**What is DomainKeys (DKIM)?**


"DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam"[^1]

**How Does DKIM work?**

"When we configured DKIM on sending servers, first we generated a public/private key pair for signing outgoing messages. The public key is configured as a TXT record on the domain's name server, and the private key is configured in the outbound email server. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal"[^2]

I will be showing you how to integrate DKIM on Postfix.

**Setup:**

```language-bash
$ yum install opendkim -y
```

**Configure OpenDKIM:**

In your OpenDKIM configuration (/etc/opendkim.conf), verify that the following values are set:

```language-bash
# Mode sv: sign outgoing mail (s) and verify incoming mail (v)
Mode	sv
Syslog	yes
SyslogSuccess	yes
LogWhy	yes
UserID	opendkim:opendkim
Socket	inet:8891@localhost
Umask	002
SendReports	yes
SoftwareHeader	yes
Canonicalization	relaxed/relaxed
Selector	default
MinimumKeyBits	1024
KeyFile	/etc/opendkim/keys/default.private

KeyTable	/etc/opendkim/KeyTable
SigningTable	refile:/etc/opendkim/SigningTable
InternalHosts	refile:/etc/opendkim/TrustedHosts
```

**Configure Postfix:**

Edit your Postfix configuration (/etc/postfix/main.cf) and append the following values:

```language-bash
# DKIM
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
# accept: if the OpenDKIM milter is unreachable, mail is still delivered (unsigned)
milter_default_action = accept
```

**Setup and Prepare your First Domain:**

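```language-bash
$ opendkim-default-keygen
Generating default DKIM keys: 
Default DKIM keys for sysadmins.co.za created in /etc/opendkim/keys.

$ mkdir -p /etc/opendkim/keys/sysadmins.co.za
$ cd /etc/opendkim/keys/sysadmins.co.za

# Generate default.private and default.txt; -r restricts the key to email signing (s=email)
$ opendkim-genkey -r -d sysadmins.co.za -s default
# Change ownership after generating the key so the opendkim user can read default.private
$ chown -R opendkim:opendkim /etc/opendkim/keys/sysadmins.co.za

# Map the key name to domain:selector:private-key path
$ echo "default._domainkey.sysadmins.co.za sysadmins.co.za:default:/etc/opendkim/keys/sysadmins.co.za/default.private" >> /etc/opendkim/KeyTable
# Sign mail from any sender at sysadmins.co.za with that key
$ echo "*@sysadmins.co.za default._domainkey.sysadmins.co.za" >> /etc/opendkim/SigningTable
```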
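
The KeyTable and SigningTable entries appended above fail quietly when a key name is mistyped, a key file was never generated, or the private key is readable by other users. The script below is an added example, not part of the original post or of OpenDKIM; the function names `check_dkim_tables` and `make_sample_tables` are hypothetical, and the sample tables and the empty stand-in key file are constructed in a scratch directory.

```bash
#!/bin/sh
# check_dkim_tables KEYTABLE SIGNINGTABLE   (hypothetical helper, added example)
# Prints one line per problem found; returns 0 if none, 1 otherwise.
check_dkim_tables() {
    ct_keytable=$1; ct_signingtable=$2; ct_rc=0
    # KeyTable line: <key name> <domain>:<selector>:<private key path>
    while read -r ct_name ct_value; do
        case $ct_name in ''|'#'*) continue ;; esac
        ct_file=${ct_value#*:*:}          # strip "domain:selector:"
        if [ "$ct_file" = "$ct_value" ]; then
            echo "KeyTable: $ct_name: value is not domain:selector:path"; ct_rc=1
        elif [ ! -f "$ct_file" ]; then
            echo "KeyTable: $ct_name: key file $ct_file does not exist"; ct_rc=1
        elif [ -n "$(find "$ct_file" \( -perm -040 -o -perm -004 \))" ]; then
            echo "KeyTable: $ct_name: $ct_file is readable by group or others"; ct_rc=1
        fi
    done < "$ct_keytable"
    # SigningTable line: <sender pattern> <key name that must exist in KeyTable>
    while read -r ct_pattern ct_name; do
        case $ct_pattern in ''|'#'*) continue ;; esac
        if ! awk -v k="$ct_name" '$1 == k { found = 1 } END { exit !found }' "$ct_keytable"; then
            echo "SigningTable: $ct_pattern: key name $ct_name is not in KeyTable"; ct_rc=1
        fi
    done < "$ct_signingtable"
    return $ct_rc
}

# Constructed sample: the two table lines from this post, with the key path
# moved under a scratch directory and an empty file standing in for the key.
make_sample_tables() {
    ms_dir=$1
    mkdir -p "$ms_dir/keys/sysadmins.co.za"
    : > "$ms_dir/keys/sysadmins.co.za/default.private"
    chmod 600 "$ms_dir/keys/sysadmins.co.za/default.private"
    echo "default._domainkey.sysadmins.co.za sysadmins.co.za:default:$ms_dir/keys/sysadmins.co.za/default.private" > "$ms_dir/KeyTable"
    echo "*@sysadmins.co.za default._domainkey.sysadmins.co.za" > "$ms_dir/SigningTable"
}

# Demo on the constructed sample. On the mail server, call instead:
#   check_dkim_tables /etc/opendkim/KeyTable /etc/opendkim/SigningTable
demo_dir=$(mktemp -d)
make_sample_tables "$demo_dir"
check_dkim_tables "$demo_dir/KeyTable" "$demo_dir/SigningTable" && echo "tables are consistent"
rm -rf "$demo_dir"
```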

**Update your DNS:**

Add a TXT record to your domain's DNS zone. The record content is in the default.txt file generated alongside the private key:

```language-bash
$ cat default.txt 
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; s=email; " "p=MIGfMA0GCSqGS..." )  ; ----- DKIM key default for sysadmins.co.za
```

**Restart OpenDKIM and Postfix:**

```language-bash
$ service opendkim restart
$ service postfix restart
```

**Verify that your setup is working:**

```language-bash
$ echo "DKIM Test" | mail -r [email protected] -s "DKIM Testing" [email protected] && tail -f /var/log/maillog
```

You should see something more or less like:

`DKIM-Signature field added (s=default, d=sysadmins.co.za)`

Now everything should be up and running.

###### Coming Soon:

* Implementation of SPF
* PolicyD
* Greylisting
* TLS

References:

[^1]: wikipedia.org
[^2]: tecadmin.net