Document toolboxDocument toolbox

(2022.1) Configuring Sendmail with DKIM

Owned by Marty Goodrich
Sept 27, 2022
1 min read

Ubuntu 20.04

sudo apt-get install opendkim opendkim-tools

# must enter the customer's host name
opendkim-genkey -t -s default -d customer.domain.edu

# add pcr360 as a subdomain
vi default.txt
# edit this line to, then save and close
default._domainkey.pcr360

#copy the private key
sudo mkdir /etc/opendkim
sudo cp default.private /etc/opendkim

#edit the DKIM configs
vi /etc/opendkim.conf
# uncomment and edit the following lines
# must enter the customer's host name
Domain                  customer.domain.edu
KeyFile                 /etc/opendkim/default.private
Selector                default

vi /etc/default/opendkim
# comment out the current socket line and add this
SOCKET=inet:8891@127.0.0.1

# start the dkim service
sudo service opendkim start

# edit the sendmail config
vi /etc/mail/sendmail.mc
# add the end of the file
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl

# become root
sudo su
#  rebuild the sendmail config
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

sudo service sendmail restart


Checking everything works

From server logs

By default OpenDKIM logs to the syslog, so you can tail the log to see if signing is successful using:

sudo tail -f /var/log/syslog | grep -i dkim

You should see something like this example taken from one of the web servers that host this blog:

Mar 16 09:25:02 web2 sm-mta[7705]: u2G9P2Dp007705: Milter insert (1): header: DKIM-Signature:  v=1; a=rsa-sha256; c=simple/simple; d=web2.lon.codacity.net;\n\ts=linode; t=1458120302;\n\tbh=C8sxHQz0QeFsCiNzhPYF8u2GVHRax8cSsYISckkpuEk=;\n\th=Date:From:Subject:To:From;\n\tb=ymr4SQ67DqXBMkVPPfjTJUEWBPFpO4jix7oZXsranp6MQrzcXg8ysbwkL0+6VdcqA\n\t DrzTrz3O6SfVh9Aok6H+tGcPIb9jMGTn1ceLlAZhy18O5qmjkZOTHr2MWtKeaf1u2M\n\t FfBBOID4M9vef7FZBJaUa0j+Zg9LarLaYW518TEo=

From your mail client

View the source of an email sent from your server and look for the Authentication-Results header. It should contain dkim=pass if everything is working. There is also a DKIM-Signature header which contains the signing data.