179 Comments


  1. Cata

    Hi,

    Very nice tutorial, the best I found.
    I have a little problem, if you can help: “opendkim no signature data” and I don’t understand why. In trusted-hosts I have 127.0.0.1/8 and I tried with example.ws also but it didn’t work :(

    [root@example ~]# tail -f /var/log/maillog
    Sep 29 02:15:39 example postfix/smtpd[3474]: warning: example.ws[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
    Sep 29 02:15:39 example postfix/smtpd[3474]: 84EC2A48300: client=example.ws[127.0.0.1]
    Sep 29 02:15:39 example postfix/cleanup[3511]: 84EC2A48300: message-id=
    Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): example.ws [127.0.0.1] not internal
    Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): not authenticated
    Sep 29 02:15:39 example opendkim[2140]: 84EC2A48300: no signature data
    Sep 29 02:15:39 example postfix/smtpd[3474]: disconnect from example.ws[127.0.0.1]
    Sep 29 02:15:39 example postfix/qmgr[2358]: 84EC2A48300: from=, size=604, nrcpt=1 (queue active)
    Sep 29 02:15:43 example postfix/smtp[3516]: 84EC2A48300: to=, relay=j.mx.mail.yahoo.com[66.94.237.64]:25, delay=4.2, delays=0.22/0/1.1/2.9, dsn=2.0.0, status=sent (250 ok dirdel)
    Sep 29 02:15:43 example postfix/qmgr[2358]: 84EC2A48300: removed


  2. The line in your log that says that example.ws is “not internal” is the one you want to focus on. That means that OpenDKIM doesn’t think that host is internal, so it’s not signing it. Check two things: 1) that the ExternalIgnoreList and InternalHosts directives in your opendkim.conf file are pointing to the correct location of your trusted-hosts file. 2) That the full hostname of your server is listed in the trusted-hosts file. If it’s host.example.ws, then put that in there. You may try experimenting with putting your external IP in there too. But until you put something in there that gets rid of that “not internal” message in your maillog, OpenDKIM won’t sign it. Let me know if you get it figured out!

  3. Cata

    Thanks for your answer, very quick :)

    In opendkim.conf I have :
    ExternalIgnoreList refile:/etc/mail/dkim/trusted-hosts
    InternalHosts refile:/etc/mail/dkim/trusted-hosts
    so it’s good.
    In trusted-hosts I have:
    127.0.0.1/8
    example.ws
    94. . . (my ip)

    But the same result :)
    example.ws is my host, so localhost or example.ws or my IP should work. I have rebooted the server and the services with no luck …


    1. Have you tried just “example” without the .ws? It’s clear that the problem is that OpenDKIM isn’t recognizing your host.

  4. Cata

    It didn’t work with any hosts :( I will install on another server, maybe it’s from this one.

  5. Cata

    On the second server it works just fine :) Thanks a lot for the tutorial.
    Will I need to set up DomainKeys too, or is DKIM and SPF enough? Thanks


    1. Glad to hear you got it working! I don’t bother using DomainKeys because DKIM is the newer implementation, and most places just care about DKIM now. You’re good to go!

  6. Cata

    DKIM Signature validation: pass (1024-bit key)
    DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.example.com

    Is the second line OK, or do I have problems with the DNS?

    Thanks


    1. Oh, and make sure you’re using your own domain name instead of “example.com” in the adsp DNS record.

  7. Cata

    :) I use my own domain name. It was a little problem because I had restarted the server and the DKIM daemon didn’t start properly. Thanks


  8. If you do “chkconfig --level 2345 opendkim on” as listed in the how-to, it should automatically start when you reboot. I’m glad you got it working. Congrats! :)


  9. Oh, and also make sure you’re using file: instead of refile: in your /etc/opendkim.conf file when referencing external files like trusted-hosts.

  10. Larry

    Agh, our postfix is now using sendmail. It never did prior to running yum install sendmail-devel openssl-devel which itself had a sendmail dependency.


    1. Technically, your “postfix” isn’t using “sendmail,” but your server may be using sendmail as its MTA instead. Just type: service sendmail stop. Then make sure sendmail isn’t set to start automatically when your system boots.

  11. Franck.H

    Hello Steve, very good tut. When I’m trying to start opendkim, here is the error I get:

    /etc/init.d/opendkim: line 8: milter-aware: command not found
    Starting DKIM milter: /usr/local/sbin/opendkim: error while loading shared libraries: libopendkim.so.3: cannot open shared object file: No such file or directory

    Do I have to change something in the file /etc/init.d/opendkim? Uncomment some lines? Please help. I already have DomainKeys working fine; DKIM is the last thing I need, because Yahoo is pushing my emails into junk mail.

    Thanks


    1. You should be aware that none of the major mail providers (Yahoo, Hotmail, GMail, AOL) will give you “extra” credit for having mail signed with both DKIM and DomainKeys. They are both very similar methods of signing mail and you’ll get no additional benefit from signing mail with more than one method. They only care that the message is signed.

      If you decide you’d like to use OpenDKIM rather than DomainKeys (which is what I decided, too) then I’d recommend joining the OpenDKIM-users list at http://lists.opendkim.org/. They are going to be able to troubleshoot your issue much better.

  12. travis

    My server is also trying to use sendmail now. Ideas? I have stopped sendmail, but now it’s clear email isn’t going out and the /var/log/maillog states connection refused, since sendmail is off.

    ?

    I have gone over everything and can’t see what I might have missed.

  13. travis

    Oh yes, it’s worked for months.

    I am rebooting now. I commented out the mods to the main.cf in postfix and restarted, to no avail. I can’t find where the system is requiring sendmail to handle the email.

    I desperately need your help.

  14. travis

    [root@cms log]# service postfix status
    master (pid 2070) is running…
    [root@cms log]# service sendmail status
    sendmail is stopped

    Any email sent from this server is now directed to sendmail’s MTA instead of postfix and I am unable to figure out why. Absolutely mind boggling.

    Oct 23 14:05:36 cms sendmail[2121] bla bla bla bal
    tat=Deferred: Connection refused by [127.0.0.1]

    I start sendmail and email gets sent.


    1. Are you using standard ports? What about firewall settings? What do you see when you try to telnet to the SMTP port 25 on the localhost:

      # telnet localhost 25

  15. travis

    With sendmail stopped, I can’t telnet to port 25 (connection refused); hence, the system is using sendmail and not postfix since installing the devel package as stated above.

    Firewall is off.


    1. If sendmail is off, postfix is running, and you’re CERTAIN that the firewall is off (do service iptables status to be sure), and you can’t connect on port 25, then something is likely wrong in your postfix config.

      Have you tried simply removing sendmail (yum remove sendmail), restoring your original main.cf file (or commenting out any changes you made) and then restarting postfix?

  16. travis

    /etc/postfix/main.cf

    I replaced that with my backup and now my system works again. I am now comparing the two to see what could have happened. What a mess :-)


    1. I’m not sure I’d call being able to simply return to your original config file and having everything work fine “a mess.” :) But I am interested to see what settings on your system were different than mine when you went through these steps so I can update them accordingly. Thanks for keeping me informed.

  17. travis

    I will keep you posted once I clear my head a bit. Great blog, and you’re responding so quickly. Kudos!

    I normally work on a development server, but your instructions were so simple and clear, lol, I thought I would try :-)

    Once I have it working, I will see where I went wrong. It’s looking like specifying an IP interface in postfix/main.cf is causing the system to be forced to use sendmail somehow; more research / testing is needed.


    1. Frankly, I’m very surprised it didn’t go easily, either! I’ve followed my own guide on all 6 of our mail servers! What does your postconf -n output look like?

  18. travis

    I went back through some test emails. I had specified an IP for postfix to use; postfix will now only work with localhost since sendmail-devel was installed. If I set main.cf to use a specific IP only, the system hands it off to sendmail; sendmail is stopped, therefore it’s refused.

    What in the world would cause this?

    Better question: why did you have to install sendmail-devel on a postfix system? That’s the real question I am dying to know.

    I am guessing an uninstall of sendmail-devel will resolve my MTA-confused server issue.


  19. According to http://www.opendkim.org/INSTALLOpenDKIM:

    “To build this package you must first have installed or at least have available the OpenSSL package and libmilter… The application library
    libmilter is part of the sendmail Open Source distribution and can be built and installed from there (ftp://ftp.sendmail.org).

    As Postfix currently does not provide a milter library, you need to have the sendmail sources or development package installed. See http://www.postfix.org/MILTER_README.html


  20. Nice tutorial!

    A quick note about the refile and “first line only” issue. This is a bug; refiles should be able to process any number of lines. A bug in the handling code for refiles will be fixed in the next release, slated for a few days from now.

    Also, refiles aren’t actual regular expressions, though that’s how they are implemented under the hood. They actually provide something more like shell-style wildcarding, also known as “globbing”: They permit “*” to be used to represent any set of characters when doing pattern matching. “*@example.com” is not a valid regular expression, for example, but it’s valid in refiles.

    Happy signing!


    1. Hey, Murray. :)

      Thanks for the clarification. When the next release is out, I’ll update the download link in this tutorial and simplify the instructions, too.

      I AM happily signing! :)

  21. travis

    Well, here is my troubleshooting so far as to why sendmail is still involved with postfix for sending emails.

    grep sendmail /var/log/maillog*

    Sendmail is only involved after installing sendmail-devel.

    /etc/postfix/main.cf

    # inet_interfaces = all
    inet_interfaces = 174.xx.xxx.xx, localhost

    Remove localhost and postfix fails to send email; logs report relaying denied by sendmail.

    I ask that you check your logs for me. Do this please:

    grep -i sendmail /var/log/maillog

    Do you also have sendmail involved in your outgoing mail operations???

  22. travis

    Follow up.

    opendkim is working and signing; however, sendmail is involved, even with sendmail stopped:

    [ previously recorded headers ]
    Received: by my.example.com (Postfix, from userid 48)

    Now, it’s clear that sendmail is involved via these new header mods:

    Received: (from apache@localhost)
    by cms.example.com (8.13.8/8.13.8/Submit) id o9PGLq9H007511;
    Mon, 25 Oct 2010 11:21:52 -0500

    I am guessing this is the new requirement to hand off for opendkim filtering for signing of the emails.

    Notice above that Postfix userid 48 was included in all of our emails; now, although the postfix name is seen in the headers, we see sendmail’s 8.13 / Submit listed in the headers.

    I am curious if your logs show the same sendmail involvement.


  23. Hey, Travis. First, GREAT news that you got it working. Can you please share with me what the issue was and what you did to get it fixed so I can explain it in the tutorial for others who might see the same issue?

    Also, the ONLY mention of sendmail in my logs is if I run newaliases:

    Oct 26 16:21:57 myhost sendmail[23078]: alias database /etc/aliases rebuilt by root
    Oct 26 16:21:57 myhost sendmail[23078]: /etc/aliases: 155 aliases, longest 40 bytes, 2093 bytes total

    Otherwise, I don’t see it at all.

    But I am seeing the local sendmail client get involved in my headers, too. Here’s a full (anonymized) header of a test message sent to my gmail account:

    Delivered-To: testaccount@gmail.com
    Received: by 10.229.68.168 with SMTP id v40cs122656qci;
    Tue, 26 Oct 2010 16:22:59 -0700 (PDT)
    Received: by 10.143.157.16 with SMTP id j16mr7184678wfo.424.1288135379024;
    Tue, 26 Oct 2010 16:22:59 -0700 (PDT)
    Return-Path:
    Received: from hostname.steveserver.com (steveserver.com [123.456.78.912])
    by mx.google.com with ESMTP id e38si19054975wfj.44.2010.10.26.16.22.57;
    Tue, 26 Oct 2010 16:22:57 -0700 (PDT)
    Received-SPF: pass (google.com: domain of sender@steveserver.com designates 123.456.78.912 as permitted sender) client-ip=123.456.78.912;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of sender@steveserver.com designates 123.456.78.912 as permitted sender) smtp.mail=sender@steveserver.com; dkim=pass header.i=@steveserver.com
    Received: from hostname.steveserver.com (hostname.steveserver.com [127.0.0.1])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by hostname.steveserver.com (Postfix) with ESMTPS id F080410423FE
    for ; Tue, 26 Oct 2010 16:22:56 -0700 (PDT)
    X-DKIM: OpenDKIM Filter v2.2.1 hostname.steveserver.com F080410423FE
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=steveserver.com;
    s=default; t=1288135377;
    bh=fdkeB/A0FkbVP24J4poeWH6vm9+b0C3OY87Cw8=;
    h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type;
    b=a+S/3J/GfO2n2smR9XCq
    Received: from localhost (sender@localhost)
    by hostname.steveserver.com (8.14.4/8.14.4/Submit) with ESMTP id o9QNMuwE023144
    for ; Tue, 26 Oct 2010 16:22:56 -0700
    Date: Tue, 26 Oct 2010 16:22:56 -0700 (PDT)
    From: Steve Jenkins
    To: testaccount@gmail.com
    Subject: SUBJECT GOES HERE
    Message-ID:
    User-Agent: Alpine 2.00 (LFD 1167 2008-08-23)
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

    Message Body
    ——————–

    So like you said, the (8.14.4/8.14.4/Submit) is a giveaway that sendmail is involved. OpenDKIM requires libmilter, which is part of the sendmail-devel package, so I’m assuming that’s why we’re seeing it.

    Also, if apache is sending (it looks like it is in your case) AND you have PHP involved, be sure to update the sendmail line in your /etc/php.ini to use /usr/sbin/sendmail.postfix

    And finally, a new version of OpenDKIM (2.2.1) came out yesterday. You may want to update (it just copies right over the old one with no config file changes).


  24. I had errors after installing opendkim:

    fatal: host/service localhost/20209 not found: No address associated with…

    Looks like it’s working now after I changed these lines in main.cf:

    smtpd_milters = inet:127.0.0.1:20209
    non_smtpd_milters = inet:127.0.0.1:20209


    1. Glad to hear it’s working for you! But it should have worked with localhost, too. Can you do a “ping localhost” and get a reply?

      You should check your /etc/hosts file to make sure that the first line in there is:

      127.0.0.1 hostname localhost.localdomain localhost

      Where “hostname” is your server’s hostname. The “localhost.localdomain” and “localhost” entries should be typed word-for-word.

  25. Carlos Sura

    Hi Steven, this is a great article. I’ve already configured some servers with your help, and everything seems to be working fine if you read the article carefully; if not, you really mess up.


    1. Domainkeys is the older version of same standard as DKIM. And since inbound mail handlers don’t give you any additional credit for having both Domainkeys and DKIM, as long as you’re passing the DKIM check, you can ignore the Domainkeys=neutral warning.


  26. Hello Steve,

    Great tutorial !

    Having finally wrapped my brain around the formats of the KeyTable and SigningTable, I think it would improve your tutorial to not use the whole DNS key as a key name, since the left entry in the KeyTable can be just a single word.
    That would make it easier to understand:

    #KeyTable:
    mykeyname example.com:default:/etc/mail/dkim/keys/example.com/default

    #SigningTable:
    *@example.com mykeyname

    That way one doesn’t confuse the notions needed for the DNS record with the two tables.


    1. Hi, Robert! Thanks for the feedback and glad you got it working! You are right about not needing the full domain name… but ONLY if you’re signing keys for a single domain (and I assume that’s the case with your server). But if you have a mail server that signs different keys for more than one domain (like I do) or for multiple hostnames on a single domain name, or any combination of the above (such as mailer1.domainname.com, mailer2.domainname.com, somebodysserver.com, somebodyelseserver.com) then you will need the FQDN (fully qualified domain name) of the selector in the keyTable, signingTable, and in your DNS record for it to work.


  27. Hello Steve,

    In studying the readme file examples, I discovered that the key is only used to make the entries in the SigningTable match lines in the KeyTable, so for multiple domains, this works, too:

    ##keytable
    KeyA domainOne.net:sel1:/etc/mail/dkim/X.private
    KeyB domainTwo.net:selh:/etc/mail/dkim/Y.private
    KeyC domainThree.net:sel1:/etc/mail/dkim/Z.private

    ##signingtable
    *@domainOne.net KeyA
    *@domainTwo.net KeyB
    *@domainThree.net KeyC

    And obviously each domain has to have the fully qualified entries in its DNS records.

    If all the domains can share the same keys, then one can even use the % wildcard and get all domains that use the same server to get their mail signed with one line each:

    ##keytable
    onekey %:im:/etc/mail/dkim/im.private

    ##signingtable
    *@* onekey

    The names used to link the two tables are completely independent from the entries in the DNS records.

    The question I haven’t yet figured out is, even with a different key for each virtual domain, how can one prevent a php script running on one domain from signing mails with a “From:” header belonging to another domain on the same server?
    Postfix will deliver them all irrespective, and OpenDKIM will happily sign with the correct key for each domain, simply taking the correct key for the domain used in the “From:” header…

  28. Carlos Sura

    Hello Steve, I want to ask you something, in every boot I’m getting this message:

    Dec 6 07:22:12 domain sendmail[22269]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
    Dec 6 07:22:12 domain sendmail[22269]: daemon MTA: problem creating SMTP socket

    Should I turn off Sendmail from chkconfig?
    Thanks,


    1. I run Postfix instead of Sendmail so I can’t reproduce that on my end. However, my guess is that maybe you’re already telling Sendmail to start somewhere else. So yes, I’d chkconfig sendmail off and reboot to see if it’s running.

  29. Carlos Sura

    I’m running Postfix too; however, I did yum install sendmail-devel, so that might be the problem, right? I will chkconfig sendmail off and check it. Anyway, thank you for answering me, Steve.

  30. Carlos Sura

    By the way, pardon me if I bother you so much… But, I’m trying to get domainkeys working in another box… And when I do this:
    /usr/local/sbin/opendkim-genkey -D /etc/mail/dkim/keys/mysite.com/ -d mysite.com -s default

    I get this:
    -bash: /usr/local/sbin/opendkim-genkey: No such file or directory

    I’m checking in /usr/local/sbin
    but the only file I found is: opendkim…


    1. Try doing updatedb and then do a locate opendkim-genkey to see if perhaps your system put it somewhere else. By default, it should be in the path, so you could also log out and then log back in and try running opendkim-genkey without any path info.

      If that doesn’t work, try doing the ./configure, ./make, and ./make install steps again from the dir where you unzipped the source code. After the install step, do updatedb and locate opendkim-genkey.

  31. Carlos Sura

    Which is the script, right? But it keeps saying “no such file or directory”, and I’ve already set permissions.

  32. Carlos Sura

    Thank you for your help. I’ve already found the problem: it is in /bin/, not /sbin/. Thank you for your time.


  33. Hi,
    I followed your tutorial and I’ve installed opendkim on a fresh CentOS VPS.
    I’ve also installed DomainKeys (dk-milter) and I’ve set up SPF.

    All the checks pass, both yahoo and gmail validate my dkim and domainkeys, but some of the emails I send enter the spam folder.

    Here is the scenario:
    1. If I send an email directly from the Webmin postfix interface, the email gets into the inbox.
    2. If I send an email from PHP using SMTP, the email gets into the spam folder on Yahoo and sometimes on Gmail too.

    Do you have any advice? What should I do? Is there any config I should do in order to get the mails sent by PHP via SMTP into the inbox?


    1. Chances are that your messages sent by PHP are actually being sent by Sendmail. Check your /etc/php.ini file to make sure it’s using Postfix’s Sendmail clone. Mine looks like this:

      sendmail_path = /usr/sbin/sendmail.postfix -t -i


  34. Hi Steve,
    Thank you for reply.

    I checked the sendmail_path and it was indeed set to sendmail rather than postfix. I changed it as in your advice, thank you.
    However, I think that’s not the problem, since I use PHP to send mails via SMTP, and on the server I have configured postfix.

    In the meantime I did other optimizations and I discovered the following:

    1. If I send my emails from admin@domain.com but I set the “From” to, let’s say, just Domain.com, then Gmail marks me as spam.
    2. I am sending HTML mails, but if I add a txt copy of the email (an exact copy of the HTML mail but just the plain text), then Gmail is happy and it doesn’t mark me as spam.
    3. If I also set the replyTo to the same email address, it’s also a good thing.

    However, Yahoo still considers my email to be spam (although DKIM and DomainKeys pass, I have reverse IP, I’m not blacklisted, etc). I guess it’s just something with the way Yahoo filters emails.


  35. Hi, Andrei. I’m curious about why you have your php application set up to connect to the smtp port rather than just using the mail command internally? And yes, most mail providers like the FROM to be an actual address, not just a domain. I’m also curious about your HTML + TXT mail approach. Do you mean that you’re sending BOTH the HTML and TXT version of the message? If so, are you sending the TXT as an attachment?


  36. Hi Steve,
    I’m using SwiftMailer and it is configured to send my mails via SMTP.
    About the HTML + TXT approach, yes, I am sending both versions of the mail. I found an explanation which said that for clients who do not accept HTML emails it is good to send the txt version. Also, I found out that the anti-spam methods can give a better score to HTML mails which also have their txt version sent along (and like I said, the closer the txt version is, the higher the chances are that your email won’t be marked as spam).
    In SwiftMailer I am using the “addPart” method to add the txt version to the mail.

    (just a little disclaimer, I found out about the txt thing from the SpamAssassin site here: http://wiki.apache.org/spamassassin/AvoidingFpsForSenders)

  37. Corey

    Hello!

    Is the smallest valid key 512 bits? I’m having problems putting that long a string into the DNS config utility from my registrar since it truncates it. Need to talk to my registrar, I guess.

    Thanks!


  38. It’s POSSIBLE to use as small as a 256 bit key… but I wouldn’t. That’s too easy to crack. I think you’re better off talking to your registrar as you suggested.

    Another option is to consider using a different DNS provider. Amazon’s new Route 53 is an interesting option I’ve thought about trying. I’m assuming your registrar isn’t GoDaddy, since I know their TotalDNS service (which is included with any domain registered there) won’t truncate your key.

    Let me know how things work out!

  39. Corey

    I got the ISP to change their DNS config web page to accept more characters. Tried it out and I’m good to go! Thanks for the great tutorial. Corey.


  40. Hi Steve,
    I just wanted to let you know that for some reason, Yahoo no longer considers my mail to be spam and delivers it right to the user’s inbox. Yuppy!
    Thanks for sharing this article with the community, it helped me a lot.

  41. ethilanka

    Hey,

    Thank you very much for publishing a valuable post…. This really helps me to send emails to the Yahoo inbox… you are great… BTW I have a small question….. what is the difference between DomainKeys and DKIM? In your post both are included…..?? Or do we need to configure DomainKeys separately..?

    Cheers..!


    1. @Ethilanka: You’re very welcome! The simple explanation is that DKIM is a more current implementation of the original Domain Keys (that’s what the DK in DKIM stands for… not Donkey Kong…:)) Mail service providers will give you “credit” for using DKIM or DomainKeys, but you don’t get extra credit for using both. Since DKIM is the newer standard with the current momentum, that’s the one I recommend. There’s no need to do both!


  42. Steve,

    Thanks for posting this. I set everything up as described and I am having a problem I can’t find the answer to. My log shows the problem to be opendkim[7113]: 1F9BDD2004E: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed.
    I have talked with my registrar’s support to make sure the DNS zone record was entered correctly. I guess I don’t know how to move forward at this point. I have checked and rechecked to make sure I followed your directions correctly. Hopefully you can help.

    Thanks,
    Alex


  43. @Alex: According to something I read from the developer of OpenDKIM, “The filter reads in your private key and passes it as a buffer to d2i_PrivateKey_bio(), a libcrypto function, which attempts to parse it. That parse is failing, which results in this error being logged and your message temp-failing.” In other words, it looks like your private key file might be corrupt. I’d try rebuilding it (just delete it, find that step above, and build it again) to see if that fixes it. Also, make sure you’re using at least version 2.1 of OpenDKIM, as there was a bug related to this in 2.0. Come back and let me know if it works!

  44. rav3n

    Hi, I’ve followed your tutorial and applied it to a Zimbra mail server; it works great. However, I have a problem: DomainKeys are not signed. Below is my test result. I checked the logs and the OpenDKIM header is added.

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham


    1. Hi, Rav3n. Good news! Your test results are fine. DomainKeys is a different (and outdated) method of signing mail. DKIM is the newer and improved method. You don’t need to use both, since receiving mail handlers don’t give any additional credit for both. So since you’re signing with DKIM and not DomainKeys, it’s appropriate to have the neutral test result. You’re good to go!

  45. rav3n

    Hi, I finished setting up everything and it’s working fine, except mail is not signed. I have two domains I’ve already added to my KeyTable and SigningTable; when I try to test it, this is what I get.

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    DomainKeys check still neutral… I’ve been trying to check my configuration and there seems to be no issue… Please help.


    1. Correct, DomainKeys is supposed to be neutral. You are signing with DKIM, not DomainKeys. DomainKeys is outdated and you don’t need to sign with it. You are set up correctly. :)

  46. rav3n

    Thanks, now I know it’s working fine… :D


  47. I have a zimbra server and the settings don’t work…

    If I configure milter_protocol=2, zimbra.log says OK to add header but doesn’t send the message, and if I don’t configure milter_protocol, the message is sent OK, but without the header.

    Can you help me?


    1. Hi, Johnny. I don’t use Zimbra, but I’m sure someone on the OpenDKIM user email list is familiar with it. I’d recommend subscribing (the link is in this article) and seeing if anyone there has seen this particular issue.


  48. Steve, I have figured out my problem and it was a tremendous oversight. When I created my keyTable I copied and pasted in your example, which shows it on two lines in the browser, but clearly, if I had looked closer, I would have seen that it should all be on one line.

    Thanks for taking the time for this tutorial.


  49. Glad you got it working, Alex! I’ve updated the article to specifically state that all the text in the example should be on a single line. Thanks for the feedback!


  50. rav3n

    Hi, I’ve successfully set up opendkim; thanks for the guide, it helps a lot. I have a question: I have two domains, mail.example.com and mail2.example.com, both on different machines. I’ve created another mail server for sending bulk messages and I’ve set up everything; however, I have an error in the full header view: multiple domain keys. I was wondering how I can use the other default keys on another machine so that I will have one domain key on my domain server?

  51. rav3n

    Hi Johnny, I use Zimbra; it works with no problem with protocol 2…. Make sure you upgrade your Zimbra to the new version.

  52. rav3n

    How do I allow an external IP to be signed by our SMTP server?


    1. If the server with the external IP shares the same domain, just add the IP to the InternalHosts file. If it’s a separate domain, then you’ll also have to create an additional set of keys and add the appropriate info for that domain to the keyTable and signingTable.

  53. rav3n

    Hi Steve, thanks for the reply. Just to clarify: I have one domain, example.com, and mail.example.com dedicated to sending mail, and all my web servers are sending email such as notifications, transactions, mailing lists, events, newsletters, etc. Do I need to create a separate DKIM for the web server? All servers are within the same IP range. All web servers are http://www.example.com. Ahhh, one more: sometimes we also send email through our office, and it’s a different IP range with no domain. Should I create a new DKIM for our IP in our office?


    1. DKIM signatures are associated with the domain, so you can use the same one for multiple subdomains!

      But you can’t sign messages sent from a machine that has no domain. Again, DKIM is associated with a domain, so it needs one in order to verify on the receiving end.

      Reply
  54. rav3n

    Thanks Steve, guess I need to make a new subdomain for our office too…

    Reply

  55. Steve,
    I have been trying to setup OpenDKIM on another server for a friend since you helped me via this tutorial successfully set it up on mine. Anyway, it went much smoother this time. All is working, however, it is not signing emails for alex@domain.com. The log says that there is no signing table match for ‘alex@domain.com’. I checked the signing table and I have “*@domain.com default._domainkey.domain.com” on one line and this is the only line. I also use default as my selector. I have been reading the opendkim mail list and I can’t seem to find the answer to my problem. According to the signing table information I can’t figure out why it will not sign for alex@domain.com if I clearly have *@domain.com. Anyway, I was hoping you could help.

    Reply

    1. Hi, Alex. Sorry to hear you’re having problems. Are you certain that the mail program (MTA) isn’t using a subdomain when sending? The domain address in the signing table needs to match the domain address in the Return-Path: header of your email.

      I’m assuming that something like that must be the problem. I would bet that if you added a second line to your signing table that said: “alex@domain.com default._domainkey.domain.com” you’d still get the same error.

      If you’re still having trouble, subscribe to the OpenDKIM-users mailing list and post the results of the test addresses (or Brandon’s test website). That can be very helpful in tracking down what’s wrong.

      Reply

  56. Steve, thanks for the quick reply and for pointing me in the right direction. Apparently, text case in the log is different than what is actually sending. The email was set up in the client like this: “alex@DomainName.com”. It sends email fine, however DKIM doesn’t like the change in case, and the log was coming back “no signing table match for alex@domainname.com”, so I was not able to figure out the problem until I checked his mail client setup. Anyway, thanks for pointing me in the right direction. I really appreciate what you are doing here.

    Reply

    1. @Alex: Ah – yes, case does matter with OpenDKIM 2.2.2. However, the newer version of OpenDKIM (v2.3.0 – which is still in beta, so I’m waiting until it’s released to update the blog post) allows upper or lower case. Glad to hear you got it going!

      Reply
  57. Bhupinder

    Thank you!

    This guide worked perfectly on my Plesk 10 / PostFix / Centos5 rig.

    I love you!!!

    Reply

      1. Well, I don’t get this working. I have spent many hours getting opendkim to work with Plesk. I have two postfix profiles on Plesk (old config). On the one I want to get opendkim working, I’ve removed the 10025/6/7 lines from master.cf (since those refer to Plesk filters) and put in the settings in main.cf. But the milter does not get applied; nothing in the log at all.

        Are you sure I don’t have to get any setting modified in master.cf for this to work? The lines in master.cf are:

        smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025

        pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:11027
        127.0.0.1:11025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11027 before-queue
        127.0.0.1:11026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
        127.0.0.1:11027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11026 before-remote
        plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
        smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025 -o smtpd_tls_wrappermode=yes
        submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:11025

        I am only putting in the lines that put in the default DomainKeys from Plesk (which does not get validated on brandonchecketts, saying wrong RSA, since different public keys are present on both domains). The server hosts multiple domains on different IPs.

        Reply

        1. Hi, Pradeep. I have no experience with Plesk, and so I’m not going to be any help in trying to troubleshoot how it interacts with OpenDKIM. As far as a straightforward OpenDKIM install on Postfix, no – you don’t need to touch master.cf. If you’re still having trouble, I recommend joining the OpenDKIM-users mailing list at opendkim.org and presenting the issue there. There’s a very active group on that list (including the main developer) who will be happy to troubleshoot.

          Reply

          1. Further debugging in the logs with a higher level, I got to know that a typo in the SigningTable file was preventing the email from matching the email pattern, and later that the opendkim key file perms were restrictive. It now works with the separate postfix directory profile. Of course, I had to change all the Plesk 10025/10026/10027 filters and spawns. No changes for opendkim were needed in master.cf, just like Steve wrote. I need to see if this is fine or if I need to get DomainKeys as well.


          2. Good to hear! Forget about DomainKeys. They’re being phased out. DKIM is the replacement, and it’s all you need. :)


  58. Hey,
    This tutorial made my life easier and I really appreciate you taking the time to write it! +1 good Karma for you!

    Reply
  59. Taaniel

    I’m breaking my head here.. all email gets signed, but I get the following error: Details: public key: unsupported version :(

    Reply

    1. Google results for this error show that your DNS records are probably incorrect. I’d triple-check those.

      Reply
  60. rav3n

    Hi Steve, can you please explain: when I verified my setup on opendkim I got this result.

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    I tried to send email to yahoo and check full header I got this on yahoo result

    Authentication-Results: mta1022.mail.sk1.yahoo.com from=ronald.com; domainkeys=neutral (no sig); from=auction.ph; dkim=permerror (future timestamp)

    dkim=permerror?

    Reply

    1. If you Google “dkim=permerror (future timestamp)” you’ll see that this error is most likely a result of your server’s clock being incorrect. Install an NTP client and make sure you’re syncing daily. :)

      Reply
  61. Will Oberman

    If anyone here is using this to configure DKIM with Amazon SES (their email service), this guide works with the following addendum:
    In the file “/etc/opendkim.conf” add:
    OmitHeaders Message-Id,Date,Return-Path,Bounces-To

    Reply

  62. Paul Roberts

    I’m getting the mail sitting in the postfix queue with the error

    conversation with 127.0.0.1 timed out while receiving the initial server greeting

    It sends if I take out the Postfix configuration.

    Any ideas?

    Reply

    1. Hmm… even if OpenDKIM isn’t running, it will just log a warning and Postfix will still send. Is Postfix running properly otherwise?

      Reply
  63. Paul Roberts

    Both postfix and OpenDKIM are running without errors; it’s just when I add the lines to postfix’s main.cf that the problem happens. Once I removed the code the mail was sent and the key was added to the email. Could it be to do with iptables?

    Reply
  64. Paul Roberts

    If I comment out these lines the queue is processed.

    # smtpd_milters = inet:localhost:20209
    # non_smtpd_milters = inet:localhost:20209
    # milter_protocol = 2
    # milter_default_action = accept

    Reply

  65. @Paul: With those lines commented in your main.cf, I don’t see how the key could have been added to the mail, since Postfix wouldn’t know to pass mail through the milter. Is your software config identical to the one in the tutorial? RHEL/CentOS, Postfix, OpenDKIM? Are you also running Sendmail by chance (it should be off in this scenario)? Also, a brand new version of OpenDKIM (2.3.0) was released yesterday. I recommend downloading it and going back through the tutorial step-by-step.

    Reply
  66. Carlos Sura

    Hello Steve, I was trying to follow the default configuration for OpenDKIM. I think the installation and configuration that I’ve made are all good, but it is not signing my outgoing email….

    I checked everything twice; tail /var/log/maillog does not show me errors. I’m not sure what the problem is now…

    Reply

  67. @Carlos: Your maillog should still give you some sort of message even if it doesn’t sign. Is there any output from opendkim in your log, such as “not internal” or “no signature data added”?

    Reply
  68. Carlos Sura

    Hi Steve, I’ve already fixed it. It seems to have been a problem with my selector, so I reinstalled again, and now it’s working…. Thank you for answering me.

    By the way, nice theme.

    Reply
  69. michal

    Hi,
    I have done everything like your tutorial says. When I try to send email I get:
    Mar 3 18:56:46 qwe postfix/smtpd[20993]: connect from unknown[127.0.0.1]
    Mar 3 18:56:46 qwe postfix/smtpd[20993]: fatal: host/service localhost/20209 not found: No address associated with hostname

    and no mail is sent ;/
    When I change in postfix main.cf
    smtpd_milters = inet:localhost:20209
    non_smtpd_milters = inet:localhost:20209

    to
    smtpd_milters = inet:127.0.0.1:20209
    non_smtpd_milters = inet:127.0.0.1:20209

    mail is sent, but 2 dkim signatures are added like this:

    Delivered-To: xxx@xxx.com
    Received: by 10.204.55.15 with SMTP id s15cs11793bkg;
    Thu, 3 Mar 2011 09:29:07 -0800 (PST)
    Received: by 10.204.169.193 with SMTP id a1mr1809154bkz.11.1299173347444;
    Thu, 03 Mar 2011 09:29:07 -0800 (PST)
    Return-Path:
    Received: from xxx.com (myhost.com [f.i.r.stip])
    by mx.google.com with ESMTPS id 20si2102167faw.28.2011.03.03.09.29.06
    (version=TLSv1/SSLv3 cipher=OTHER);
    Thu, 03 Mar 2011 09:29:06 -0800 (PST)
    Received-SPF: neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of apache@xxx.com) client-ip=f.i.r.stip;
    Authentication-Results: mx.google.com; spf=neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of apache@xxx.com) smtp.mail=apache@xxx.com; dkim=neutral (bad format) header.i=@xxx.com
    Received: from xxx.com (unknown [127.0.0.1])
    by xxx.com (Postfix) with ESMTP id 6529748B803C
    for ; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
    X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 6529748B803C
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
    s=default; t=1299177173;
    bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
    h=To:Subject:Message-Id:Date:From;
    b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
    RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
    +pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
    Received: by xxx.com (Postfix, from userid 48)
    id 4F18848B84A2; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
    X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 4F18848B84A2
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
    s=default; t=1299177173;
    bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
    h=To:Subject:Message-Id:Date:From;
    b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
    RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
    +pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
    To: xxx@xxx.com
    Subject: subject
    Message-Id:
    Date: Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
    From: apache@xxx.com (Apache)

    sample body

    What can be the problem?

    Reply

  70. @michael: After chatting it over with my buddies on the OpenDKIM-Users mailing list, we agree that it looks like the message is somehow being passed to the filter twice before it gets sent out. Are you running multiple smtpd processes in your Postfix configuration?

    A few ideas for you to try (from the developer of OpenDKIM himself):

    1) Check your Postfix configuration to see if there’s some way the filter might hear about the same message twice.

    2) Check your maillog to see how you might be able to distinguish the two instances. For example, if one is coming in over the localhost address while the other is coming in over some non-localhost address, you could add one or the other to the PeerList so that the filter simply ignores one of them outright.

    3) Have the reinjection step change the From: so that there’s a hit in the SigningTable for one instance of the message but not the other.

    Reply
    1. Salman

      I am having the same issue. I have checked DKIM on Yahoo and it says OK, but on Gmail I am getting neutral (bad format). I have checked /var/log/mail.log. Everything is looking fine. Please help :(

      Reply
      1. Salman

        It’s fixed, guys. The TXT record had an error: missing g=*; k= . It’s working fine now :)

        Reply
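Three of the failures in this thread, the “public key: unsupported version” error in comment 59, the “dkim=permerror (future timestamp)” result in comment 60, and the broken TXT record Salman just described, all come down to a malformed tag list or a wrong clock. The Python below is an added example (my own code, not OpenDKIM’s verifier and not from the article): it parses DKIM tag=value lists, sanity-checks a selector._domainkey TXT record against the RFC 6376 rules (v=, if present, must be exactly DKIM1 and come first; p= must be present and decode as base64), and compares a signature’s t=/x= tags with the verifier’s clock. The records and signature values are constructed placeholders, and the 300 s skew tolerance is this example’s assumption, not an OpenDKIM setting.

```python
import base64
import binascii
import re

# Tags RFC 6376 requires in every DKIM-Signature header field.
REQUIRED_SIG_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tag_list(text):
    """Parse a DKIM tag=value list; the same syntax is used by the
    DKIM-Signature header and by the selector._domainkey TXT record.
    Folding whitespace inside values is dropped. Tag order is preserved
    because the DNS record's v= tag, when present, must be the first tag."""
    tags = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags.append((name.strip(), re.sub(r"\s+", "", value)))
    return tags


def check_dns_record(txt):
    """Sanity-check a published DKIM key record (RFC 6376 section 3.6.1).
    Returns a list of problems; an empty list means the record is well formed."""
    try:
        tags = parse_tag_list(txt)
    except ValueError as exc:
        return [str(exc)]
    names = [name for name, _ in tags]
    d = dict(tags)
    problems = []
    if "v" in d:
        if d["v"] != "DKIM1":
            problems.append("unsupported version v=%s (must be exactly DKIM1)" % d["v"])
        if names[0] != "v":
            problems.append("v= must be the first tag in the record")
    if "p" not in d:
        problems.append("missing p= (public key)")
    elif d["p"] == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(d["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
    if d.get("k", "rsa") != "rsa":
        problems.append("unknown key type k=%s" % d["k"])
    return problems


def check_signature_times(sig, now, skew=300):
    """Check the t= (signing time) and x= (expiry) tags of a DKIM-Signature
    against the verifier's clock `now` (epoch seconds). `skew` is the tolerance
    for clock drift; 300 s is this example's assumption, not an OpenDKIM value.
    Also reports required tags that are missing. Signature bytes are not verified."""
    d = dict(parse_tag_list(sig))
    problems = ["missing %s=" % tag for tag in REQUIRED_SIG_TAGS if tag not in d]
    t = int(d["t"]) if "t" in d else None
    x = int(d["x"]) if "x" in d else None
    if t is not None and t > now + skew:
        problems.append("future timestamp (signer clock ahead by %d s)" % (t - now))
    if x is not None:
        if t is not None and x < t:
            problems.append("x= is earlier than t=")
        if x < now - skew:
            problems.append("signature expired")
    return problems


# Constructed samples: key and signature bytes are placeholders, not real material.
GOOD_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"
BAD_VERSION_RECORD = "v=dkim1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"
NO_KEY_RECORD = "v=DKIM1; k=rsa"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
              "t=1299177173; bh=Q29uc3RydWN0ZWQ=; h=To:Subject:Message-Id:Date:From; "
              "b=ZXhhbXBsZQ==")

if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_VERSION_RECORD, NO_KEY_RECORD):
        print(rec, "->", check_dns_record(rec) or "ok")
    # A verifier whose clock is an hour behind the signer sees a future timestamp.
    print(check_signature_times(SAMPLE_SIG, now=1299177173 - 3600))
```

Run it against the exact TXT string you published and the DKIM-Signature from a sent message before blaming DNS propagation: a lower-case v=dkim1, a stray character in p=, or a signer clock an hour ahead each show up as a one-line problem instead of an opaque verifier result. The NTP advice in the reply to comment 60 addresses the last one.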
  71. michal

    @steve, thank you for your priceless help. After you pointed me in the direction that the filter hears about the message twice, I examined my maillog


    Mar 5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=
    Mar 5 13:58:06 haha postfix/cleanup[14525]: B4C4948B8033: message-id=?
    Mar 5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
    Mar 5 13:58:06 haha postfix/qmgr[14528]: B4C4948B8033: from=, size=565, nrcpt=1 (queue active)
    Mar 5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
    Mar 5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
    Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: apache@example.com
    Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: somebody@somewhere.com
    Mar 5 13:58:06 haha postfix/cleanup[14525]: CE02B48B8032: message-id=
    Mar 5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
    Mar 5 13:58:06 haha postfix/qmgr[14528]: CE02B48B8032: from=, size=1157, nrcpt=1 (queue active)
    Mar 5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)

    The cleanup process was running twice, and every time opendkim added a signature, so I modified my pickup process with -o receive_override_options=no_milters
    and it works like a charm!
    pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027 -o receive_override_options=no_milters
    Again, big thanks to you and the guys over on the mailing list for the help. This tutorial rocks!

    Reply
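The pattern Steve describes in comment 70 and michal confirms above, a message that is signed once, relayed back to localhost by a content filter, re-queued under a new queue id and signed again, can be spotted from the maillog alone. The Python below is an added example (my own code, not from the article or from OpenDKIM): it links each Postfix queue id to the id the message was “queued as” on a local re-injection and counts how many “DKIM-Signature header added” lines the whole chain produced. The log lines are constructed, modelled on the ones michal posted.

```python
import re
from collections import defaultdict

# One "DKIM-Signature header added" line per queue id per pass through the milter.
SIGNED_RE = re.compile(
    r"opendkim\[\d+\]: ([0-9A-F]+): DKIM-Signature header added \(s=(\S+), d=([^)]+)\)")
# Postfix logs a local re-injection as a delivery to 127.0.0.1 that was
# "queued as" a new queue id; that new id is the same message again.
REQUEUED_RE = re.compile(
    r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*status=sent \(250 2\.0\.0 Ok: queued as ([0-9A-F]+)\)")


def parse_maillog(lines):
    """Return (signatures added per queue id, map of queue id -> id it was re-queued as)."""
    signed = defaultdict(int)
    requeued = {}
    for line in lines:
        m = SIGNED_RE.search(line)
        if m:
            signed[m.group(1)] += 1
            continue
        m = REQUEUED_RE.search(line)
        if m:
            requeued[m.group(1)] = m.group(2)
    return signed, requeued


def find_double_signed(lines):
    """Follow each message through its re-queues and report the chains that were
    signed more than once, as {first queue id: (chain of ids, signature count)}."""
    signed, requeued = parse_maillog(lines)
    # Chains start at ids that are not themselves the result of a re-queue.
    starts = (set(signed) | set(requeued)) - set(requeued.values())
    report = {}
    for qid in sorted(starts):
        chain, seen = [qid], {qid}
        while chain[-1] in requeued and requeued[chain[-1]] not in seen:
            chain.append(requeued[chain[-1]])
            seen.add(chain[-1])
        total = sum(signed[q] for q in chain)
        if total > 1:
            report[qid] = (chain, total)
    return report


# Constructed maillog excerpt: one message that takes the content-filter detour
# (signed twice) and one that goes straight to the remote MX (signed once).
SAMPLE_MAILLOG = """\
Mar 5 13:58:06 mx postfix/pickup[14521]: 7F0E12AB3C01: uid=48 from=<apache@example.com>
Mar 5 13:58:06 mx opendkim[23216]: 7F0E12AB3C01: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 mx postfix/qmgr[14528]: 7F0E12AB3C01: from=<apache@example.com>, size=565, nrcpt=1 (queue active)
Mar 5 13:58:06 mx postfix/smtpd[14532]: 8D1F23BC4D02: client=unknown[127.0.0.1]
Mar 5 13:58:06 mx opendkim[23216]: 8D1F23BC4D02: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 mx postfix/smtp[14529]: 7F0E12AB3C01: to=<somebody@example.net>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8D1F23BC4D02)
Mar 5 14:02:10 mx postfix/pickup[14521]: 9E2A34CD5E03: uid=48 from=<apache@example.com>
Mar 5 14:02:10 mx opendkim[23216]: 9E2A34CD5E03: DKIM-Signature header added (s=default, d=example.com)
Mar 5 14:02:11 mx postfix/smtp[14529]: 9E2A34CD5E03: to=<somebody@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1299178931 abc)
"""

if __name__ == "__main__":
    for first, (chain, count) in find_double_signed(SAMPLE_MAILLOG.splitlines()).items():
        print("%s signed %d times along %s" % (first, count, " -> ".join(chain)))
```

On a real server feed it /var/log/maillog and look at the relay= target of every flagged chain: that is the re-injection path that needs receive_override_options=no_milters, which is exactly the pickup/content-filter change michal made.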

  72. You forgot to copy opendkim-genkey from /usr/local/src/opendkim to /usr/local/bin

    cd /usr/local/sbin/

    cp /usr/local/src/opendkim-2.3.0/opendkim-genkey /usr/local/sbin

    opendkim-genkey -D /etc/mail/dkim/keys/test.com/ -d test.com -s default

    Regards, from Argentina

    Reply

    1. Hi, Thierry. Manually copying opendkim-genkey to /usr/local/bin isn’t necessary. The make install command automatically places all the necessary opendkim-* files in that directory. If it didn’t on your system, verify that you used the right permissions (root) when you did the make install command, since the default permissions for /usr/local/bin is owned and writeable only by root.

      Reply
  73. Ruslan Conk

    Help Me. Problem starting opendkim

    Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory

    Reply

    1. @Ruslan: I need a bit more info. What system? Did you follow these steps EXACTLY? Do “updatedb” and then “locate opendkim” – does it find it on your system anywhere?

      Reply


  74. Greatest ever blog post! Thanks a lot for such detailed information!!!
    Worked like a charm

    Reply
  75. h16h

    I had same issue trying to start OpenDKIM.

    Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory

    The following is my setup:

    CentOS release 5.6 (Final)
    Postfix 2.3.3
    OpenDKIM 2.3.2

    executing as root and SELinux = disabled.

    OpenDKIM 2.2.2 installs and starts fine however.

    Reply
  76. Mauro

    Hi steve,

    good tutorial, but I’ve two problems:

    1. I’ve installed dkim and dk-milter, but when I restart dk-milter I get this message:
    chgrp: impossibile accedere a `inet:10035@localhost': No such file or directory
    chmod: impossibile accedere a `inet:10035@localhost': No such file or directory

    main.cf
    smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209
    non_smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209

    dk-milter
    PORT="inet:10035@localhost"

    2. I must also use spamassassin, but when I insert this line in master.cf emails come back with the message “service unavailable”

    smtp inet n - n - - smtpd -o content_filter=spamd

    Help me please!

    Reply
    1. Branz

      I think you need to find this line /etc/init.d/dk-milter:

      if [[ ! -z $(echo $PORT |grep "local") && $RETVAL -eq 0 ]];

      then change this to:

      if [[ -z $(echo $PORT |grep "inet") && $RETVAL -eq 0 ]];

      Hope it helps!!

      Reply
  77. john

    I had the same error as Ruslan:
    Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory

    I have no clue how that happened since I definitely ran everything as root. I did fix the issue using this command.

    cp /usr/local/src/opendkim-2.3.2/opendkim/opendkim /usr/sbin

    Reply
  78. neil

    Hi steve,

    this is a very good and easy to understand tutorial.

    I followed your tutorial and was able to install it, but I get the following error in the maillog when I try to send a mail.

    May 27 01:59:01 sr postfix/cleanup[25854]: warning: connect to Milter service inet:127.0.0.1:20209: Connection refused

    Thanks,
    Neil

    Reply

  79. Excellent howto. Just a couple of quick notes:

    ADSPAction doesn’t appear to work anymore. Looks like it should be ADSPDiscard (with “yes” or “no” as accepted parameters)

    In my case, opendkim was adding a DKIM Signature header twice. Once when the email was initially received, and again after going through amavisd-new. Amavis wasn’t re-signing it, for some reason postfix signed it each time. Disabling Amavis as a content filter eliminated the problem, but now my outgoing mail doesn’t get scanned for viruses anymore.

    Reply

    1. Thanks for the heads up on the ADSPAction. I’ll check that.

      Concerning amavisd-new, check the 127.0.0.1:10025 inet n - n - - smtpd section in your master.cf. Add no_milters to the end of your -o receive_override_options line so that it looks like this:

      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

      Then restart Postfix and Amavisd. That should solve your problem. I’ve added this tip to my Amavis-new tips blog post.

      Reply

  80. Mauro

    Hi Steve,

    if I add ADSPDiscard it gives an error….
    ADSPDiscard Yes
    Stopping OpenDKIM Milter: [ OK ]
    Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter

    I have a big problem too. I installed and configured opendkim on a server that hosts mail marketing software; when sending a newsletter the validation fails, the message is here:

    Signature verification failed, message May Have Been tampered with or corrupted

    Validating Signature

    result = fail
    Details: Body Has Been Altered

    Can you help me…

    Reply
  81. Branz

    Hi Steve, thank you for this very great tutorials!! It really works!!

    Reply
  82. Carlos Sura

    Hello Steve, I followed your steps (updated) and I get this message: opendkim[1045]: can't write pid to /var/run/opendkim/opendkim.pid: Permission denied

    In /var/log/maillog

    Any ideas?

    Reply
  83. Carlos Sura

    Steve, nevermind, I just reinstalled everything and set the permission twice and it worked fine. Still, nice tutorial indeed.

    Reply

    1. Cool – glad to see you got it working. The permissions should be created properly on the useradd command, but I’ll add an extra step in there to manually set them just in case.

      Reply
  84. David

    Any ideas on what could cause this?

    dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed

    This happens every time I try to send mail from a telnet session on localhost. I have double checked permissions and everything and I still get that error.

    Any insight would be appreciated.

    Reply
  85. Paul

    Superb post, installed and working seamlessly :)

    Thanks!
    – Paul

    Reply

  86. Hi Steve,

    Thanks for your nice article. I finished everything according to it, but when I start OpenDKIM I get the log below;

    Jul 13 11:06:45 relay opendkim[16642]: OpenDKIM Filter: Unable to create listening socket on conn inet:20209@localhost
    Jul 13 11:06:45 relay opendkim[16642]: smfi_opensocket() failed
    Jul 13 11:06:45 relay opendkim[10817]: exited with status 69, restarting
    Jul 13 11:06:45 relay opendkim[16643]: OpenDKIM Filter: Unable to bind to port inet:20209@localhost: Address already in use

    I’m using MailScanner 4.83. Is it a conflict with MailScanner, or can I change the Opendkim port? Please help…….

    Thanks,
    Raminda

    Reply
    1. Ed Davis

      I’m commenting on the 7 month old post from Raminda on July 13, 2011. I have been getting similar error messages.

      Starting OpenDKIM Milter: opendkim: smfi_opensocket() failed
      OpenDKIM Filter: Unable to bind to port inet:8891@localhost: Cannot assign requested address
      OpenDKIM Filter: Unable to create listening socket on conn inet:8891@localhost

      I have not figured out the true cause of my problem, but I have stumbled upon a workaround.

      In /etc/opendkim.conf I changed …
      Socket inet:8891@localhost
      to …
      Socket inet:8891@127.0.0.1

      In /etc/mail/sendmail.mc I changed …
      INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')dnl
      to …
      INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl

      I can’t explain why this is a fix. I’m 7 months late to help Raminda but maybe another googler will find this helpful.

      Reply
  87. Paul

    Great tutorial, thanks a lot.

    I’m having a hard time telling if my DKIM is working or not.

    Brandon’s DKIM checker says it’s OK, but when I send to Gmail, I see that the DKIM signature is being added. However, Gmail is not showing that an “Authentication-Results” header has been added.

    I was previously having problems, and Gmail did add an “Authentication-Results” header. Is this header only added when the DKIM verification fails, or should there be one when DKIM passes too?

    Reply


  88. Great tutorial, thank you very much.

    One tip for everyone though: I recommend executing the chown command at the end, especially if you created files using

    touch /etc/opendkim/KeyTable (if run by root, the opendkim user won’t be allowed to access the file)

    So, when finished with everything, if mail doesn’t get sent when OpenDKIM is enabled, run chown again.

    chown -R opendkim:opendkim /etc/opendkim

    Bye :)

    Reply
  89. Nick

    Great tutorial Steve!

    I have everything set up correctly, except it’s not actually signing the emails and there is nothing related to SIGNING in the log. Startup info is in the log, but no error or anything when a piece of mail is sent.

    I can only think it’s because I have my domain on another server; would this be correct? I set up the DNS on the other server with the dkim key, but do I need to set up a subdomain and point it to the server with opendkim on it as well? Or, can I simply have ANY domain be on the opendkim server (even if it’s not the “sending / from” domain)?

    The only other thing I can think of, in the event that I can use ANY domain on the opendkim server and it doesn’t have to be the SENDING server (from name domain), is that it could be because I am testing with Amazon SES on the command line and it doesn’t necessarily fill out the return path properly?

    Wish I could get more info from the log file, but it’s just not even signing anything or giving me any info!

    Thanks for any help anyone..

    Reply
  90. Donnie

    Hi
    Excellent Howto and good tutorial.

    I followed your tutorial and was able to install it, but I get the following header in Hotmail when I check it.

    x-store-info:4r51+eLowCe79NzwdU2kRyU+pBy2R9QC3Jx2/BsS+hK7OuBZi7BRB/Is4oUCB0t5q3uTQvBaMi+N7tkkYUjPs8IELCmQgn/yVn9uPYmce2L0EJqvUykwYg==

    Authentication-Results: hotmail.com; sender-id=temperror (sender IP is xx.xx.xxx.x) header.from=reply@test.com; dkim=none header.d=test.com; x-hmca=none

    X-Message-Status: n:0:n

    and I don’t see any DKIM or DomainKeys signature headers in my source..

    Thanks in advance

    Reply

    1. Unless you own the test.com domain (and I’m assuming you don’t), then the Hotmail test SHOULD fail on this example. DKIM checks the signature in your header against the one published in the DNS record for the stated domain. And if you don’t see any DKIM sig in your header, then something’s not set up right. Have you gone through all the troubleshooting steps? If so, have you turned on LogWhy? That should tell you why it’s failing. If that still doesn’t help, come ask your question on the OpenDKIM-Users mailing list. I’m sure we can get it sorted out over there. :)

      Reply
  91. sharol

    Hello
    Can anyone tell me simple steps which can do these things automatically?
    I use Interspire, VPS, Linux, CentOS

    please assist

    Reply

    1. Hit the link at the top of the article about using Yum to install. That’s as automated as it gets. :)

      Reply

  92. Stacker

    Hi,
    If I use multiple postfix instances (with separate config directories), should your guide work?

    Thanks,
    StaCker

    Reply
  93. Denis

    Hi Steve,

    thank you for this howto.
    Like Neil, I got a “connect to Milter service inet:127.0.0.1:20209: Connection refused” in my log.
    I am on Debian Lenny, so I have used the “generic” script found in contrib/init.
    When I start dkim by doing “/etc/init.d/opendkim start” I get no message at all…
    Could you help me find the problem?
    Sorry for my English level, which is as good as my Linux level.

    Thanks again
    Denis

    Reply
  94. Denis

    Hi all,
    I answer myself.
    Thanks to Murray’s help, I saw that opendkim wasn’t running at all after the start command.
    The problem was that the PATH in opendkim.conf was on usr/sbin and not usr/local/sbin.
    Thanks for your help
    Denis

    Reply
  95. sateesh

    Configured Opendkim and reverse DNS, but still the mails are going to spam.

    This is the error log
    Jun 28 21:16:08 postfix/cleanup[16658]: CB94F231EB7: message-id
    Jun 28 21:16:08 postfix/qmgr[16654]: CB94F231EB7: from=<root@fi
    Jun 28 21:16:10 postfix/pickup[16653]: 43EB7231EBB: uid=0 from=
    Jun 28 21:16:10 postfix/cleanup[16658]: 43EB7231EBB: message-id
    Jun 28 21:16:10 postfix/qmgr[16654]: 43EB7231EBB: from=<root@fi
    Jun 28 21:16:13 postfix/smtp[16660]: CB94F231EB7: to=<sateesh.h 8, delays=0.07/0.01/0.99/3.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1340878473 pv
    Jun 28 21:16:13 postfix/qmgr[16654]: CB94F231EB7: removed
    Jun 28 21:16:13 postfix/smtp[16664]: 43EB7231EBB: to=<sateesh.h 5, delays=0.05/0.01/0.94/2.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1340878473 ps
    Jun 28 21:16:13 postfix/qmgr[16654]: 43EB7231EBB: removed

    Reply

  96. JK

    If you’re receiving the following errors in your maillog :

    .. no signing table match for
    .. no signature data

    Then try changing this in your SigningTable file :

    *@example.com default._domainkey.example.com

    to this, without the * :

    @example.com default._domainkey.example.com

    Worked for me on CentOS 64 bit, and a few others reported the same in a google search.

    Man file : http://www.opendkim.org/opendkim.conf.5.html

    Also, to the author, thanks for the tute, you may want to move the DNS chapter up a little, I didn’t notice it until well after I finished installation, and even then it was only by chance.

    Reply

    1. Hi, JK. Thanks for the comment. Out of curiosity, do you have “file:” or “refile:” in front of the SigningTable location in your opendkim.conf file? That makes a difference regarding whether the wild card * will work!

      Reply
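Steve’s file: versus refile: question is the crux of JK’s result: in a plain file: dataset a key is a literal string, so “*@example.com” is only ever equal to the characters “*@example.com”, while in a refile: dataset the “*” is a wildcard. The Python below is an added example (my own code, not from the article or from OpenDKIM) that models the two lookup styles side by side. The order of candidates tried in the file: case (full address, then @domain, then the bare domain) is a simplification I chose to mirror JK’s fix, not a statement of OpenDKIM’s exact lookup sequence, and the case-insensitive comparison reflects the newer behaviour Steve mentions in his reply to comment 56 (older releases compared case-sensitively).

```python
import re


def parse_signing_table(text):
    """Parse SigningTable lines of the form '<key> <KeyTable name>'.
    Blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed SigningTable line: %r" % raw)
        entries.append((parts[0], parts[1]))
    return entries


def wildcard_to_regex(key):
    """refile: semantics as modelled here: '*' matches any run of characters,
    everything else is literal, and the pattern is anchored at both ends so
    '*@example.com' cannot match 'alice@example.com.attacker.test'."""
    return re.compile("^" + ".*".join(re.escape(p) for p in key.split("*")) + "$",
                      re.IGNORECASE)


def lookup_refile(entries, address):
    """refile: lookup; the first pattern that matches the From: address wins."""
    for key, value in entries:
        if wildcard_to_regex(key).match(address):
            return value
    return None


def lookup_file(entries, address):
    """file: semantics as modelled here: keys are literal strings, so a '*' in a
    key is just a '*'. The candidates tried (full address, then '@domain', then
    the bare domain) are this example's simplification, not OpenDKIM's exact
    lookup sequence. Comparison is case-insensitive."""
    table = {key.lower(): value for key, value in entries}
    addr = address.lower()
    domain = addr.rpartition("@")[2]
    for candidate in (addr, "@" + domain, domain):
        if candidate in table:
            return table[candidate]
    return None


# Constructed SigningTable contents in the two styles.
WILDCARD_TABLE = "*@example.com default._domainkey.example.com\n"
LITERAL_TABLE = "@example.com default._domainkey.example.com\n"

if __name__ == "__main__":
    for label, table in (("wildcard", WILDCARD_TABLE), ("literal", LITERAL_TABLE)):
        entries = parse_signing_table(table)
        for addr in ("alex@example.com", "alex@example.com.attacker.test"):
            print(label, addr, "refile:", lookup_refile(entries, addr),
                  "file:", lookup_file(entries, addr))
```

The anchoring in wildcard_to_regex is the security-relevant detail: an unanchored pattern would let a From: address in a lookalike domain pick up a signature for the real one, so a “no signing table match” for a lookalike is the correct outcome, not a bug.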


  97. Matt Cain

    Thanks Steve,

    To also have OpenDKIM sign postfix generated bounce messages add this line to main.cf:

    internal_mail_filter_classes = bounce,notify

    Reply

  98. I got this working with SELinux enabled finally. You will just need a custom policy like this:

    module postfixcleanupopendkim 1.0;

    require {
        type postfix_smtpd_t;
        type postfix_cleanup_t;
        class tcp_socket { read write };
    }

    #============= postfix_cleanup_t ==============
    allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { read write };

    Not sure why it’s not part of the rpm, but there you go.

    Reply

    1. @Chris Hecker, thanks so much for that custom policy, just what I needed. It’s relevant on RHEL/Centos 6.x with postfix 2.6.6 and I’d recommend you post it on Steve’s other blog post about doing this same thing on 6.x.

      Reply

      1. Hey, Jonathan. I’ve actually been swapping emails with Chris in the hopes of getting his policy in the next version of the packaged files. Fedora 18 has a policy built in, but I’ll need to install a custom one for RHEL 5 & 5, and Fedora 16 & 17. I’m hoping to have it ready for the next update.

        Reply
  99. Antonio Díaz Meneses

    Hello Steve!

    Thanks for this great how-to.

    When I send an email using the email server I get this:

    Jan 9 12:16:21 correo postfix/smtpd[16288]: connect from unknown[172.30.2.36]
    Jan 9 12:16:22 correo postfix/smtpd[16288]: 7BF5FA1B8045: client=unknown[172.30.2.36], sasl_method=LOGIN, sasl_username=antonio.diaz
    Jan 9 12:16:22 correo postfix/cleanup[16313]: 7BF5FA1B8045: message-id=
    Jan 9 12:16:22 correo opendkim[16211]: 7BF5FA1B8045: DKIM-Signature header added (s=default, d=example.com.ec)
    Jan 9 12:16:22 correo postfix/qmgr[16285]: 7BF5FA1B8045: from=, size=2861, nrcpt=1 (queue active)
    Jan 9 12:16:22 correo postfix/local[16314]: 7BF5FA1B8045: to=, relay=local, delay=0.78, delays=0.77/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Jan 9 12:16:22 correo postfix/qmgr[16285]: 7BF5FA1B8045: removed
    Jan 9 12:16:25 correo postfix/smtpd[16288]: disconnect from unknown[172.30.2.36]

    That is good

    But when I try to fake the identity of a sender from a foreign host I get this:

    Jan 9 12:20:41 correo postfix/smtpd[16321]: connect from mail.attacker.com [211.211.111.59]
    Jan 9 12:20:54 correo postfix/smtpd[16321]: 49A67A1B8045: client=mail.attacker.com[211.211.111.59]
    Jan 9 12:20:59 correo postfix/cleanup[16326]: 49A67A1B8045: message-id=
    Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): mail.attacker.com [211.211.111.59] not internal
    Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): not authenticated
    Jan 9 12:20:59 correo postfix/qmgr[16285]: 49A67A1B8045: from=, size=480, nrcpt=1 (queue active)
    Jan 9 12:20:59 correo postfix/local[16327]: 49A67A1B8045: to=, relay=local, delay=11, delays=11/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Jan 9 12:20:59 correo postfix/qmgr[16285]: 49A67A1B8045: removed

    I need to reject (or discard) this kind of attempt, when someone tries to send email messages with sender *@example.com from another non-authorized SMTP host.

    Thanks for your appreciated help!

    Reply
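The two maillog excerpts above can be triaged mechanically. The following is an added example (not from this comment or the tutorial) that joins each postfix/smtpd client line with OpenDKIM's verdict for the same queue id; because OpenDKIM logs "not internal" before it knows the queue id, the client IP is used as the join key. The sample log is constructed from the lines quoted in these comments.

```python
import re

# Constructed sample, modelled on the maillog excerpts quoted in these comments: a SASL-authenticated
# submission that was signed, a foreign client marked "not internal", and a localhost client left unsigned.
SAMPLE_LOG = """\
Jan 9 12:16:22 correo postfix/smtpd[16288]: 7BF5FA1B8045: client=unknown[172.30.2.36], sasl_method=LOGIN, sasl_username=antonio.diaz
Jan 9 12:16:22 correo opendkim[16211]: 7BF5FA1B8045: DKIM-Signature header added (s=default, d=example.com.ec)
Jan 9 12:20:54 correo postfix/smtpd[16321]: 49A67A1B8045: client=mail.attacker.com[211.211.111.59]
Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): mail.attacker.com [211.211.111.59] not internal
Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): not authenticated
Sep 29 02:15:39 example postfix/smtpd[3474]: 84EC2A48300: client=example.ws[127.0.0.1]
Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): example.ws [127.0.0.1] not internal
Sep 29 02:15:39 example opendkim[2140]: 84EC2A48300: no signature data
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]"
                       r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
SIGNED_RE = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): DKIM-Signature header added "
                       r"\(s=(?P<sel>[^,]+), d=(?P<dom>[^)]+)\)")
# OpenDKIM emits this before it has a queue id, so the client IP is the only key it shares with smtpd.
NOT_INTERNAL_RE = re.compile(r"opendkim\[\d+\]: \(unknown-jobid\): \S+ \[(?P<ip>[\d.]+)\] not internal")
UNSIGNED_RE = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): (?P<why>no signature data|no signing table match for \S+)")

def _record():
    return {"client": None, "ip": None, "sasl_user": None, "signed": False,
            "selector": None, "domain": None, "not_internal": False, "why": None}

def triage(log_text):
    """Return {queue_id: record}, joining each smtpd client line with OpenDKIM's verdict for that message."""
    msgs, not_internal_ips = {}, set()
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs.setdefault(m["qid"], _record()).update(client=m["host"], ip=m["ip"], sasl_user=m["user"])
        elif m := SIGNED_RE.search(line):
            msgs.setdefault(m["qid"], _record()).update(signed=True, selector=m["sel"], domain=m["dom"])
        elif m := NOT_INTERNAL_RE.search(line):
            not_internal_ips.add(m["ip"])
        elif m := UNSIGNED_RE.search(line):
            msgs.setdefault(m["qid"], _record())["why"] = m["why"]
    for rec in msgs.values():
        rec["not_internal"] = rec["ip"] in not_internal_ips
    return msgs

def unsigned_submissions(msgs):
    return sorted(qid for qid, rec in msgs.items() if not rec["signed"])

if __name__ == "__main__":
    for qid, rec in triage(SAMPLE_LOG).items():
        print(qid, "signed" if rec["signed"] else "UNSIGNED", rec["client"], rec["sasl_user"], rec["why"])
```

Run against a real maillog, the unsigned list shows which submissions left without a signature and whether the client was SASL-authenticated or merely "not internal", which is exactly the distinction the question above turns on.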
    1. Antonio Díaz Meneses

      Hello Steve!

      Messages with unverified DKIM remain in quarantine in a third-party software, and that is actually the best, because I can manage those messages.

      I have a question … how can I make messages that come in SASL authenticated, regardless of source IP address, get the DKIM signature so they are considered valid messages?

      Again, Thanks for your help.

      Reply
  100. Probot

    HI!
    You should change the
    Canonicalization relaxed/simple

    to
    Canonicalization relaxed/relaxed

    (Google also uses relaxed/relaxed), otherwise Yahoo would fail with the DKIM error perm error (bad sig).

    Greetz

    Reply

  101. Hey Steve. Thank you for an excellent tutorial. Postfix is talking to OpenDKIM, etc. I’ve gotten past all my issues using maillog except a final one.. No output.. The last issue I had was “key not secure” and I chowned it to opendkim.opendkim and mod’d to 600. Restarted all and now I get no log message.. No error BUT also no message saying a mail was signed… Any ideas? Does Why=yes still verbose a successfully signed message? Thanks!

    Reply

  102. Steve, I figured out my own issue.. If you use the yum install (I’m on RHEL 6.3) it defaults the mode to “v” rather than “sv”.. Might be helpful for future users. Thanks again for the tutorial!

    Reply

  103. jjsolutions

    Hi, I made a small script for generating a DKIM key on CentOS 6.x.
    It is well tested and should help you guys …

    #!/bin/bash
    #############################################
    #                                           #
    #           OPENDKIM INSTALLATION           #
    #                                           #
    #############################################
    # Builds opendkim 2.4.2 from source, creates the service account,
    # generates a signing key and writes the config files.
    set -e

    ############# PRE-INSTALLATION STATUS #############################

    # Find OS name and details
    echo "OS name is: $(cat /etc/issue)"

    # You must be logged in as root
    echo "You are logged in as: $(whoami)"

    # Check the version of Postfix
    echo "Postfix: $(postconf mail_version)"

    # Check Sendmail status
    echo "Sendmail: $(service sendmail status)"

    ############ INPUTS #####################
    read -p "Enter hostname: " host
    read -p "Enter domain name: " domain
    read -p "Enter selector: " select

    ######## DOWNLOAD AND INSTALLATION OF OPENDKIM PACKAGE ###########
    ## Build dependencies
    yum install -y sendmail-devel openssl-devel gcc make wget

    cd /usr/local/src
    # The SourceForge "download" URL carries no file name, so name the tarball explicitly
    wget -O opendkim-2.4.2.tar.gz http://sourceforge.net/projects/opendkim/files/Previous%20Releases/opendkim-2.4.2.tar.gz/download
    tar zxvf opendkim-2.4.2.tar.gz
    cd opendkim-2.4.2
    ./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
    make
    make install

    # Unprivileged service account with no login shell, also in the mail group
    groupadd -f opendkim
    id opendkim >/dev/null 2>&1 || useradd -r -g opendkim -G mail -s /sbin/nologin -c "OpenDKIM" opendkim
    mkdir -p /var/run/opendkim
    chown opendkim:opendkim /var/run/opendkim
    chmod 700 /var/run/opendkim
    mkdir -p /etc/opendkim/keys
    chown -R opendkim:opendkim /etc/opendkim
    chmod -R go-wrx /etc/opendkim/keys
    cp /usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim /etc/init.d/
    chmod 755 /etc/init.d/opendkim

    ############################ CONFIGURATION ##############################
    ##### Generate key for signing #######
    mkdir -p /etc/opendkim/keys/$domain
    /usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/$domain/ -d $domain -s $select
    chown -R opendkim:opendkim /etc/opendkim/keys/$domain
    mv /etc/opendkim/keys/$domain/$select.private /etc/opendkim/keys/$domain/$select

    ########## WRITE configuration file /etc/opendkim.conf ##########
    # printf writes one line per argument, so the file does not pick up the script's indentation
    printf '%s\n' \
        'AutoRestart Yes' \
        'AutoRestartRate 10/1h' \
        'Canonicalization relaxed/simple' \
        'ExternalIgnoreList refile:/etc/opendkim/TrustedHosts' \
        'InternalHosts refile:/etc/opendkim/TrustedHosts' \
        'KeyTable refile:/etc/opendkim/KeyTable' \
        'LogWhy Yes' \
        'Mode sv' \
        'PidFile /var/run/opendkim/opendkim.pid' \
        'SignatureAlgorithm rsa-sha256' \
        'SigningTable refile:/etc/opendkim/SigningTable' \
        'Socket inet:8891@localhost' \
        'Syslog Yes' \
        'SyslogSuccess Yes' \
        'TemporaryDirectory /var/tmp' \
        'UMask 022' \
        'UserID opendkim:opendkim' > /etc/opendkim.conf

    ##### CREATE FILE /etc/opendkim/KeyTable #######
    echo "$select._domainkey.$domain $domain:$select:/etc/opendkim/keys/$domain/$select" > /etc/opendkim/KeyTable

    ###### CREATE FILE /etc/opendkim/SigningTable ########################
    echo "* $select._domainkey.$domain" > /etc/opendkim/SigningTable

    ###### CREATE FILE /etc/opendkim/TrustedHosts ######
    printf '%s\n' '127.0.0.1' "$host" > /etc/opendkim/TrustedHosts

    #### ADD lines to Postfix main.cf #####
    # Single quotes keep $smtpd_milters literal: Postfix expands it, not the shell
    printf '%s\n' \
        'smtpd_milters = inet:127.0.0.1:8891' \
        'non_smtpd_milters = $smtpd_milters' \
        'milter_default_action = accept' \
        'milter_protocol = 2' >> /etc/postfix/main.cf

    ###### RESTART SERVICES ################################
    hash -r
    service opendkim restart
    service postfix restart
    chkconfig --level 2345 opendkim on

    ############## TROUBLE-SHOOTING ###########
    ### DNS record to publish for the DKIM key ####

    cat /etc/opendkim/keys/$domain/$select.txt

    ############ Good LUCK #############

    Reply

    1. Thanks – that script looks good, but I think it’s even easier just to install the EPEL repo in CentOS and do ‘yum install opendkim’ :)

      Reply
      1. jjsolutions

        But it will automatically update the opendkim configuration files.
        Thanks for considering my script. I am new to OpenDKIM and am learning new things about it. Thanks again..

        Reply

  104. Thanks for the tutorial. I followed it, have it installed, but for some reason, I’m receiving a “no signing table match for test@test.com“. I run an outgoing email marketing server for multiple clients and am not sure if that’s the issue. I tried setting the email test@test.com directly into the SigningTable file, that didn’t work. I tried wildcarding the emails like you suggested, didn’t work. I tried setting the ReturnPath email in the SigningTable file, didn’t work. I tried

    Any thoughts on what’s going on or what I can try?

    Cheers!

    Reply
  105. Ruben Sedano

    Hi Steve, I have a question for you: in the signing table, is it possible that an email *@mydomain.com has two DKIM signature headers? For example, I have domain1.com and domain2.com, and I want to add two DKIM signature headers (domain1.com and domain2.com) to email from domain2.com.
    Is it possible using the signingtable file? I tried the following but I can’t add the signatures:

    *@domain2.com mail._domainkey.domain2.com
    *@domain2.com mail._domainkey.domain1.com

    It only adds 1 signature, and it was the first.
    Best Regards.

    Reply


  106. After I read your posting, I finally succeeded in adding the signature private key,
    and I succeeded in adding the DNS record; I have checked my selector via a web checker and it appears.
    But until now I am confused, because of what I see in my log:

    Aug 1 15:09:43 jiepzmco601 opendkim[4238]: D855E84C96: DKIM-Signature header added (s=default, d=e.example.com)
    Aug 1 15:15:49 jiepzmco601 opendkim[4238]: OpenDKIM Filter: mi_stop=1
    Aug 1 15:15:49 jiepzmco601 opendkim[4238]: OpenDKIM Filter v2.6.7 terminating with status 0, errno = 0
    Aug 1 15:15:50 jiepzmco601 opendkim[12850]: OpenDKIM Filter v2.6.7 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim

    But if I send mail to a user, it is not authenticated, like below:

    Authentication-Results: mta1064.mail.ne1.yahoo.com from=e.example.com; domainkeys=neutral (no sig); from=e.example.com; dkim=neutral (no sig)

    Reply
