Domainkeys/Dkim with Postfix


If you want to use postfix to use domainkeys or dkim you can do it using dkimproxy

In this setup, we only want that outgoing mail are signed. As we known, yahoo and gmail uses it with spam checks.

First, change your from postfix file
submission inet n – y – – smtpd
-o smtpd_etrn_restrictions=reject
-o content_filter=dksign:[]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,reject

// put this in the same file, for example, at bottom is a good place
dksign unix – – n – 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime,starttls inet n – n – 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject

Now, is time to setup dkimproxy, since we are only interested in outgoin mail, we use dkimproxy.out instead, please, use devel version, at moment, stable version can’t sign both signatures at the same time. Tested using dkimproxy-1.0beta1.tar.gz
This example show how to sing more than one domain.

Create a new file.
# sign both and mail with both a domainkeys and dkim signature (put a new domain for each line) domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed) domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha1,c=relaxed)

As user root, is time to launch dkimproxy (change your values if necessary), in this case we run dkimproxy with user/group dkim
# groupadd -g 4321 dkim
# useradd -u 4321 -s /bin/false -d /dev/null -g dkim dkim

// launch it as a daemon
# dkimproxy.out –user=dkim –group=dkim –keyfile=/etc/postfix/etc/ssl/domainkeys/private.key –selector=yourselector –sender_map=/etc/postfix/ssl/domainkeys/domainkeyfile –daemonize –pidfile=/var/run/

Of course, it’s very important that you keep you port 25 for ‘normal’ mail and change it to port 587 if you want to use dkimproxy, check your mail client how to do that.

Now, your mail uses domainkeys/dkim headers :)

this is a mail headers example:

DomainKey-Signature: a=rsa-sha1; c=nofws;; h=date:subject:from:to:mime-version:content-type:message-id:content-transfer-encoding; q=dns; s=ireth; b=




DKIM-Signature: v=1; a=rsa-sha256; c=relaxed;; h=


content-transfer-encoding; q=dns/txt; s=myhost1; bh=gbf05R7SXafOIY

pmOvZ6JHiCsUiIu94mbMnHdz31av0=; b=jh8AB9KJUF2yarL9etKNcdCsICPssS





This setup assumes that you have created you private/public cryptographic keys, also you have configured your dns, if not, then check main site for how to do it. (read about openssl)

See you!


7 thoughts on “Domainkeys/Dkim with Postfix

  1. I installed dk-filter but in the header I see something like
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; ……
    instead of DomainKey-Signature how can I change it?

  2. dk-filter is not the same program as dkimproxy. The newest versions of dkimproxy can sign email headers using both the newer DKIM and the older DomainKeys signatures (if you want – the DomainKeys signature is optional).

  3. “This setup assumes that you have created you private/public cryptographic keys, also you have configured your dns, if not, then check main site for how to do it.”

    Wonderful howto but please, I do need to find out how to create the cryptographic keys and configure the dns. Where is the “main site” you refer to and any link in that direction would help.

  4. Hello,

    Check dkimproxy site when talking about howto using DKIMproxy to sign outbound messages:

    1. Generate a private/public key pair using OpenSSL:

    openssl genrsa -out private.key 1024
    openssl rsa -in private.key -pubout -out public.key

    This creates the files private.key and public.key in the current directory, containing the private key and public key. Make sure private.key is not world-readable, but still readable by the dkim user.
    2. Pick a selector name… e.g. selector1
    3. Put the public-key data in DNS, in your domain, using the selector name you picked. Take the contents of the public.key file and remove the PEM header and footer, and concatenate the lines of the file into one big line. Then create a TXT entry, like this:

    selector1._domainkey IN TXT “k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB”

    where selector1 is the name of the selector chosen in the last step and the p= parameter contains the public-key as one long string of characters.


  5. I can successfully sign outgoing mail when using one domian using the –conf_file option but when i add the domains into –sender_map it will not work no matter what configuration i try i keep getting “DKIM signing – skipped” in the logs. this is using Version: 1.0.1-8.1 from debian lenny. Its not giving any errors, do you know if this version should be able to sign two different domains properly?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s