SPF is quite good – DKIM is better, use both to become best and then, enable DMARC ;)

Please read our article regarding SPF enabling, since we require this to be enabled to follow those steps.

This guide is meant for Debian stretch:)


Here we go:

Install the tools

apt-get install opendkim opendkim-tools

Set hings up

The  Main magic happens within the config file:


where we added the following lines ( to the bottom )

Socket inet:8892@localhost
KeyTable /etc/opendkim/key.table
SigningTable /etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted_hosts.table
InternalHosts /etc/opendkim/trusted_hosts.table
AutoRestart Yes
AutoRestartRate 10/1h
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
Canonicalization relaxed/simple
UserID opendkim:opendkim


Ok, before we start through, we need to define some trusted hosts.

Edit the file:  /etc/opendkim/trusted_hosts.table and add the following lines (or more, try to match mynetworks from postfix):



Afterwards we create a dir structure to represent our needs:

mkdir /etc/opendkim/

mkdir /etc/opendkim/domains/

mkdir /etc/opendkim/domains/domain1.de/

mkdir /etc/opendkim/domains/domain2.info/


Now, let’s create a key for our first domain and transfer ownership to  user & group opendkim ;)

opendkim-genkey --directory=/etc/opendkim/domains/domain1.de/ --bits=2048 --restrict --selector=20180712 --domain=domain1.de
chown opendkim:opendkim /etc/opendkim/domains/domain1.de/20180712.private


Ok – Short overview for people that are too lazy to type opendkim-genkey –help

–directory= place to store the generated key

–bits= key strength (length)

restrict restrict that key only to mailing

–selector= identifier for the key – using an timestamp is recommended

–domain= guess what !


Ok, once we’re done we need to tell the daemon to which key is for which domain …

Therefore we need two files defined in our config:


Edit /etc/opendkim/key.table, add the following line:

domain1.de-20180712     domain1.de:20180712:/etc/opendkim/domains/domain1.de/20180712.private

column1:  give your key a name

column2:  match the domain, the identifier and the actual key file


Edit /etc/opendkim/signing.table, add  the following line:

domain1.de     domain1.de-20180712

you could also do:

*@domain1.de     domain1.de-20180712

this gives you several matching possibilities ever needed :)


Ok, we’re quite close now ;)

Enter the following line from the file /etc/opendkim/domains/domain1.de/20180712.txt to your DNS Server

20180712._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
"8HsauSOXwoAGEOf765HMif+DL7TKAEJHJpdxmo5+B3NslJBMpS61hWACEmz3db7IUtfAl1uczNrX4sRNGU4sRRBNoM1bxwTNA6aonjxTIMGoHFf1YFneoXte1PPxRDEKv0tyVxJegjKuSQ46ZTjSqpzFt16P79WvhA/0ZsrGR8b7wNV5UuH1k0u/S7KTZvFerNXCD6YJghH7MR0pH7I/xFTcof/JPDRPHzcCAwEAAQ==" ) ; ----- DKIM key 20180712 for domain1.de

and verify (after the dns refresh interval) via

dig TXT 20180712._domainkey.domain1.de

The result should be your entry ;)


ok – ready to go – GO:

start opendkim

/etc/init.d/opendkim start

and give it a test

opendkim-testkey -d domain1.de -s 20180712 -vvv

return should look like

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key ‚20180712._domainkey.domain1.de‘
opendkim-testkey: key not secure
opendkim-testkey: key OK

Do not worry about the „KEY NOT SECURE“ message, this is related to DNSSEC (which is a whole other  topic).


Connecting the dots

Assuming, everything is up & running, we still need to embed everything into our postfix world.

If you do not have any milters running, just add the following to your /etc/postfix/main.cf.

###  - DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

If  there are already milters, just add the dkim as additional one ;)

For testing reasons, you also might want to add “ soft_bounce=yes“ to your main.cf



ok – now that we’re done with the setup, its time for testing ;)

Go to https://mxtoolbox.com/ and enter your domain – it will check most of the settings for you

Write an email from your email@domain1.de address to you@gmail.com and see if the mail will arrive there without problems.

Watch your logs !


Wait we’re still not done ?

Nope, there’s still one step needed for enabling DMARC.

As mentioned above, SPF is required for setting up functional DMARC.

Good news: DMARD is just one step (DNS TXT record to do) ;)

My recommendation:

Go here: https://mxtoolbox.com/DMARCRecordGenerator.aspx?domain=domain1.de and customize the DMARD record to your needs.

So we would now set a TXT record for domain1.de like this:

_DMARK.domain1.de     IN     TXT     v=DMARC1; p=none; rua=mailto:862a4bf2@mxtoolbox.dmarc-report.com; ruf=mailto:862a4bf2@forensics.dmarc-report.com

of course you can set your own notification addresses ;) (we recommend that)