Installing OpenDKIM RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora)

For those who want or need to compile and install OpenDKIM from the source code, you can follow the instructions I wrote in this article.

If you’re looking for the fastest and easiest way to get OpenDKIM running on a RedHat or CentOS system, I currently maintain the OpenDKIM package in the Fedora and EPEL repositories. This article will help you install the RPMs and then configure OpenDKIM with Postfix or Sendmail.

DomainKeys Identified Mail (DKIM) is the up-to-date replacement system for the now obsolete DomainKeys email authentication system. For general information about DKIM, check out For more information about the OpenDKIM project, check out

Before you start

This tutorial assumes the following:

  • You are running a “modern” RedHat-compatible Linux distro (RHEL 5/6/7, CentOS 5/6/7, Fedora, etc).
  • You are running a milter-aware MTA, such as Postfix 2.3.3 or newer (do postconf -d mail_version to check) or Sendmail.
  • Your Postfix or Sendmail configuration is currently working (this is very important – you don’t want to troubleshoot two programs at once).
  • If you’re using Postfix, Sendmail is turned off (do service sendmail status to verify).
  • If you’re using Sendmail, Postfix is turned off (do service postfix status to verify).
  • The necessary commands in this tutorial are done as root. If you don’t know what that means, then you probably shouldn’t be doing this. You may be able to get away with just using sudo, but I wanted to make sure I didn’t run into any path issues, so I do it as root.

Install OpenDKIM with Yum

If you’re running Fedora 14 (or newer) or RHEL/CentOS 5 (or newer) then you can use Yum to quickly install OpenDKIM (RHEL/CentOS users must have the EPEL repositories enabled). Just do:

yum install opendkim

This will download and install OpenDKIM with all the default configuration options included below.

For those who like getting their hands dirtier, you can manually download one of my RPMs or even build your own RPM from my Source RPM, which are all available through the Fedora BuildSystem.

Generate keys for signing

Now you’re getting to the fun part. You need to generate a private and a public key (called a keypair) for each of the domains for which you wish to sign mail. The private key is stored away from prying eyes on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail.

As of version 2.10.1-2 of the OpenDKIM package, the RPM no longer auto-generates a default set of keys on initial start-up. However, immediately following installation, you can run the following as a privileged user to generate a default set of keys in /etc/opendkim/keys/ using your server’s domain name and the selector name “default”. This script will also set the proper ownership and permissions for your default keys:


If you want to sign outgoing mail for additional virtual hosts, or use a different selector name than the default, or change any other options, it’s very easy to generate your own keys manually. But if you’re happy with the default keys, you can move on to the next step.

Before building your keys manually, decide what the name of your selector will be. A selector is a unique keyword associated with both keys (public and private), included in all DKIM signatures, and published via your DNS records. For simplicity, I use the word default as my default selector. Feel free to choose something different, but if you do, you’ll need to use it consistently throughout your setup. Also, while this should go without saying, you should use your mail domain instead of throughout the following steps.

Manually create your keys with:

mkdir /etc/opendkim/keys/
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/ -d -s default
chown -R root:opendkim /etc/opendkim/keys/
chmod 640 /etc/opendkim/keys/
chmod 644 /etc/opendkim/keys/

You can do a man opendkim-genkey if you’re interested in what additional options are available when creating your keys. In this example, I used the -D (directory) option, the -d (domain) option, and the -s (selector) option. That’s all you need to get this going.

Edit the configuration files

You’re getting really close now. You need to create and/or edit four files:

  1. /etc/opendkim.conf – OpenDKIM’s main configuration file
  2. /etc/opendkim/KeyTable – a list of keys available for signing
  3. /etc/opendkim/SigningTable – a list of domains and accounts allowed to sign
  4. /etc/opendkim/TrustedHosts – a list of servers to “trust” when signing or verifying

On install, the RPM package should have created a simple /etc/opendkim.conf file on your system. Because signed outbound mail could get flagged as spam if sent before your DNS DKIM text records are properly set up, the default operating mode set by this file is verification only (v). This means that in order to sign outgoing mail, you’ll have to comment, uncomment, and configure some additional options in the configuration file. Use your favorite text editor to open /etc/opendkim.conf and make it look like this:


# Specifies the path to the process ID file.
PidFile /var/run/opendkim/

# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode    sv

# Log activity to the system log.
Syslog  yes

# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes a large increase in the amount of log data generated
# for each message, so it should be limited to debugging use only.
#LogWhy yes

# Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

# Create a socket through which your MTA can communicate.
Socket  inet:[email protected]

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask   002

# This specifies a file in which to store DKIM transaction statistics.
#Statistics              /var/spool/opendkim/stats.dat


# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/simple

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.

# Defines the name of the selector to be used when signing messages.
Selector                default

# Gives the location of a private key to be used for signing ALL messages.
#KeyFile                 /etc/opendkim/keys/default.private

# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
KeyTable                 refile:/etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys.
SigningTable                 refile:/etc/opendkim/SigningTable

# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

# Identifies a set internal hosts whose mail should be signed rather than verified.
InternalHosts           refile:/etc/opendkim/TrustedHosts

You can do man opendkim.conf for more information on each of the options in this file.

Uncomment the Domain option (and include your actual domain name), the KeyTable, SigningTable, ExternalIgnoreList, and InternalHosts options. Also, since you’ll be using a KeyTable, you can comment the KeyFile option.

Next, you’ll need to create the three text files that you just uncommented in your config file. First, using your favorite text editor, create an /etc/opendkim/KeyTable file that looks like this:

The KeyTable file tells OpenDKIM where to find your keys. Each entry in the KeyTable file is a single line for each key location (for example, all of the text in the above example should be on a single line in your file). If you’re going to use multiple keys (to sign mail for virtual domains with different keys, for example), you’ll need to create a separate line in the KeyTable file for each domain, like this:

Next, you need to create or edit the /etc/opendkim/SigningTable file. A default version of this file should have been installed in /etc/opendkim when you installed the RPM, so just uncomment the following line (or edit the file to include this line) so it reads:


The SigningTable file tells OpenDKIM how to use your keys, as in which senders should use which selectors for their signatures. In the above example, I’m saying that everyone (*) sending mail from the server “” should use the selector named “default.” Again, for multiple domains and/or users, you’ll need multiple lines, like this:

[email protected]
[email protected]

In that example, everyone (*) sending mail from the server “” can sign mail and should use the selector named “default.” But only Bob and Doug can sign mail for “” (also using a selector named default). It’s important to note that the * wildcard symbol will only work if the SigningTable option uses the refile: prefix before the filename (see the opendkim.conf documentation for more details).

Next, create an /etc/opendkim/TrustedHosts file that looks like this:

The TrustedHosts file tells OpenDKIM who to let use your keys. Because it’s referenced by the ExternalIgnoreList directive in your conf file, OpenDKIM will ignore this list of hosts when verifying incoming mail. And, because it’s also referenced by the InternalHosts directive, this same list of hosts will be considered “internal,” and OpenDKIM will sign their outgoing mail.

IMPORTANT: Make sure you list the IP address for localhost ( in the TrustedHosts file or OpenDKIM won’t sign mail sent from this server. If you have multiple servers on the same network that relay mail through this server and you want to sign their mail as well, they must be listed in the TrustedHosts file. Put each entry on its own line. An entry can be a hostname, domain name (e.g. “”), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. “”).

It should also go without saying (but I’ll say it anyway) that if you’re planning to sign outgoing mail for remote hosts, your mail server should have been previously configured to allow relaying for those hosts.

Using OpenDKIM with SQL Datasets

For more advanced configurations that are using SQL datasets on a systemd-based server (if you don’t know what this means, then don’t worry — this doesn’t apply to you), the opendkim service may not start after a reboot — and you won’t get any error or warning message to help figure out why.

To solve this, you’ll need to tell systemd to start the opendkim service after the database servers by referencing your database unit file(s) in the “After” section of the OpenDKIM unit file.

For example, if using both MariaDB and PostgreSQL, in /usr/lib/systemd/system/opendkim.service change:

to: mariadb.service postgresql.service

Thanks to George Notaras for finding this issue and suggesting the workaround.

Edit your MTA configuration

Now you’re ready to tell your MTA about OpenDKIM.

Postfix Users:

Telling Postfix about OpenDKIM is easy. Just add the following lines to your Postfix file:

smtpd_milters           = inet:
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept

If you’re running a version of Postfix prior to 2.6, you may need to add:

milter_protocol   = 2

See for more info.

Don’t restart Postfix yet! You need to have OpenDKIM running first, or you’ll get errors in your maillog.

Sendmail Users:

Edit the .mc configuration file that was used to build your current file. Add the following line:

INPUT_MAIL_FILTER(`opendkim', `S=inet:[email protected]')

Then build and install a new If you don’t know how to build and install a file, a quick Web search should shove you in the right direction. Explaining how to do that is beyond the scope of these instructions. I will, however, remind you that backing up your current file is a good idea before you attempt any modifications.

Start OpenDKIM and restart your MTA

It’s time to fire things up! Assuming you’re using bash, do:

hash -r

to rehash your shell so you can find the init script.

Depending on whether your system uses SysV or systemd, start OpenDKIM with either:

service opendkim start

or:

systemctl start opendkim

On SysV systems, you should get a message that says:

Starting OpenDKIM Milter:     [  OK  ]

However, if you get an error message such as:

Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 6: unrecognized parameter

don’t freak out. You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this article. Then try starting up OpenDKIM again.

On a systemd system, you can verify that OpenDKIM started properly with:

systemctl status opendkim

You should get something like:

opendkim.service - DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled)
   Active: active (running) since Tue 2015-03-24 10:29:56 MDT; 46s ago
     Docs: man:opendkim(8)
  Process: 6403 ExecStart=/usr/sbin/opendkim $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 6404 (opendkim)
   CGroup: /system.slice/opendkim.service
           └─6404 /usr/sbin/opendkim -x /etc/opendkim.conf -P /var/run/opendkim/

Mar 24 10:29:56 systemd[1]: Started DomainKeys Identified Mail (DKIM) Milter.
Mar 24 10:29:56 opendkim[6404]: OpenDKIM Filter v2.10.1 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/

Once you’ve confirmed OpenDKIM has started, restart your MTA. Postfix users should refresh Postfix with:

postfix reload

and Sendmail users should do:

service sendmail restart

If everything looks good, set OpenDKIM to auto-start on boot. SysV users should do:

chkconfig opendkim on

and systemd users should do:

systemctl enable opendkim

Adding DNS Records

Now that your mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed. Do:

cat /etc/opendkim/keys/

The output should look something like this:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" )  ; ----- DKIM default for

If you manage your own DNS or have full access to your domain’s zone file, you’ll need to paste the entire contents of the default.txt file at the bottom of your domain’s zone file. If you’re using a web interface to manage your zone file, be careful that the long lines of the public key don’t wrap and create line-feed characters (or fix them if they do). Otherwise, your public key won’t work.

If you’re using a web-based DNS interface (like GoDaddy or CloudFlare), the Name of the TXT record would be default._domainkey and the Value of the TXT record would be everything from the first quote to the last quote (starting with “v=). You can ignore the parentheses, semi-colon, and comments at the end. In the above example, what you’d paste in as the value would be:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB"

If you’re using some other third-party DNS provider, follow their instructions for adding a new TXT Record.

And, as long as you’re messing with your domain’s zone file, now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.
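As an added example (this is not code from the article or from the OpenDKIM project), the following POSIX shell script checks the record you are about to publish, or have already published, against the private key the milter actually signs with. It reads the default.txt file that opendkim-genkey writes, joins its quoted strings into the single TXT value a resolver sees, pulls out the p= tag, checks that the tag is one unbroken run of base64 (the line-wrapping problem described above), and compares it with the public key derived from the private key using openssl. The live-DNS check assumes dig is installed. File paths, selector and domain are all arguments; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or the OpenDKIM project): check the DKIM
# TXT record you are publishing against the private key the milter signs with.
# openssl is needed for the key comparison and dig for the live-DNS check.

# Join the quoted strings of an opendkim-genkey default.txt into the single TXT
# value a resolver would see ("v=DKIM1; k=rsa; p=MIGf..."); the parentheses and
# the trailing ; comment are dropped.
dkim_txt_value() {   # dkim_txt_value DEFAULT_TXT_FILE
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
    echo
}

# Print the raw p= tag value of a TXT value read from stdin. Nothing is stripped,
# so whitespace that a wrapping web form injected stays visible.
dkim_record_pubkey() {
    sed -n -e 's/^p=/;p=/' -e 's/.*[; ]p=\([^;]*\).*/\1/p'
}

# A usable p= value is one unbroken run of base64 characters.
check_pubkey_wellformed() {   # stdin: TXT value
    key=$(dkim_record_pubkey)
    if printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        return 0
    fi
    echo "p= value is empty or not plain base64 (wrapped or truncated?)" >&2
    return 1
}

# Base64 of the DER SubjectPublicKeyInfo derived from a private key: exactly
# the string opendkim-genkey puts in p=.
privkey_pubkey() {   # privkey_pubkey PRIVATE_KEY_FILE
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
    echo
}

# Does the record in default.txt carry the public half of this private key?
check_record_matches_key() {   # check_record_matches_key DEFAULT_TXT_FILE PRIVATE_KEY_FILE
    published=$(dkim_txt_value "$1" | dkim_record_pubkey)
    wanted=$(privkey_pubkey "$2")
    if [ -n "$published" ] && [ "$published" = "$wanted" ]; then
        return 0
    fi
    echo "public key in $1 does not match private key $2" >&2
    return 1
}

# Fetch the live record with dig, join its strings the way DNS does, and compare.
check_live_record() {   # check_live_record SELECTOR DOMAIN PRIVATE_KEY_FILE
    live=$(dig +short TXT "$1._domainkey.$2" | tr -d '\n' | sed 's/" *"//g' | tr -d '"')
    if [ -z "$live" ]; then
        echo "no TXT record found at $1._domainkey.$2" >&2
        return 1
    fi
    printf '%s\n' "$live" | check_pubkey_wellformed || return 1
    if [ "$(printf '%s\n' "$live" | dkim_record_pubkey)" = "$(privkey_pubkey "$3")" ]; then
        return 0
    fi
    echo "record at $1._domainkey.$2 does not match $3" >&2
    return 1
}

# Stand-alone use: sh dkim-record-check.sh /etc/opendkim/keys/default.txt /etc/opendkim/keys/default.private
if [ -n "$2" ]; then check_record_matches_key "$1" "$2"; fi
```

Run check_record_matches_key before you touch DNS and check_live_record (for example `check_live_record default example.com /etc/opendkim/keys/default.private`) once the record has propagated; a mismatch at the second step but not the first almost always means the web form mangled the long p= line.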

Testing Things Out

As I mentioned in my troubleshooting tips, the best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file. Do a:

tail -f /var/log/maillog

When OpenDKIM starts (or restarts), you should see lines like:

opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.10.1 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.10.1 starting (args: -x /etc/opendkim.conf)

When you send a mail that gets successfully signed, you should see:

opendkim[22254]: 53D0314803B: DKIM-Signature header added

The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services. My favorites are:

Each of these will tell you if things are working properly, and give you some pointers on troubleshooting if needed.

If you have a Gmail account, you can also send a signed message there for a quick and easy test. Here’s what a signed message in Gmail will look like:

[Screenshot of the test message in Gmail: subject “DKIM Test Message”, body “Look, Ma! My emails have DKIM Signatures!”]

The signed by: line tells you that the message has been verified as signed by the sender (you may need to press the show details link near the top of the message to see it). I like to click the Show Original link (under the Reply drop-down on the right) to see the signed headers in all their glory. 🙂

Troubleshooting Tips

Tip 1: The best advice I can give when troubleshooting any mail issues (including OpenDKIM) is to start a second shell session in another window and do:

tail -f /var/log/maillog

while you’re starting, stopping, and/or restarting OpenDKIM and your MTA. This allows you to see more details about any errors in your configuration.

Tip 2: If OpenDKIM is starting properly and logging to your mail log, but your outgoing mail isn’t getting signed, the first thing to check is whether the default operating mode is still set to the default verification only (v) instead of sign and verify (sv) in /etc/opendkim.conf. Change the Mode to sv, restart OpenDKIM, and try sending your test message again.

Tip 3: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn’t getting signed and you want to know why, this should tell you.

Tip 4: If you can’t get things working on your own, I recommend subscribing to the OpenDKIM-Users discussion list at It’s a low-traffic list with very helpful and friendly members (including me!) who are happy to nudge you in the right direction.
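Tips 2 and 3, together with the TrustedHosts and refile: notes in the configuration section, can be checked mechanically. The following POSIX shell script is an added example, not part of the article or the OpenDKIM package: it reads an opendkim.conf and reports the mistakes that come up most often in the comments below: Mode left at the default v, a table file the config references that does not exist yet (the dkimf_db_open error), wildcard SigningTable entries without the refile: prefix, 127.0.0.1 missing from InternalHosts, and a private key that other users can read. The function names and the exit-code convention are my own, and the config path is an argument so the script can be run against a copy.

```shell
#!/bin/sh
# Added example: sanity checks for an OpenDKIM setup built the way this
# tutorial describes. Not part of the article or the OpenDKIM package.
# Every check takes the path of the opendkim.conf to inspect and returns
# 0 (ok) or 1 (problem, with a one-line reason on stderr).

# Print the value of one directive (comments skipped, name matched
# case-insensitively, first match wins). Prints nothing if it is absent.
conf_value() {   # conf_value CONF DIRECTIVE
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Turn a dataset spec such as refile:/etc/opendkim/KeyTable into a plain path.
dataset_path() {
    printf '%s\n' "$1" | sed -e 's/^refile://' -e 's/^file://'
}

# Tip 2: nothing is signed unless Mode contains "s" (sv or s).
check_mode() {
    case "$(conf_value "$1" Mode)" in
        *s*) return 0 ;;
    esac
    echo "Mode is not sv: outgoing mail will be verified but never signed" >&2
    return 1
}

# "dkimf_db_open(): No such file or directory" at start-up means one of the
# table files the config references has not been created yet.
check_table_files() {
    rc=0
    for d in KeyTable SigningTable ExternalIgnoreList InternalHosts; do
        v=$(conf_value "$1" "$d")
        if [ -z "$v" ]; then
            echo "$d is not set (still commented out?)" >&2; rc=1
        elif [ ! -f "$(dataset_path "$v")" ]; then
            echo "$d points at missing file $(dataset_path "$v")" >&2; rc=1
        fi
    done
    return $rc
}

# The * wildcard in a SigningTable only works with the refile: prefix.
check_signingtable_refile() {
    v=$(conf_value "$1" SigningTable)
    p=$(dataset_path "$v")
    if [ -f "$p" ] && grep -q '\*' "$p"; then
        case "$v" in
            refile:*) return 0 ;;
        esac
        echo "SigningTable has wildcard entries but lacks the refile: prefix" >&2
        return 1
    fi
    return 0
}

# Mail submitted on this host is only signed if 127.0.0.1 is an internal host.
check_localhost_internal() {
    p=$(dataset_path "$(conf_value "$1" InternalHosts)")
    if [ -f "$p" ] && grep -qx '127\.0\.0\.1' "$p"; then
        return 0
    fi
    echo "127.0.0.1 is missing from InternalHosts: local mail will not be signed" >&2
    return 1
}

# A private key should be 0640 root:opendkim, i.e. no permissions for others.
check_key_perms() {   # check_key_perms KEYFILE
    if [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]; then
        return 0
    fi
    echo "$1 is readable by other users ($(ls -ld "$1" | cut -c1-10))" >&2
    return 1
}

# Run everything; the exit status is 1 if any check failed.
check_all() {   # check_all CONF [KEYFILE...]
    conf=$1; shift; rc=0
    check_mode "$conf" || rc=1
    check_table_files "$conf" || rc=1
    check_signingtable_refile "$conf" || rc=1
    check_localhost_internal "$conf" || rc=1
    for k in "$@"; do check_key_perms "$k" || rc=1; done
    return $rc
}

# Stand-alone use: sh opendkim-check.sh /etc/opendkim.conf /etc/opendkim/keys/*/default.private
if [ -n "$1" ]; then check_all "$@"; fi
```

Run it as root before the first `service opendkim start`, and again whenever the milter starts but the maillog shows no "DKIM-Signature header added" line; each failing check names the directive to fix.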

Automating Configuration and Key Generation for Multiple Domains

If you’re hosting a large number of domains, generating keys and editing all the appropriate files can be time-consuming. The following script was submitted by a reader (Almir Duarte Jr.) to help speed up the process. Use at your own risk.

Further reading

  • – the official site for DomainKeys Identified Mail
  • OpenDKIM Project Site – the program I used to get DKIM working
  • Sendmail DKIM – a detailed article from Eland Systems about DKIM. They use the dkim-milter package, upon which OpenDKIM is based. I much prefer the newer OpenDKIM, but this article explains DKIM very well and has some good tips.
  • Mail-DKIM and DKIM-proxy – my first experiments with DKIM were with these tools. I never got it working quite right, but there’s lots of good info there.
  • – not technically related to DKIM, but it’s another spam-fighting technique that you should be using if you’re sending email
  • My OpenDKIM GitHub repo – if you’d like to mess with the SPEC file or patches that I use to create the OpenDKIM package in the Fedora & EPEL repos, knock yourself out! Please fork the “develop” branch and submit your pull requests there, as the “master” is intended only for release versions.

Good luck! Please post in the comments with your successes, questions, or suggestions.

  • Pingback: How to get DKIM (DomainKeys Identified Mail) working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM – Steve Jenkins' Blog

  • Bill

    Thanks for providing these RPMs, it makes it much easier to install than the previous method of building from source (which I’ve been using for a while). These are excellent instruction for getting it working but there’s one error and a question. You have this at the “Edit Configuration Files” section:


    and you then reference the following (in line 61 of the conf file):


    On line 64 of the conf file you reference the dataset with a preceding “refile:” to the file name. In line 52 where you mention the KeyTable you omit the “refile:”, is this a change to the conf file or have you just missed that from a couple of those lines?

    Once again, many thanks for your wok on this.

    • Bill

      Oops, typing error. My last line should have read:

      Once again, many thanks for your work on this.

    • Hi, Bill. Ah – that was a typo on my part. I used to recommend “trusted-hosts” but then switched to “TrustedHosts” to be consistent. I’ve updated the HowTo. Thanks for the catch!

    • And to answer your other question, the refile: prefix is only necessary if you want to use the wildcard * symbol in your files (like I do in my SigningTable). A very early version of OpenDKIM used to support regular expressions, and the term was kept in for backward compatibility, even though it no longer technically supports regex (or needs to). I now throw the refile: prefix at all the files, because I’ve been stumped in the past when troubleshooting things that weren’t working as I expected, and didn’t notice that I’d missed the prefix. So now I always use it, and avoid the “DOH!” moments. 🙂

  • Pingback: DKIM Proxy Install on CentOS 5.4 – Steve Jenkins' Blog

  • ethilanka

    I’m getting the following error when I try to run ” /usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/ -d -s default”

    -bash: /usr/local/bin/opendkim-genkey: No such file or directory

    Let me know which step i have missed…!


    • Do :

      which opendkim-genkey

      and it should tell you where it is on your server.

      • Robert

        My opendkim version is: 2.9.0
        I downloaded manual to my server and installed correctly.

        [[email protected] ~]# which opendkim-genkey
        /usr/bin/which: no opendkim-genkey in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
        [[email protected] ~]#

  • Eric

    Getting the error

    Oct 14 06:12:21 power opendkim[3408]: (unknown-jobid): no signing table match for ‘[email protected]
    Oct 14 06:12:22 power opendkim[3408]: C5D7A7070447: no signature data

    * default._domainkey.somedomain is in my SigningTable

    somedomain=my domain. I changed it as this is public and everybody can view it.

    Any ideas?

    • The “.com” is missing off your SigningTable line in this example, I’m assuming that’s in your actual signing table? Also, does your opendkim.conf file reference your SigningTable file with “file:” or “refile” in front of it? You need “refile” in order to use wildcards.

      • Eric

        Awesome! that appears to have fixed it however it appears in my mail log the signature is not being added.

        I went through and double checked everything so what do you think is the issue?

        • There could be a lot of reasons. I’m assuming you followed the troubleshooting steps and set LogWhy to yes. If so, what does the log say is the reason for not signing?

          • Eric

            I did so and it still doesn’t Display it.

            Oct 14 06:34:19 power postfix/smtpd[3856]: connect from “CUT”
            Oct 14 06:34:19 power postfix/smtpd[3856]: 1EBD77070447: client=”CUT”, sasl_method=LOGIN, sasl_username=”CUT”
            Oct 14 06:34:19 power postfix/cleanup[3862]: 1EBD77070447: message-id=<[email protected]"CUT"
            Oct 14 06:34:19 power postfix/qmgr[3300]: 1EBD77070447: from="CUT", size=596, nrcpt=1 (queue active)
            Oct 14 06:34:19 power postfix/smtpd[3856]: disconnect from "CUT"
            Oct 14 06:34:19 power dovecot: IMAP("CUT"): Disconnected: Logged out

            You can see it's running tho

            Oct 14 06:33:35 power opendkim[3688]: OpenDKIM Filter: mi_stop=1
            Oct 14 06:33:35 power opendkim[3688]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
            Oct 14 06:33:36 power opendkim[3830]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/

            Boy, am I stupid lol

            I overlooked changing mode v to mode sv and it works now!

            Thanks for your help!

  • kan

    I used opendkim under CentOS-32 and worked fine without an issue.
    But I’m using opendkim under Centos-64 5.7, Postfix 2.3.3, opendkim 2.4.2 and I’m facing that Domain key =Failed.

    Yahoo check = PASS, Hotmail and Gmail=Fail
    brandonchecketts=Message does not contain a DomainKeys Signature
    Thank you

    • The results are accurate. DKIM is not the same as DomainKeys. DomainKeys is outdated, and replaced by DKIM, but Brandon’s tool allows you to check both. If Brandon’s site passes the DKIM check (again, different than a DomainKeys check), then you’re good to go.

      As an aside, you may want to consider upgrading your Postfix. I have a post here in my blog dedicated to building the latest version for CentOS and upgrading seamlessly.

      • Brad

        Doesn’t Yahoo still rely heavily on DomainKeys, though? Is it possible to use opendkim to sign with DomainKeys as well as DKIM? The code suggests it’s possible, but I’m not having much luck with configuring it.

  • JP

    In your notes about generating keys, you may want to note that /etc/rc.d/init.d/opendkim will automatically generate keys for the host domain upon initial startup unless this variable is changed in that file:

    You do say this will happen, but this is how to prevent it from happening in case you are generating individual keys by following the steps after that.

    • Good point, JP. I did include that support in the spec file for the package, but didn’t mention it in this article. I’ll add it. 🙂

  • This script will come in handy especially if you have several domains to do. It generates the keys, then performs steps 2,3, and 4 of “Edit the configuration files”:

    #!/bin/bash
    # Takes the domain to set up as its first argument (assumed: the posted
    # snippet did not show where $domain came from). Run as root.
    domain="$1"
    [ -n "$domain" ] || { echo "usage: $0 domain" >&2; exit 1; }

    function makekey {
        mkdir /etc/opendkim/keys/$domain
        /usr/bin/opendkim-genkey -D /etc/opendkim/keys/$domain/ -d $domain -s default
        chown -R opendkim:opendkim /etc/opendkim/keys/$domain
        # keep the private key under the plain selector name referenced in the KeyTable below
        mv /etc/opendkim/keys/$domain/default.private /etc/opendkim/keys/$domain/default
    }

    makekey $domain
    echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default" >>/etc/opendkim/KeyTable
    echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable

  • Anshul

    Hi Steve,

    Thanks for your blog. I followed step by step process whatever you defined here. But I am getting error in my log file when I try to send mails.
    opendkim[13511]: KeyTable entry for ‘’ corrupt

    • Based on the error message, it’s saying something is wrong with your KeyTable. Try recreating your KeyTable and be careful not to make any typos!

  • When I run:

    yum install opendkim

    I get this response:

    Setting up Install Process
    No package opendkim available.
    Error: Nothing to do

    • Hi, Rick. What OS and version are you running?

      • RHEL 6

        • Thanks. And I’m assuming you have EPEL installed?

          • Perhaps not. How do I check?

          • Ah – I bet that’s it. 🙂 Scroll back up and look for the link to the EPEL setup instructions in the paragraph just before the “yum install opendkim” step.

  • I am getting pretty close. When I run:
    service opendkim start
    I get – configuration error at line 2: unrecognized parameter

    Line 2 is – PidFile /var/run/opendkim/

    I looked in the /var/run/opendkim folder and there is no file.

  • I still have two problems. For Umask 002 I am getting an Illegal value error.

    Then, when I try to start dkim, I get this error:

    : dkimf_db_open(): No such file or directoryndkim.conf: refile:/etc/opendkim/TrustedHosts

    • Hmm… I’ve never seen that Umask issue before, so I can only assume it’s related to something on RHEL6 – and I haven’t tested this on there yet. I’ll fire up a VM and test it out.

      However, the fact that you’re getting that error regarding the TrustedHosts file causes me to believe you’re missing some steps in the setup. In the “Edit the configuration files” step, it clearly states you have to create it. I’d re-read the instructions to make sure you’re not missing anything else.

      • I just fired up a vanilla CentOS 6 VM running Postfix 2.8.4, and then followed the instructions in this article exactly and got OpenDKIM running fine, so I’ve confirmed they work on EL6. My gut says you’re probably missing something simple in the instructions, so please go through them carefully. If you’re still having trouble, join the OpenDKIM-users mailing list and we can figure it out over there. 🙂

  • Thanks Steve. I joined the list and posted full details to the list.

    • John Low

      Thanks Steve for this wonderful step-by-step guide.

      Hi Rick,

      I ran into the same issue as you.

      So, I commented out UMask and am now getting the error:
      : dkimf_db_open(): No such file or directoryndkim.conf: refile:/etc/opendkim/TrustedHosts

      Therefore, greatly appreciate if you can share the solution.

      • Is your TrustedHosts file in the /etc/opendkim directory?

        • John Low

          Yes Sir. There are 3 files: KeyTable, SigningTable and TrustedHosts in the directory. There is also the keys subdirectory.

          There are 4 lines in the TrustedHosts:

          [our ip address]
          [our domain name]

          • Hmmm…. Come join the OpenDKIM-users email list and I know we can sort it out.

          • John Low

            Hi Steve

            Tried to join the list but received this weird error email reply after I replied to the email “Subscription confirmation for ‘opendkim-users’‏”…

            >> �6�{��{�u&�� ]� �8��� 4�Z� �b���k�b� �� �vH�����:���g��,��h�f� �( �n7�
            >> �n�+� b�w( �� �b�w��)zwd�o� �������g��,��h�f� �(����z�^v�Z *.m�.n�+�
            >> ��^ ” ��z &j)b� b� ��� �� ��m��z r��a�ɞ�Ơ{�^j����^ �,j ����)�i���
            >>  ay�%��”� b �” ��j)m����k����l��^ ” �+������o���� � �vH������yh�����fj)�r���
            >> A�A
            Unknown command.

            Seems like it’s not gonna be my day… 🙁

          • John Low

            Hi Steve

            Turns out that at least one of the files were corrupted. I recreated them and the errors are gone.

            Now, I’m able to receive email but nothing gets sent. Has this anything to do with DKIM?


          • OpenDKIM won’t prevent your mails from sending. Was your mail server functioning properly before trying to set up OpenDKIM?

          • John Low

            You’re right Steve.

            Mails are just not getting sent via port 25… I’m so sorry for the trouble.

            Cheers and have a good day 😀

          • Glad it was something simple! 🙂

  • Nick

    Thanks for the fine tutorial.

    A short question: When defining


    does this affect subdomains too, or we must define any subdomains explicitly?

    For example, mail from will also be signed?


    • Subdomains are considered different domains. You can ignore the “Domain” directive if you use the SigningTable, and include all your domains and subdomains for which you wish to sign in there instead.

      • flexic

        Related to subdomains, we have a couple older servers setup for dkim-milter so they have their own selectors (ex: and I am setting up a new server with OpenDKIM, should I change the configs for all mail servers to use the same pub/private keypair and reference ? If not how would I setup the various keytable files to handle the new server, say

  • Just wanted to say “Thanks!” With your walkthrough, this was easy as could be.

  • Gavin

    Hi There, This guide helped me greatly – I managed to get DKIM working for all my 3 domains under postfix 2.3.3. However a recent Plesk update very kindly updated my postfix to 2.8.4 and now things have changed – the DKIM signature is added via server webmail (signature works and is validated) – however emails sent from Outlook/Entourage through the postfix server (using the same authentication details) do not get the signature added at all. I have ensured all IP addresses are added to the TrustedHosts file. Would you have any suggestions?

  • iliya

    Thank you very much! Awesome tutorial, I’ve set up dkim within half an hour.

  • I overlooked changing mode v to mode sv and it works now!

    I missed this part too. While this excellent article does give you the instruction to make your opendkim.conf “look like this”, it’s a bit misleading that all the other changes are explicitly mentioned. It took me a good while to figure out why my mails weren’t getting signed, though in hindsight the Mode being left at the default of “v” was obvious.

    Thanks for this extremely insightful article. After setting up OpenDKIM my server e-mails are finally getting through to Gmail inboxes. Thanks!

  • Pingback: ServerGrove Blog » Blog Archive » Best practices to send out emails with your server

  • Pingback: Rapid Cognition :: DKIM with Postfix on CentOS 6

  • Hi,

    I have installed the EPEL repositories, but can’t get “yum install opendkim” to work. CentOS 5, any idea?

    Thank you

  • One big thanks to this great tutorial.

    DKIM is working even better than expected for our emails 🙂

  • Excellent guide, Steve. Now have DKIM installed like a boss.

  • oscar

    Hi Steve, I have made the guide with no problems! It’s very well explained 🙂

    Just that sometimes on Hotmail I get DKIM Pass and sometimes PermError


    X-SID-PRA: [email protected]
    X-Message-Status: n:0:n
    X-SID-Result: Pass
    X-DKIM-Result: PermError
    X-AUTH-Result: PASS


    X-SID-PRA: [email protected]
    X-Message-Status: n:0:n
    X-SID-Result: Pass
    X-DKIM-Result: Pass
    X-AUTH-Result: PASS

    That test was on the fly, one mail right behind the other, and trying a few times it changes: sometimes Pass and sometimes PermError.

    Any idea? :/


    • oscar

      Sorry, I had an error in the key.

      The k was missing from the key rsa value:

      v=DKIM1; =rsa; p=MIGfMA0GCSqGSIb3DQ….

      But without the k, Hotmail sometimes still returned X-DKIM-Result: Pass.

      Now that I have corrected it, it is always marked with X-DKIM-Result: Pass.

      Thanks 🙂

  • Hi Steve, this is a great post! I created a simple bash script based a little off your post to automate the process a little more, especially if you’re trying to sign lots of domains at once. Check it out here:

  • JK

    opendkim is signing all email for all domains, even though I set it to sign only a specific domain. Any fix for this?

  • Pingback: Steve Jenkins' Blog How-To: Postfix configuration to reduce Yahoo deferrals using Transport Maps | Steve Jenkins' Blog

  • Really great tutorial, thanks a ton for putting it up. It worked perfectly, I just had to also change the /etc/sysconfig/opendkim AUTOCREATE_DKIM_KEYS=NO like JP says above to keep it from generating keys on startup. Hotmail and gmail are both passing dkim now, and I’m going to check everybody else now. Thanks again!

  • Alan munoz

    Hi Steve, excellent tutorial, but I can’t get my emails signed. I did everything step by step and I have no errors or missing configuration; I have rechecked several times. My emails are still not signed. I added the TXT records yesterday and it is still not correct 24 hours later. What can I check to get this solved?

    I appreciate your help.

  • David B

    Hello. Great article, thanks for the tutorial. I’m a newbie with DKIM and postfix, but with this excellent tutorial mails were signed on the first run!!

  • Peter Jamnicky


    Thank you. Great, great, great… This is only one good guide.

    It corrected all my problems 🙂

  • Pingback: Adventures with DKIM | The Lunching Friar's Tale

  • Thanks Steve. Good Job 🙂

  • Pingback: Enterprise Class Mail Server « Linux Server Configuration

  • Steve,

    This is a wonderful guide, and I’m now using DKIM correctly and it’s working in all cases except one. Our mail server runs a script to deliver a mailing list to our clients. How it works is that it generates an email file on disk, and then runs “cat /path/to/tempfile | sendmail -t [email protected]” so that the sendmail script parses the tempfile for addresses to send the email to. The headers of the email contain the recipients in a bcc header.

    The problem appears to be that the sendmail script does not connect to the smtp server (postfix) via TCP connection, EG:, and so emails processed this way do not appear to be getting signed. Any idea how we can add local file sockets to the TrustedHosts file?

    Server Config:
    CentOS 6
    opendkim-2.7.3-2.el6.i686 from epel


    With this config, DKIM signatures appear in emails sent from using sendmail -t, but not when using sendmail -t on the mail server itself. Also, the email headers as received by the recipients don’t contain an expected header like:

    Received: from ourserver ( [])
    by (Postfix) with ESMTP id 865A0C03C9
    for ; Tue, 8 Jan 2013 02:02:42 +0000 (UTC)

    It’s this missing header which makes me suspect that it’s not matching TrustedHosts entry.

    • Cause found, original post can be deleted. Postfix change from

      non_smtpd_milters = $smptd_milters
      # to
      non_smtpd_milters = $smtpd_milters

      # note $smptd_milters should be $smtpd_milters

  • Akram

    Hello, thank you for your post, it is really helpful and well explained. I followed all those steps, but my emails still don’t integrate the DKIM signature; I don’t know why. When I test sending email, I get these headers.

    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from ( [])
    by (Postfix) with ESMTP id 2E7CA3A38009
    for ; Sat, 12 Jan 2013 12:55:15 -0500 (EST)
    Received: from (localhost [])
    by (8.14.4/8.14.4) with ESMTP id r0CHtEsp032049
    for ; Sat, 12 Jan 2013 20:55:14 +0300
    Received: (from [email protected])
    by (8.14.4/8.14.4/Submit) id r0CHtE2a032047
    for [email protected]; Sat, 12 Jan 2013 20:55:14 +0300
    Date: Sat, 12 Jan 2013 20:55:14 +0300
    From: “[email protected]
    Subject: Testing

    I think the error is that [email protected] is the sender of the email; I don’t know how to change it.
    Can you help me?

  • Linus

    Steve, first thank you very much for your nice tutorial.
    Basically I think my setup is running, but I’m experiencing problems with the DNS record. While doing the

    cat /etc/opendkim/keys/

    I receive the output as follows:

    default._domainkey IN TXT "v=DKIM1;=rsa; p=MIGfMA0G

    Since my messages do not appear as signed somewhere else and tells me “This is not a good DKIM key record”, I strongly believe something is going wrong. Unfortunately I have no clue what this could be, everything has been done as provided by you.

    Thanks a lot in advance!

    • A Reader

      you are missing the K in k=rsa

      see comment above by Oscar

  • Hi,

    I have written a small script to try to automate this process for the case where we have a certain number of domains hosted.


    (script edited out of comment and transferred to Gist)

    • Thanks, Almir! I’m sure this will come in useful for admins with lots of domains. I’ll mention it in the main article.

  • Pingback: DKIM with Postfix on CentOS 6 | Rapid Cognition

  • agismaniax

    I followed these steps carefully, but in the end I always get DKIM fail.

    Summary of Results
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: fail
    Sender-ID check: pass
    SpamAssassin check: ham

    Authentication System: DomainKeys Identified Mail (DKIM)
    Result: DKIM signature confirmed BAD
    Description: Unrecoverable error during processing; signature data cannot be verified
    Reporting host:
    More information:
    Sendmail milter:

    I’m using CentOS 6.3 (x64), Postfix 2.6.6 and MailScanner 4.84.5.
    Could you help me?

  • Pingback: Instalar opendkim en Fedora e integrarlo con postfix | Hello, IT.

  • Pingback: DKIM: "message may have been tampered with or corrupted"

  • tam

    OpenDKIM is installed, but when I receive mail, maillog shows this error:
    May 26 20:26:35 mail postfix/smtpd[14790]: warning: unreasonable macro call nesting: "inet: = "
    May 26 20:26:35 mail postfix/smtpd[14790]: warning: unreasonable macro call nesting: "smtpd_milters"
    May 26 20:26:35 mail postfix/smtpd[14790]: fatal: dictionary mail_dict: macro processing error
    May 26 20:26:36 mail postfix/master[14774]: warning: process /usr/libexec/postfix/smtpd pid 14790 exit status 1
    May 26 20:26:36 mail postfix/master[14774]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
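Both the `$smptd_milters` typo in the reply further up and tam's "unreasonable macro call nesting" errors come from the way Postfix expands `$parameter` references in main.cf. The script below is an added example, not Postfix's own code: a small expander that parses main.cf syntax and reports the two failure modes, a reference to an undefined parameter (Postfix expands it to an empty string, so `non_smtpd_milters` silently ends up empty and locally submitted mail is never handed to OpenDKIM, which matches the "sendmail -t on the server itself is not signed" symptom) and a parameter that refers back to itself. The configuration fragments and the `inet:127.0.0.1:8891` socket address are constructed for the example, not taken from either commenter's configuration.

```python
import re

_REF = re.compile(r"\$(?:\{(\w+)\}|(\w+))")  # matches $name or ${name}

# Constructed main.cf fragments (not the commenters' real files).
MAIN_CF_TYPO = """\
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smptd_milters
milter_default_action = accept
"""

MAIN_CF_LOOP = """\
smtpd_milters = inet:127.0.0.1:8891, $smtpd_milters
non_smtpd_milters = $smtpd_milters
"""

MAIN_CF_OK = MAIN_CF_TYPO.replace("$smptd_milters", "$smtpd_milters")


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that start with whitespace."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:  # continuation line
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, name, _stack=()):
    """Expand $references recursively. Raises KeyError for an undefined
    parameter and RecursionError when a parameter refers back to itself."""
    if name in _stack:
        raise RecursionError(f"unreasonable macro call nesting: {name}")
    if name not in params:
        raise KeyError(name)
    return _REF.sub(
        lambda m: expand(params, m.group(1) or m.group(2), _stack + (name,)),
        params[name],
    )


def check_milter_params(text):
    """Return {parameter: None or a problem string} for the two milter settings."""
    params = parse_main_cf(text)
    report = {}
    for name in ("smtpd_milters", "non_smtpd_milters"):
        if name not in params:
            report[name] = "not set"
            continue
        try:
            value = expand(params, name)
        except KeyError as e:
            report[name] = (f"references undefined parameter ${e.args[0]}; "
                            "Postfix expands it to an empty string, so no milter is called")
            continue
        except RecursionError as e:
            report[name] = str(e)
            continue
        report[name] = None if value else "empty: messages on this path are not signed"
    return report


if __name__ == "__main__":
    for label, cf in (("typo", MAIN_CF_TYPO), ("loop", MAIN_CF_LOOP), ("ok", MAIN_CF_OK)):
        print(label, check_milter_params(cf))
```

On a live system `postconf -n` already warns about undefined parameters, so the quick check is `postconf -n | grep milters` followed by `postconf non_smtpd_milters` to see the expanded value; the script is useful when reviewing a main.cf that is not installed on the box you are sitting at.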

  • Carlos

    Hi Steve,
    hopefully you are still giving support here; I got the following error messages in maillog:

    Can’t load key from /etc/opendkim/keys/ Permission denied
    hostname opendkim[1319]: 5C4A1600F0: error loading key ‘’

    Actually no emails are sent. I already did chmod 700 on the default.private file. If using chown, to what should I set the permissions?

    Best regards,

    • The private key should be permissions 600 (not 700) and owned by the opendkim user. Try:

      chown -R opendkim:opendkim /etc/opendkim/keys/


      chmod 600 /etc/opendkim/keys/*

  • Carlos

    Hi Steve, what should I say… thank you, thank you very much, for this great blog post and for giving support! It works fine now! Have a nice weekend! Carlos

  • Hello, Congratulations for the tutorial on opendkim. Excuse my English, but I’m French and this message is translated with Google translation. My dedicated server with 1 & 1 has Centos 5.9, Postfix 2.8.4 and Plesk 11.0.9. My opendkim is probably not installed because when I type in Putty “Service opendkim start” I get the answer “Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 20: illegal value”. I also have an error “`opendkim:opendkim’: invalid user”. If I give you privately the root password of my SSH access, can you look on my server where the problem is? Friendly greetings, Charley

  • Pingback: Install postfix, dkim, spf on ubuntu, set up a reliable local mail server | 联网麻将

  • Leon

    Hi Steve,

    Thanks for your post, it was really helpful in getting opendkim to work.
    I had one problem that I couldn’t find here that may be of help to someone debugging their config.
    Make sure there are no spaces at the end of the lines in the KeyTable.
    Spaces will not be stripped when dkim parses the line and therefore your keyfile will not be found.


  • Leon

    Hi Steve,

    I have a double signing problem using postfix and opendkim:
    From the command line mails are signed once and are tested OK by Google, port25 and elandsys. So far all is cool.
    But when I mail from Interspire messages get signed twice.

    Is there a way to send mail for signing using the ?
    This could give us a way to only loop once through the opendkim signing process.



  • Alejo

    Hi Steve, thanks very much, this thing works on the first try (Centos 5.8).
    My only question is… can my DNS zone (/var/named/) have many signatures?
    Or is it only one per domain?

  • vinit

    Hi ,
    I have newly installed opendkim on centos 6.4 and I found your article very helpful, but still my mail is not getting signed. Please help me.

  • maryan

    more than 2 yrs old but still works like charm.

    thanks man. 🙂

    • Thanks, Maryan. I come back through and follow this procedure myself every time I update the Fedora/EPEL package, so I try to keep it up to date. 🙂

  • Zot ter

    Just wanted to say “Thanks!”

    Used the RPM method (EPEL repo) to install OpenDKIM and configure it on a CentOS 6.5 box using postfix.

    Worked first try with no issues at all. Well done on the how to!!


  • zlaja

    I’m getting an error while loading the key, even though the owner is opendkim and permissions are 600.
    This is output of /var/log/maillog

    Feb 12 08:20:10 opendkim[2947]: key data is not secure: / can be read or written by other users
    Feb 12 08:20:10 opendkim[2947]: 9C3ED5A008F: error loading key ''
    Feb 12 08:20:10 postfix/cleanup[5718]: 9C3ED5A008F: milter-reject: END-OF-MESSAGE from localhost[]: 4.7.1 Service unavailable - try again later; from= to=
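The two key-loading failures in this thread (the "Permission denied" in Carlos's log, answered with "600, owned by opendkim", and the "key data is not secure" refusal here) are two sides of one check: the private key must be readable by the opendkim user and nobody else, and OpenDKIM additionally refuses a key whose file or enclosing directories other users can write to. The script below is an added example, not OpenDKIM's code: it reproduces that check closely enough to triage a box. The exact rule OpenDKIM applies to parent directories, and the sticky-bit exemption for directories like /tmp, are assumptions. On a real server pass `pwd.getpwnam("opendkim").pw_uid` as the expected owner; the demo uses a temporary file and the current user so it runs anywhere.

```python
import os
import stat
import tempfile


def mode_problems(path, st_mode, st_uid, expected_uid, is_dir=False):
    """Pure check behind check_private_key(), kept separate so it can be run
    against constructed stat values. Returns a list of findings (empty = fine).

    expected_uid may be None to skip the ownership test (used for the system
    directories above the key, which are normally owned by root).
    """
    problems = []
    perms = stat.S_IMODE(st_mode)
    if expected_uid is not None and st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st_uid}, expected uid {expected_uid}")
    if is_dir:
        # Assumption: a directory on the path is unsafe if group or others can
        # write to it, unless the sticky bit is set (as on /tmp).
        if perms & (stat.S_IWGRP | stat.S_IWOTH) and not perms & stat.S_ISVTX:
            problems.append(f"{path}: directory writable by group or others (mode {perms:04o})")
    else:
        # The key itself: owner read/write only, i.e. 0600 as the reply above says.
        if perms & ~0o600:
            problems.append(f"{path}: mode {perms:04o}, should be 0600")
    return problems


def check_private_key(path, expected_uid, check_ancestors=True):
    """Report everything that would make OpenDKIM refuse to load the key at path."""
    st = os.stat(path)
    problems = mode_problems(path, st.st_mode, st.st_uid, expected_uid)
    if check_ancestors:
        d = os.path.dirname(os.path.abspath(path))
        while True:
            dst = os.stat(d)
            problems += mode_problems(d, dst.st_mode, dst.st_uid, None, is_dir=True)
            parent = os.path.dirname(d)
            if parent == d:  # reached the filesystem root
                break
            d = parent
    return problems


def demo():
    """Create a throwaway key file and run the check before and after the fix.

    Ancestor directories are skipped here because a temp directory's parents
    are outside our control; on a real box leave check_ancestors=True.
    """
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "default.private")
    with open(key, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder, not a key\n")
    os.chmod(key, 0o644)  # the kind of mode a copied file often ends up with
    before = check_private_key(key, os.getuid(), check_ancestors=False)
    os.chmod(key, 0o600)  # the fix from the reply above
    after = check_private_key(key, os.getuid(), check_ancestors=False)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 600:", before)
    print("after chmod 600: ", after)
```

The second finding type is what zlaja's log is about: after `chown opendkim:opendkim` and `chmod 600` on the file, a group- or world-writable directory somewhere above it (for example a keys directory created with a permissive umask) still makes OpenDKIM refuse the key, so walk upward with `ls -ld` on each component, which is what `check_ancestors=True` automates.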

  • Jon

    Great Article Steve. Many thanks.

    I “think” most of it worked but I am having an issue with the mail client rejecting (5.3.1) the relay.

    I am wondering if its something to do with postfix/ edits. I’m running Centos 6.

    Any ideas? or where to start?

  • Frickin’ Brilliant!

    I’ve needed to add DKIM to my email server for ages but references from Microsoft, Google, Yahoo etc give such convoluted garbage about how to install.

    I followed these instructions easily and everything worked the first time it was enabled. Brilliant authorship.


  • Thank you for your walkthrough 😉

  • Hi, I followed all the steps here and I see that OpenDKIM (with sendmail) is running, ’cause I verified the message in maillog, but when I send email from the server using the mail command, for example to the Brandon check web, it tells me “does not contain a DKIM Signature”. I also verified /etc/opendkim.conf and I am using sv and refile: instead of file:, but I still don’t get any signature.

  • Lou


    thanks for this.

    Worked like charm.

  • soyguille

    Thanks a lot !!

    Working on a CentOS 6.4 cloud server hosted at OVH. Parallels Plesk Panel 11.5 doesn’t support it, nor does 12.x, and DKIM must be set up manually.

    I have been searching for a long time for a step by step guide for newbies like me and finally I got it working.

    It is an old guide, but it is useful now.

  • drkilra

    You’re awesome, man, thanks so much for a great tutorial.

    For me I found that using postconf -e to input the postfix lines worked vs editing the

  • Alan

    Any ETA for opendkim for Centos 7? There is no rpm in epel and the source will not compile.

    • Been working on it today, and having trouble due to the fact that there’s no libbsd available on CentOS 7 yet (I bet the packager is working on it… just like I’m scrambling to try and get OpenDKIM running on it).

      If you follow my Twitter feed, I announce when I put new builds in the repos. Working with the OpenDKIM dev team now to figure out a workaround for the strlcat issue.

  • ted

    Great help Steve – many thanks. Just one comment (applicable to many people, not targeted at you): PLEASE stop using mail lists and use a forum for support.

    I’m struggling a bit with the public key right now – the default.txt file has extra stuff in it I don’t think needs to go in the DNS TXT section:
    the brackets and “IN TXT” and a couple of extra quotes – once it propagates I can try again – I doubt I could have done this without your help though, so thanks again.


    • Hi, Ted. I’m not the developer of OpenDKIM. I’m merely the maintainer of the Fedora/RHEL/CentOS version of the package. I also prefer forums for support, because it allows for better archiving of topics that many will likely encounter. You can make your suggestion to the developer of OpenDKIM at

  • Ted

    Hi Steve –
    I will make the suggestion as you say to opendkim
    Just an FYI – my dkim worked fine after the propagation – what threw me was the phrase “paste the entire contents of the default.txt file”
    By the time I got that far I was following your instructions word for word with my brain in idle!

    All I have to do now is find out why my mail is still not being forwarded to Google’s customers… If you (or anyone) knows a Google list of requirements I’d love to get a link – my site/domain is perfectly clean and their relay accepts the mail then seems to just drop it.
    I’m running out of ideas and they refuse to respond to requests for info.

    Again – thanks.

  • Hi Steve, I just finished my Italian guide on OpenDKIM via EPEL on CentOS 7: . It’s based on my experience setting up DKIM for the same site. Credit to you and a linkback to this article is near the bottom of mine. Thanks again for your excellent work!

  • Hi Steve, I tried to install opendkim with yum on Centos 6.5 but get the error:
    --> Processing Dependency: for package:
    --> Finished Dependency Resolution
    Error: Package: unbound-libs-1.4.21-1.el6.x86_64 (epel)
    Available: libevent-1.4.13-4.el6.x86_64 (base)
    Installed: libevent-2.0.12-1.rhel6.x86_64 (installed)
    Not found
    Do you know a way to solve this?


  • AV

    If you see no logging from opendkim in the logfile other than starting and stopping, and you have set “LogWhy”, it could be due to amavisd-new. My amavisd install had $enable_dkim_verification and $enable_dkim_signing set to 1 by default.

    Setting these to 0 (disabled) made the logging work and the signing as well.

  • Charles Steiner

    Thanks for the post & package, Steve. It made DKIM a breeze.

    About ADSP, do you still recommend it?

    IETF has changed the status to historic:

    • Nope – I actually don’t recommend it anymore. Probably time for me to edit this post. 🙂 Thanks!

  • Pingback: How to install roundcube with nginx, postfix, and dovecot

  • I got to the point of

    cat /etc/opendkim/keys/
    default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIGfMA0GC…QAB" ); —-

    So I put

    v=DKIM1; k=rsa; p=MIGfMA0GC…QAB

    in as my TXT record. The Brandon Checketts site show that this is coming back exactly as I put it in.

    It is not working. I notice there is no ‘g=*;’ in the above. Is that needed? Did I miss a step?


    • Hi, John. The g=* actually isn’t needed any more, so that shouldn’t be causing the problem.
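Three questions in this thread (Oscar's and Linus's records containing `;=rsa;`, and John's question about which parts of default.txt go into the TXT record) come down to the same two steps: turning the BIND-format file that opendkim-genkey writes into a single record value, and checking that the value is syntactically valid before publishing it. The script below is an added example, not code from OpenDKIM or the post: the zone text is constructed in the layout shown above and the `p=` value is base64 of a placeholder label, not an RSA key. It joins the quoted strings (dropping the parentheses, `IN TXT` and the `;` comment, which are zone-file syntax), then splits the record into tags per RFC 6376 section 3.6.1, flagging an empty tag name (the dropped `k`, which verifiers report as a PermError), a missing or revoked `p=`, a misplaced `v=`, and accepting the obsolete `g=` tag as the reply above says.

```python
import base64
import binascii
import re

# Constructed default.txt in the layout opendkim-genkey uses: quoted strings
# inside parentheses, a zone-file comment after ';'. The p= value is base64 of
# a placeholder, NOT a real public key, and is split across two strings on
# purpose to show that the strings must be concatenated.
_FAKE_P = base64.b64encode(b"constructed placeholder, not a real RSA public key").decode()
DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={_FAKE_P[:20]}"\n'
    f'\t  "{_FAKE_P[20:]}" )  ; ----- DKIM key default for example.com\n'
)


def txt_value_from_zone(zone_text):
    """Join the quoted strings of a BIND TXT record into the single value to
    paste into a DNS control panel."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def parse_dkim_record(value):
    """Split a DKIM key record into tags (RFC 6376 section 3.6.1) and return
    (tags, problems). An empty problems list means a verifier can use it."""
    tags, problems, first = {}, [], None
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        name, val = name.strip(), val.strip()
        if not sep or not name:
            # ';=rsa;' with the 'k' dropped (the case in the comments above):
            # an empty tag name is a syntax error, hence PermError at the verifier.
            problems.append(f"malformed tag {item!r}: tag=value expected")
            continue
        if first is None:
            first = name
        if name in tags:
            problems.append(f"duplicate tag {name}=")
            continue
        tags[name] = val
    if "v" in tags and (first != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    # k= is optional and defaults to rsa; anything a verifier does not know is unusable.
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unrecognized key type k={tags['k']}")
    if "p" not in tags:
        problems.append("p= (public key) is required")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key is revoked")
    else:
        try:
            base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    # g= (granularity) was dropped in RFC 6376: it is parsed and ignored, not an error.
    return tags, problems


if __name__ == "__main__":
    value = txt_value_from_zone(DEFAULT_TXT)
    print("publish:", value)
    print("problems:", parse_dkim_record(value)[1])
    print("problems with the k dropped:", parse_dkim_record(value.replace("k=rsa", "=rsa"))[1])
```

The same `parse_dkim_record` can be run on what is actually published (`dig +short TXT default._domainkey.example.com`, joining the quoted strings the same way), which catches the copy/paste damage from control panels that several commenters mention.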

  • rishiv

    Hi Steve ,

    Please help me, I have configured OpenDKIM but faced a problem like:

    dkim=temperror (no key for signature) [email protected]

    So how can I resolve it?

    • Mr Jim

      Hi rishiv, I also ran into this error. See my comment above on how I solved it.

  • Can you please help with the following error –

    dkim=fail reason="signature verification failed" (1024-bit key) [email protected] header.b=KgH3gtpd;

    Thanks in advance, Kenneth

  • Pingback: Installing OpenDMARC RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora) - Steve Jenkins' Blog

  • Thank you for this. I run my own mail server on CentOS 7 and while I am not aware of anyone forging mails coming from my domain, my interest was piqued in this when I started reading about applications of DNSSEC, which is of huge interest to me.

    I was fairly quickly able to get it up and running and passing the various diagnostic resources, but I do have a question – what is considered best practice for key rollovers? I assume that just like most things where there are public / private key pairs, there should be a maintenance aspect where the keys are changed from time to time. Is there an established protocol for going about this?

    • Hi, Alice. There’s no established protocol for when to do it, so change them out as often as you like. Keep in mind, however, that DNS caching issues could cause failures if you change your public key and a remote mail server doesn’t have the current version. Because of this, I don’t recommend doing it often… if at all. Just use good security measures to protect your private key.

      If you want to get better insight as to whether someone is forging mail from your domain(s), set up DMARC for your domain (loosely, cuz it still breaks mailing lists if screwed down too tight). And if you want to add DMARC checking to your mail server, I recommend using OpenDMARC (from the same group that develops OpenDKIM):

      • Thanks! I definitely am going to look at OpenDKIM. I set my server up using what I think to be reasonable defaults – – I do use some mail lists, I prefer them to IRC or other support means many use. But it looks like OpenDKIM might help with the increasing amount of spam I am getting.

        Running e-mail servers is not my cup of tea. I only run my own because I really do not relish the thought of others scanning my e-mail; the potential for abuse is too great, but sometimes spam is so bad I pull my hair out. If OpenDKIM can help with that I’m definitely going to try it.

  • Hi Steve,
    found your blog, maybe you could help me out. As of version 2.10.0 Fix bug #183: Discontinue support for ADSP. This removes the SenderHeaders and others.

    I used to run my opendkim configuration with
    SenderHeaders Sender,From

    I rely on signing Sender header when I need to send ON BEHALF (via for some of my clients.

    Maybe you know how to achieve this in newest version? I tried a lot of options but yet didn’t find one which works.

    • Hi – I posted this question on the OpenDKIM developer’s email list and hopefully this reply will help:

      • Thanks Steve for your time and help!
        Maybe it’s a dumb question, but how do I reply to that email list and subject?

        Anyhow here goes my reply:

        That sounds promising, I could even work with passing a milter macro value
        submission_4_foo inet n - y - 5 smtpd
        -o milter_macro_v=sign_all_as_foo

        Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line X: unrecognized parameter

        Line in opendkim.conf
        SenderMacro v

        $ yum list installed | grep opendkim
        opendkim.x86_64 2.10.1-12.el6 @epel-testing

        $ yumdownloader --source opendkim
        $ rpm2cpio opendkim-2.10.1-2.el6.src.rpm | cpio -i opendkim.spec

        $ cat opendkim.spec
        %configure --with-db

        Oh no, I so don’t want to go into compile-it-yourself territory on prod machines…

        I guess SenderMacro is experimental and also could be removed whenever they want and break my configuration again in future releases ?


  • Hi!

    I can’t find anything useful on the internet, my question is:
    Does OpenDKIM cache SigningTable maps when configuration is stored in MySQL database?

    Then new entries in the database are seen after opendkim reload is started, or it is reloaded after some time, can this time be controlled in config file?

    I asked this because I have a setup like this and I see quite a lot of SELECTs being issued against the database.

    So if the MTA has to process thousands of emails, then the database will be saturated with quite a lot of SELECTs, and I am looking for whether these can be cached for some time in any way; my configuration (new entries or updates) does not change so often (I guess for most OpenDKIM users too).

    SigningTable dsn:mysql://user:[email protected]/database/table=domainkeys?keycol=domain?datacol=id

    SELECT id FROM domainkeys WHERE domain = ‘[email protected]

  • Steve thanks for your help once again! 🙂 Maybe I have too many questions or weird ones but you were a great help, because your blog was the easiest way for me to discuss and ask questions, and get some answers! 🙂 Hopefully other guys on the planet will have similar questions/use cases and will find some answers/directions here. More traffic for your blog! 🙂

    Making progress here 🙂 One of the opendkim developers, MSK, replied to me that there is already a caching mechanism for LDAP which could be ported/implemented for MySQL database-like queries too, so he urged me to make a feature request on the opendkim sourceforge to make it happen in a future release.

    So I posted my ideas here

    • Awesome. MSK = Murray, who is the MAIN developer behind OpenDKIM (and OpenDMARC). He’s a great guy (and also a friend of mine outside the geek world) and is great about implementing product ideas. He’s not the type of guy who would suggest such a request if he wasn’t serious about implementing it. Nice job. 🙂

  • Thanks big time for this post! In the middle of building our own email solution so we don’t have to pay mailchimp or others to send email for us. This tutorial was perfect.

  • votdfak

    Thanks Steve! Little bit of trouble with DKIM DNS record, because of cPanel and copy/paste, but all sorted.

  • Louis Delo

    I have a quick question. –

    I have SMTP servers which will be handling both mail that I will be signing, and for mail I will not be signing. If an smtp object goes to the openDKIM milter but there’s no associated key for signing, does this mail still successfully send?

  • Whitaker Brand

    +1000 for awesome, detailed post with great error and versioning checks.

  • Ben Parrish

    Hi, one question I have is how can I specify the key strength when generating the public and private keys?

  • Ben Parrish

    Scratch my last question about signing for 2048 bits. I actually have a different question.. How can I set different options like creation time (t flag I believe) in the opendkim.conf file?

  • HI, Felix. You can run yum right over the top no problem. 🙂

    • Felix

      Thanks Steve, went ahead and did this, and it worked. My maillog briefly went insane, like 450MB+ in 30 seconds insane right after, but `killall opendkim` and `service opendkim restart` fixed that. Cheers.

      • Awesome. Yes, running two versions will certainly fill up your maillog, especially with auto-restart enabled. 🙂 Glad to hear you’re up and running! I actually pushed an updated version of the package to the testing repos recently (with OpenLDAP support compiled in), so watch for an available update via yum or dnf coming soon.

  • Great to hear!

  • Glad it helped. 🙂

  • Home Cam

    Just wanted to thank you for writing this. Tried another tutorial for opendkim and sendmail but it was pretty bad.

  • Alexander Ryskin

    Hi Steve,

    as pretty much everybody on this list I am grateful for your excellent work. With your instructions, installation and initial setup were quite easy and painless but I do have a problem. I use Brandon Checkett’s Email Validator (which is now DKIMvalidator at, you should probably update your reference) and here is what I found:

    When I send a test message from a Centos 6 mail server that hosts a DKIM-signing sendmail process to the Validator using mailx, it fails with the “message modified” error message. When I send exactly the same test message using sendmail directly the result is “pass”. My understanding is that in the first case information flows like this:

    mailx —–> STDIN sendmail (MSP) ——– > SMTP sendmail (MTA) -> Validator

    and in the second case like this:

    STDIN sendmail (MSP) ——– > SMTP sendmail (MTA) -> Validator

    With signing taking place at the second sendmail invocation, how can mailx screw up the signature?
    Obviously I am missing something here.

    Thank you again,
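What the validator reports as "message modified" is a mismatch between the `bh=` body hash carried in the DKIM-Signature header and the hash of the body as received, so any change to the body between signing and verification breaks it, even when the signing happens at the second hop as described above. The example below is added here (it is not part of the post, of OpenDKIM, or of sendmail/mailx) and implements the two body canonicalization algorithms from RFC 6376, so you can see which changes a signature survives: under relaxed, trailing whitespace, tab-versus-space differences and extra trailing blank lines are all ignored; under simple only trailing blank lines are. Re-wrapped lines break both. The messages are constructed; which of these changes the MSP hop actually introduces is not established by this thread, so the practical check is to diff the body as submitted against the body as received, and, if the differences are whitespace only, to sign with `Canonicalization relaxed/relaxed` in opendkim.conf.

```python
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple': drop trailing empty lines and terminate with
    CRLF (an empty body canonicalizes to a single CRLF)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines) or b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed': strip trailing whitespace on each line, collapse
    runs of SP/TAB to one SP, drop trailing empty lines, CRLF line endings
    (an empty body stays empty)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode()


def signature_survives(original: bytes, as_delivered: bytes, canon: str) -> bool:
    """True if a signature computed over `original` still matches after the
    body became `as_delivered`. Only the body hash is modelled here; the
    signed headers are the other half of a real verification."""
    return body_hash(original, canon) == body_hash(as_delivered, canon)


# Constructed test bodies: the original, a whitespace-only mangling (trailing
# spaces, tab turned into spaces, extra blank lines) and a re-wrapped version.
ORIGINAL = b"Hello Steve,\r\n\r\nThis is\ta DKIM test.\r\n"
WHITESPACE_ONLY = b"Hello Steve,   \r\n\r\nThis is  a DKIM test.  \r\n\r\n\r\n"
REWRAPPED = b"Hello Steve,\r\n\r\nThis is\r\na DKIM test.\r\n"


if __name__ == "__main__":
    for label, changed in (("whitespace only", WHITESPACE_ONLY), ("re-wrapped", REWRAPPED)):
        for canon in ("simple", "relaxed"):
            print(f"{label:16} c=*/{canon:8} survives: {signature_survives(ORIGINAL, changed, canon)}")
```

Reading a received message's `DKIM-Signature:` header tells you which algorithm was in play: `c=relaxed/relaxed` (header/body) versus `c=simple/simple`. If the failing messages were signed `simple` and the diff shows only whitespace, switching the signer's canonicalization is the fix; if the diff shows real content changes (wrapping, charset re-encoding, a footer), the hop that makes them has to be moved in front of the signer.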