Master DKIM (DomainKeys Identified Mail) implementation to protect your domain from email tampering and improve deliverability. Learn how to generate keys, create records, and maintain effective DKIM configuration.
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing emails, allowing recipients to verify that the message was authorized by the domain owner and that its signed headers and body were not altered in transit.
Creating DKIM keys is the first step in implementing DKIM authentication.
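# Generate a 2048-bit RSA private key.
# The subshell sets umask 077 so a newly created key file is readable and
# writable by its owner only, without changing the umask of the calling shell
# and without depending on the defaults of the installed openssl build.
(umask 077 && openssl genrsa -out dkim-private.key 2048)
# Derive the public key; its base64 body is what goes into the p= tag of the
# DNS record. The public key file is not secret.
openssl rsa -in dkim-private.key -pubout -out dkim-public.key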
Keep your private key secure and never share it. The public key is what gets published in your DNS records.
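Creating an effective DKIM record requires proper formatting and DNS configuration. The p= value is the base64 body of dkim-public.key with the PEM header/footer lines and line breaks removed; a 2048-bit key is longer than the 255-character limit of a single TXT string, so it usually has to be split into several quoted strings inside the one record.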
selector._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
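v=DKIM1 - Version identifier
k=rsa - Key type (RSA)
p= - Public key data
s=email - Service type (optional)
t=y - Testing mode (optional); remove it once signing is verified, because verifiers are told not to treat mail from a testing-mode domain differently from unsigned mail
# Basic DKIM record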
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
# DKIM record with additional parameters
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...; s=email; t=y"
Regular testing ensures your DKIM configuration remains effective and properly configured.
Learn how to configure DKIM signing on popular mail servers to implement your DKIM setup.
# Install OpenDKIM: run only the command that matches your distribution.
# Debian/Ubuntu (opendkim-tools provides the helper utilities)
sudo apt-get install opendkim opendkim-tools
# CentOS/RHEL
# NOTE(review): on CentOS/RHEL opendkim is usually provided by the EPEL
# repository; confirm it is enabled before running this.
sudo yum install opendkim
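# Create directory for keys (one sub-directory per signing domain)
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
# Move your private key into place, named after the selector
sudo mv dkim-private.key /etc/opendkim/keys/yourdomain.com/selector.private
# Set proper permissions: the opendkim service account owns all key material
sudo chown -R opendkim:opendkim /etc/opendkim/keys
# Directories are owner-only so other local accounts cannot list or enter them
sudo chmod 700 /etc/opendkim/keys /etc/opendkim/keys/yourdomain.com
# Key file is owner read/write only
sudo chmod 600 /etc/opendkim/keys/yourdomain.com/selector.private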
# Basic settings
# Log through syslog so signing/verification results and errors are recorded
Syslog yes
# File-creation mask applied to the socket: 002 leaves it usable by owner and
# group but not writable by other accounts, so the MTA user has to share the
# socket's group in order to connect
UMask 002
# Header canonicalization "relaxed", body canonicalization "simple"
Canonicalization relaxed/simple
# s = sign outgoing mail, v = verify incoming mail
Mode sv
# Do not sign mail from subdomains of the configured Domain
SubDomains no
# UNIX socket the MTA connects to; must match the milter path in the MTA config
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Sign with RSA over SHA-256
SignatureAlgorithm rsa-sha256
# Signing configuration
# Domain and Selector must match the published DNS name
# <Selector>._domainkey.<Domain>, otherwise verifiers cannot find the key
Domain yourdomain.com
Selector selector
# Private key used for signing; keep it readable only by the opendkim account
KeyFile /etc/opendkim/keys/yourdomain.com/selector.private
# DKIM configuration
# Milter protocol version used to talk to OpenDKIM
milter_protocol = 6
# accept = fail open: if the milter is unreachable or returns an error, mail is
# still delivered, but without a DKIM signature. Watch the mail log for milter
# connection warnings so a signer outage does not go unnoticed.
milter_default_action = accept
# Mail arriving over SMTP is passed to the OpenDKIM socket
# NOTE(review): if smtpd runs chrooted, Postfix resolves this path relative to
# its queue directory; confirm the socket path against your master.cf settings.
smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock
# Locally submitted mail (not received over SMTP) is passed to the same socket
non_smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock
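# Create socket directory
sudo mkdir -p /var/spool/postfix/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/opendkim
# The socket is created for the opendkim owner and group only (UMask 002 keeps
# it non-writable for everyone else), so the postfix account must be a member
# of the opendkim group to connect to it
sudo usermod -aG opendkim postfix
# (Re)start services. restart rather than start for OpenDKIM: the package may
# already be running with its default configuration, and start would then leave
# the new key and settings unloaded. Restarting Postfix afterwards also picks
# up the new group membership.
sudo systemctl restart opendkim
sudo systemctl restart postfix
# Enable services
sudo systemctl enable opendkim
sudo systemctl enable postfix
# Confirm the signer is running: with milter_default_action = accept, mail
# keeps flowing unsigned when OpenDKIM is down
sudo systemctl is-active opendkim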
# Debian/Ubuntu
sudo apt-get install exim4-daemon-heavy exim4-config
# Create directory for keys
sudo mkdir -p /etc/exim4/dkim
# Move your private key; the file name follows <domain>.<selector>.key, the
# pattern that the DKIM_PRIVATE_KEY setting expands to
sudo mv dkim-private.key /etc/exim4/dkim/yourdomain.com.selector.key
# Set proper permissions: owned by the Exim service account;
# 640 = owner read/write, group read, no access for other accounts
sudo chown -R Debian-exim:Debian-exim /etc/exim4/dkim
sudo chmod 640 /etc/exim4/dkim/yourdomain.com.selector.key
# DKIM configuration
# Canonicalization used when signing
DKIM_CANON = relaxed
# Selector and domain must match the published DNS name
# <selector>._domainkey.<domain>
DKIM_SELECTOR = selector
DKIM_DOMAIN = yourdomain.com
# Path to the private key, built from the domain and selector at signing time
DKIM_PRIVATE_KEY = /etc/exim4/dkim/${dkim_domain}.${dkim_selector}.key
# Headers covered by the signature. A header that is not listed here can be
# changed or added in transit without invalidating the signature.
DKIM_SIGN_HEADERS = From:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Reply-To:List-Unsubscribe
# Enable DKIM signing
# NOTE(review): nothing on this page installs /usr/lib/dkim-filter/dkim-filter.
# Confirm the binary exists before relying on it. Exim builds with DKIM support
# can sign natively through the dkim_domain / dkim_selector / dkim_private_key
# transport options; verify which mechanism your build actually uses, and check
# a delivered message for a DKIM-Signature header.
TRANSPORT_FILTER = /usr/lib/dkim-filter/dkim-filter -d ${dkim_domain} -k ${dkim_private_key} -s ${dkim_selector} -c ${dkim_canon}
# Transport for outgoing SMTP deliveries
remote_smtp:
driver = smtp
# Each outgoing message is piped through this command before it is sent
transport_filter = /usr/lib/dkim-filter/dkim-filter -d ${dkim_domain} -k ${dkim_private_key} -s ${dkim_selector} -c ${dkim_canon}
# Maximum time the filter command may run for one message
transport_filter_timeout = 4h
# Update Exim4 configuration (regenerates the effective configuration from the
# Debian configuration files)
sudo update-exim4.conf
# Restart Exim4 so the regenerated configuration is loaded
sudo systemctl restart exim4
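# Send a test email
# recipient@example.com is a constructed placeholder (the address in the
# original listing was lost to e-mail obfuscation): use a mailbox you control
# at an external provider. On the received message, confirm that a
# DKIM-Signature header is present and that Authentication-Results reports
# dkim=pass.
printf '%s\n' "Test DKIM" | mail -s "DKIM Test" "recipient@example.com"
# Check Exim4 logs (Ctrl-C stops following)
sudo tail -f /var/log/exim4/mainlog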