Linux Postfix-How to Add OpenDKIM to DNS

In order to successfully add OpenDKIM to DNS on Linux, you need to understand some basic terms and tips.

3 Must-Know-Terms To Add DKIM to DNS

• The Basic terms in Email authentication, DNS records, and other related concepts.
• DMARC and the Email authentication process.
• Anatomy of a DMARC Resource record in the DNS.

After building a magic setup script coupled with an open-source software bundle that enables a smooth encounter at transforming a server into a problem solver for emails with multiple domains, the following steps when strictly adhered aid in achieving the intended outcome we crave for.

You can download our magic script from here.

Setup and configure OpenDKIM for multiple domains with Postfix on Linux with the script

#!/bin/bash


if [[ "$1" != "INSTALL" ]]
then
echo "Note: please run from root user"
echo "This script will generate keys for domain and install openDkim postfix on this host"
echo "to process please use $0 INSTALL"
exit
fi

echo -n 'Enter Domain name : '
read domain_global

echo 'Specifies the selector, or name, of the key pair generated'
echo -n 'Enter group name/DNS (node|mail) : '
read group_name

echo Install opendkim and posfix

apt-get install -y opendkim opendkim-tools postfix mailutils
mkdir -p /etc/opendkim/${domain_global} &>/dev/null

echo ______________________________________________________________________________________

echo "Generate key for ${domain_global}:${group_name}"
opendkim-genkey -D /etc/opendkim/${domain_global} -d $domain_global -s $group_name

echo ______________________________________________________________________________________

echo 'Update keytable file'
echo "${group_name}._domainkey.${domain_global} ${domain_global}:${group_name}:/etc/opendkim/${domain_global}/${group_name}.private" >> /etc/opendkim/keytable

echo ______________________________________________________________________________________

echo 'Update signingtable file' 
echo ${domain_global} ${group_name}._domainkey.${domain_global} >> /etc/opendkim/signingtable

echo ______________________________________________________________________________________

echo Configure OpenDKIM
echo 'SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"' > /etc/default/opendkim
mkdir -p /var/spool/postfix/var/run/opendkim &>/dev/null

cat > /etc/opendkim.conf  <<EOF
Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
UMask                   002
SoftwareHeader          yes
OversignHeaders         From
Canonicalization        relaxed/relaxed
KeyTable                file:/etc/opendkim/keytable
SigningTable            file:/etc/opendkim/signingtable
EOF

echo ______________________________________________________________________________________

echo 'Configure postfix '
postconf -e milter_default_action=accept
postconf -e milter_protocol=2
postconf -e smtpd_milters=unix:/var/run/opendkim/opendkim.sock
postconf -e non_smtpd_milters=unix:/var/run/opendkim/opendkim.sock

Download and rename the TXT file to an executable bash script.

Let’s go step by step with our installation script lines

You will need to run the script from the root user, the script will generate keys for a domain and install OpenDkim, Postfix on the host.
Enter a domain name, specify the selector after the script will generate appropriate configurations.
After the successful installation, you will need to add very important DNS records for your domain.

We shall now examine each of the email authentication concepts one after the other.

Sender Policy Framework (SPF)

This is a simple email-validation system that detects email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators.
This can be achieved via configuring your SPF record with our**SPF wizard.**

Under the SPF, messages that do not come directly from the return-paths designated outbound servers we consider as forged. This semantic is compatible with existing practices, with two exceptions; web-generated email and verbatim forwarding. Those two cases should implement SRS for best results.

DomainKeys Identified Mail (DKIM)

DKIM – DomainKeys Identified Mail (DKIM) is a protocol that permits a person, role, or organization that possesses ownership of signing domain to claim some responsibility for a message via associating the domain with the message. This is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing emails. Forged email is a serious threat to all parties in an email exchange. Our wizard for DKIM configuration and checks is here.

Anatomy of a DMARC Resource Record in the DNS

DMARC policiesare published in the DNS as text (TXT) resource records (RR). They announce what an email receiver should do with non-aligned mail it receives.
Consider an example DMARC TXT RR for the domain “sender.easydmarc.com” that reads:

“v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]”

How Senders Deploy DMARC in 5-Easy Steps

DMARC is based on real-world experience by some of the world’s largest email senders and receivers deploying SPF and DKIM.

The specification takes into account the fact that it is nearly impossible for an organization to flip a switch to production. There are a number of built-in methods for “throttling” the DMARC processing so that all parties can ease into full deployment over time.

• Deploy DKIM & SPF. You have to cover the basics, first.
• Ensure that your mailers are correctly aligning the appropriate identifiers.
• Publish a DMARC record with the “none” flag set for the policies, which requests data reports.
• Analyze the data and modify your mail streams as appropriate.
• Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience.