chown -R Debian-exim:Debian-exim /etc/exim4/dkim
sudo chmod 640 /etc/exim4/dkim/yourdomain.com.selector.key
3. Exim4 DKIM Configuration (/etc/exim4/conf.d/main/00_local_macros):
# DKIM configuration
DKIM_CANON = relaxed
DKIM_SELECTOR = selector
DKIM_DOMAIN = yourdomain.com
DKIM_PRIVATE_KEY = /etc/exim4/dkim/${dkim_domain}.${dkim_selector}.key
DKIM_SIGN_HEADERS = From:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Reply-To:List-Unsubscribe

# DKIM signing is built into Exim's smtp transport (the dkim_* options in
# step 4), so no external filter program is needed.
4. Configure Transport (/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp):
# Debian's packaged remote_smtp transport already carries these options inside
# .ifdef guards, so defining the macros above is enough there.
remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = DKIM_SELECTOR
  dkim_private_key = DKIM_PRIVATE_KEY
  dkim_canon = DKIM_CANON
  dkim_sign_headers = DKIM_SIGN_HEADERS
5. Restart Exim4:
# Update Exim4 configuration
sudo update-exim4.conf

# Restart Exim4
sudo systemctl restart exim4
Testing Your Exim4 DKIM Setup
# Send a test email (replace the placeholder address with a mailbox you control)
echo "Test DKIM" | mail -s "DKIM Test" recipient@example.com

# Check Exim4 logs
sudo tail -f /var/log/exim4/mainlog
Important Notes
  • Always backup your configuration files before making changes
  • Test your configuration in a staging environment first
  • Monitor your mail logs after implementation
  • Use MailTester.app to verify your DKIM signatures
  • Keep your private keys secure and regularly rotate them