In this article we will walk you through the steps of installing and configuring DKIM with OpenDKIM and Exim on a CentOS 7 SSD VPS.
You should have a working mail server set up with Exim before proceeding with this tutorial. Check our guide on how to set up a mail server with Exim and Dovecot on a CentOS 7 VPS if you haven’t set up a mail server yet.
What is OpenDKIM?
OpenDKIM is an open source implementation of the DKIM (DomainKeys Identified Mail) sender authentication system. DKIM is an email validation system designed to detect email spoofing: it gives receiving mail exchangers a way to check that incoming mail from a domain is authorized by that domain’s administrators. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS.
UPDATE THE SYSTEM
Before you start with the installation of OpenDKIM, ssh to your server and initiate a screen session using the command below:
## screen -U -S exim-opendkim
Once you’re in a screen session, update your CentOS 7 VPS using yum:
## yum update
INSTALL SOME PACKAGES
## yum install curl wget vim openssl man
ENABLE EPEL REPOSITORY
OpenDKIM is available in the EPEL (Extra Packages for Enterprise Linux) repository, so let’s enable the EPEL repository on the CentOS VPS using:
## yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
If you get a 404 Not Found, go to https://dl.fedoraproject.org/pub/epel/ and install the latest epel-release rpm package available.
Next, check if EPEL has been enabled on your system using:
## yum repolist
INSTALL OPENDKIM
Once EPEL has been enabled on your Linux server, install OpenDKIM using the command below:
## yum install opendkim
Proceed with configuring it by renaming its default configuration to something like /etc/opendkim.conf.orig and adding the following to /etc/opendkim.conf:
## mv /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
To learn more about opendkim.conf you can check man opendkim.conf.
SET-UP DKIM PUBLIC/PRIVATE KEYS
Now generate a set of keys for your mydomain.com domain name using the commands below:
## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default
Once the keys are generated, add mydomain.com to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable:
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
Next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:
*@mydomain.com default._domainkey.mydomain.com
Then add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts (assuming the domain in question is ‘mydomain.com’ and the server’s hostname is set to ‘host.mydomain.com’):
127.0.0.1
mydomain.com
host.mydomain.com
Finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for mydomain.com
You can verify that your DKIM TXT record is valid using dig, for example:
## dig +short default._domainkey.mydomain.com TXT
"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"
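To go one step past eyeballing the dig output, the following added example (not part of the original tutorial) parses a DKIM key record in the form dig or the zone file shows it and lists problems, including the RSA modulus size read from the p= value. The function names and the 2048-bit threshold are choices made for this example; the threshold follows the RFC 8301 recommendation for signing keys.

```python
import base64
import re

# The record from this tutorial, as dig prints it (split strings, escaped ';').
SAMPLE = (r'"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4V'
          r'dMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH'
          r'5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQv'
          r'dupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"')

def join_txt(rdata):
    """Join the quoted chunks of a TXT answer and undo backslash escaping."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return re.sub(r"\\(.)", r"\1", "".join(chunks) if chunks else rdata)

def parse_tags(value):
    """Split an RFC 6376 tag=value list; whitespace inside values is dropped."""
    pairs = (part.partition("=") for part in value.split(";"))
    return {n.strip(): "".join(v.split()) for n, sep, v in pairs if sep}

def _tlv(buf, i, tag):
    """Check the DER tag at buf[i]; return (content start, content length)."""
    if buf[i] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[i])
    n = buf[i + 1]
    k = n & 0x7F if n & 0x80 else 0   # long form: k length bytes follow
    return i + 2 + k, int.from_bytes(buf[i + 2:i + 2 + k], "big") if k else n

def rsa_bits(p_b64):
    """Modulus size of the SubjectPublicKeyInfo RSA key stored in p=."""
    der = base64.b64decode(p_b64, validate=True)
    i, _ = _tlv(der, 0, 0x30)        # SubjectPublicKeyInfo SEQUENCE
    i, n = _tlv(der, i, 0x30)        # AlgorithmIdentifier, skipped
    i, _ = _tlv(der, i + n, 0x03)    # BIT STRING
    i, _ = _tlv(der, i + 1, 0x30)    # RSAPublicKey (after unused-bits byte)
    i, n = _tlv(der, i, 0x02)        # INTEGER modulus
    return int.from_bytes(der[i:i + n], "big").bit_length()

def check_record(rdata, min_bits=2048):
    """Return a list of problems found in a DKIM key record."""
    tags, problems = parse_tags(join_txt(rdata)), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        return problems + ["k=%s is not RSA, size not checked" % tags["k"]]
    if not tags.get("p"):
        return problems + ["p= is empty: key revoked or record truncated"]
    if rsa_bits(tags["p"]) < min_bits:
        problems.append("%d-bit RSA key, below %d" % (rsa_bits(tags["p"]), min_bits))
    return problems
```

Calling check_record(SAMPLE) on the tutorial's record reports a 1024-bit key; opendkim-genkey accepts -b 2048 to generate a larger one.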
CONFIGURE EXIM
Now set up Exim to use OpenDKIM for signing the emails by editing /etc/exim/exim.conf and adding the following to the remote_smtp transport:
remote_smtp:
  driver = smtp
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = ${if exists{/etc/opendkim/keys/$sender_address_domain/default}{/etc/opendkim/keys/$sender_address_domain/default}{0}}
  dkim_canon = relaxed
  dkim_strict = 0
Restart Exim and OpenDKIM for the changes to take effect using:
## systemctl restart exim
## systemctl status exim
## systemctl restart opendkim
## systemctl status opendkim
## systemctl enable opendkim
LET US DO THIS FOR YOU?
Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to install and configure OpenDKIM with Exim. They are available 24×7 and will take care of your request immediately.
I have done the above but Exim says it cannot read the private key file from /etc/opendkim/keys/domainname/default.
Could it be that the permissions are wrong?
Please post the output from: `ls -l /etc/opendkim/keys/domainname`
The key files are by default owned by root without reading privileges for other users (chmod 600).
If exim is not running as root, it cannot read those files, so you might need to adjust the files’ permissions,
e.g. by doing:
chmod g+r /etc/opendkim/keys/domainname/*
chgrp Debian-exim /etc/opendkim/keys/domainname/*
I am using Mailgun and I am not able to verify the DKIM as they are providing a different DKIM hostname:
mailo._domainkey.msg.domain.com
We are not able to verify this. I have verified the SPF but DKIM is creating a problem.
Can you tell me why I am having this problem?
Please refer to their documentation at http://mailgun-documentation.readthedocs.io/en/latest/quickstart-sending.html#send-via-smtp about this.
Thanks.
I have done all the steps properly on CentOS 7 but still the DKIM signature is not added in the mail header.
Please check your mail server logs for errors.
I am not getting any errors.