Setting up an outbound DKIM provider

tested on NetBSD and Slackware

this one pissed me off because of unix permissions on the unix socket — one could also discard DKIM and only rely on SPF — it was finally solved using umask 0007 and adding postfix to the opendkim group — oops it should be the inverse, adding opendkim to the postfix group


See dkim-install.

Da key pair

the selector can be anything, it is just a label, e.g. use month/year so the selector itself reminds you how old the key pair is (and renew it once a year or so)

MONTHYEAR=`date +%b%Y | tr A-Z a-z`
mkdir -p ~/certs/dkim/
cd ~/certs/dkim/
opendkim-genkey --help
opendkim-genkey --selector=$MONTHYEAR
ls -lF $MONTHYEAR.private $MONTHYEAR.txt
cat $MONTHYEAR.txt

Da DNS record

add this record (the content of $MONTHYEAR.txt) to your zone and check that it resolves

host -t txt $


note the UID vs GID difference here: UserID makes the daemon run as user opendkim but with group postfix

#vi /usr/pkg/etc/opendkim.conf
vi /etc/opendkim.conf

KeyFile                 /root/certs/dkim/MONTHYEAR.private
Selector                MONTHYEAR
Socket                  local:/var/opendkim/dkim-socket
Syslog                  Yes
UMask                   0007
UserID                  opendkim:postfix
PidFile                 /var/opendkim/
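Mode                    sv
# sign with rsa-sha256: RFC 8301 says rsa-sha1 must not be used for signing or verifying
SignatureAlgorithm      rsa-sha256
# only for builds without SHA256 support:
#SignatureAlgorithm     rsa-sha1
#AllowSHA1Only          Yes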

fix the folder permissions so the socket is shared AND BECOMES WRITABLE BY POSTFIX

usermod -aG postfix opendkim

#exists on Slackware after install from source
#mkdir /var/opendkim/


chmod 770 /var/opendkim/
chown -R opendkim:postfix /var/opendkim/

Ready to go

make sure the user and group exist

ls -lhF /usr/local/sbin/opendkim
opendkim -V
ls -alF /var/opendkim/
grep postfix /etc/group
grep dkim /etc/group
grep dkim /etc/passwd

start & enable

vi /etc/rc.local

echo -n opendkim...
/usr/local/sbin/opendkim -x /etc/opendkim.conf && echo done || echo FAIL
#-P -l -u


ps auxww | grep dkim
cat /var/opendkim/
#ls -alF /var/db/opendkim/
ls -alF /var/opendkim/


pkill opendkim


See the DKIM section from the Postfix guide.



Now send a mail from an MUA. For some reason, it does not even try to DKIM here when trying to send it locally.

#date | mail -s `uname -n` root

then watch the logs and look for the DKIM-Signature header in the resulting message’s source.


TODO - try to check if wrongly signed incoming messages are refused


compilation time issues

#39 Impossible to install OpenDkim : milter not found

#9 ./configure --without-milter --disable-filter doesn’t work

OpenSSL missing during ./configure. How to fix?

shared object

ld: /usr/local/ssl/lib/libcrypto.a(ecp_mont.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC

==> --disable-shared

unix socket perms

postfix/cleanup[15894]: warning: connect to Milter service unix:/var/opendkim/dkim-socket: Permission denied

==> several issues need to be considered but in short, postfix needs write access to the socket

Postfix - Opendkim - Unable to connect to local socket

postfix/smtpd: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

oh and the other way around, when opendkim got added to postfix group

postfix/sasl/smtpd[1809]: warning: connect to Milter service unix:/var/opendkim/dkim-socket: Permission denied

==> 770 / 660
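
A preflight check for the 770 / 660 scheme above, as an added example that is not part of the original notes: it reads the group and mode bits from ls -ld and prints one line per problem Postfix would trip over. The function names (perm_group, check_perms, check_milter_socket) are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.
# Usage: check_milter_socket /var/opendkim/dkim-socket postfix

# Print "<perms> <group>" for a path, e.g. "rwxrwx--- postfix".
# Parses ls -ld instead of stat(1), whose flags differ between NetBSD and Linux.
perm_group() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 2, 9), $4 }'
}

# check_perms PATH GROUP GROUPBITS
# OK only if PATH's group is GROUP, its group bits equal GROUPBITS
# ("rwx" for the directory, "rw-" for the socket) and "other" has no access.
check_perms() {
    cp_info=$(perm_group "$1")
    [ -n "$cp_info" ] || { echo "MISSING $1"; return 1; }
    cp_perms=${cp_info% *}
    cp_group=${cp_info#* }
    cp_rc=0
    if [ "$cp_group" != "$2" ]; then
        echo "GROUP $1: group is $cp_group, want $2"
        cp_rc=1
    fi
    case $cp_perms in
        ???"$3"---) ;;
        *) echo "MODE $1: $cp_perms, want group=$3 other=---"
           cp_rc=1 ;;
    esac
    return $cp_rc
}

# check_milter_socket SOCKET GROUP
# Directory 770 and socket 660, both in GROUP, so the Postfix daemons
# running with GROUP can reach the socket and connect to it.
check_milter_socket() {
    ms_rc=0
    check_perms "$(dirname "$1")" "$2" rwx || ms_rc=1
    if [ -S "$1" ]; then
        check_perms "$1" "$2" rw- || ms_rc=1
    else
        echo "NOSOCKET $1 is not a unix socket (is opendkim running?)"
        ms_rc=1
    fi
    return $ms_rc
}
```

Run it as root once opendkim is started; no output and exit status 0 mean the directory and socket match the scheme.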


