1.7 KB


Generate and maintain DKIM-keys for domains on your setup. This setup relies on the same structure as for dnssec-signer

Configuration and installation

Please see the dnssec-signer-tool, as this is very similar.

This is a basic configuration that can easily be adapted to suit a standard setup

Configuration files

Please read them carefully, and read up on OpenDKIM before you continue, so you understand whats going on. This isn't a tutorial.

FILE: /etc/opendkim.conf

# Comments remove, read file you got when installing opendkim

# Log to syslog
Syslog			yes
# For debugging purpose
# LogWhy			true

UMask			002
UserID			opendkim

# Map domains in From addresses to keys used to sign messages
SigningTable		refile:/etc/opendkim/signing.table
KeyTable 		/etc/opendkim/key.table

# Host to ignore when verifying signatures
ExternalIgnoreList	/etc/opendkim/trusted.hosts
InternalHosts		/etc/opendkim/trusted.hosts

# Commonly-used options;
Canonicalization	relaxed/simple
Mode			sv
SubDomains		yes

AutoRestart		yes
AutoRestartRate		10/1M
Background		yes

DNSTimeout		5
SignatureAlgorithm	rsa-sha256

OversignHeaders		From

FILE: /etc/opendkim/signing.table

*@domain.tld		domain.tld
*@domain2.tld		domain2.tld

FILE: /etc/opendkim/key.table

domain.tld 		domain.tld:DDMMYY:/etc/opendkim/keys/domain.tld/DDMMYY.private
domain2.tld		domain2.tld:DDMMYY:/etc/opendkim/keys/domain2.tld/DDMMYY.private

FILE: /etc/opendkim/trusted.hosts

Possibly add more domains here, if you are sending through multiple hosts. For my case, every domain sends through mail.domain.tld.