What is DomainKeys (DKIM)?
"DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam"[^1]
How Does DKIM work?
"When we configured DKIM on sending servers. First we generated a public/private key pair for signing outgoing messages. Public key is configured as TXT record on domains name server, and the private key is configured in outbound email server. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal" [^2]
I will be showing you how to integrate DKIM on Postfix.

```language-bash
$ yum install opendkim -y
```

In your configuration file `/etc/opendkim.conf`, verify that the following values are enabled:

```language-bash
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            default
MinimumKeyBits      1024
KeyFile             /etc/opendkim/keys/default.private
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
InternalHosts       refile:/etc/opendkim/TrustedHosts
```

Edit your Postfix configuration (`/etc/postfix/main.cf`) and append the following values:

```language-bash
# DKIM
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept
```

**Setup and Prepare your First Domain:**

```language-bash
$ opendkim-default-keygen
Generating default DKIM keys:
Default DKIM keys for sysadmins.co.za created in /etc/opendkim/keys.
$ mkdir -p /etc/opendkim/keys/sysadmins.co.za
$ cd /etc/opendkim/keys/sysadmins.co.za
$ opendkim-genkey -r -d sysadmins.co.za -s default
# Change ownership after generating the key so that default.private is readable by the opendkim user
$ chown -R opendkim:opendkim /etc/opendkim/keys/sysadmins.co.za
# Map the selector to its private key, then map sender addresses to that selector
$ echo "default._domainkey.sysadmins.co.za sysadmins.co.za:default:/etc/opendkim/keys/sysadmins.co.za/default.private" >> /etc/opendkim/KeyTable
$ echo "*@sysadmins.co.za default._domainkey.sysadmins.co.za" >> /etc/opendkim/SigningTable
```

**Update your DNS:**

Add a TXT record to your domain's DNS zone. The content can be retrieved from `default.txt`:

```language-bash
$ cat default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
  "p=MIGfMA0GCSqGS..." ) ; ----- DKIM key default for sysadmins.co.za
```

**Restart OpenDKIM and Postfix:**

```language-bash
$ service opendkim restart
$ service postfix restart
```

**Verify that your setup is working:**

```language-bash
$ echo "DKIM Test" | mail -r [email protected] -s "DKIM Testing" [email protected] && tail -f /var/log/maillog
```

You should see something more or less like:

`DKIM-Signature field added (s=default, d=sysadmins.co.za)`

Now everything should be up and running.

###### Coming Soon:

* Implementation of SPF
* PolicyD
* Greylisting
* TLS

References:

[^1]: wikipedia.org
[^2]: tecadmin.net