SPF is quite good – DKIM is better; use both to get the best result, and then enable DMARC 😉

Please read our article on enabling SPF first, since the steps below require SPF to be enabled.

This guide is meant for Debian stretch :)


Here we go:

Install the tools

apt-get install opendkim opendkim-tools

Set things up

The main magic happens within the config file:


where we added the following lines (at the bottom):

Socket inet:8892@localhost
KeyTable /etc/opendkim/key.table
SigningTable /etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted_hosts.table
InternalHosts /etc/opendkim/trusted_hosts.table
AutoRestart Yes
AutoRestartRate 10/1h
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
Canonicalization relaxed/simple
UserID opendkim:opendkim


Ok, before we get going, we need to define some trusted hosts.

Edit the file /etc/opendkim/trusted_hosts.table and add the following lines (or more; try to match mynetworks from postfix):



Afterwards we create a dir structure to represent our needs:

mkdir /etc/opendkim/

mkdir /etc/opendkim/domains/

mkdir /etc/opendkim/domains/domain1.de/

mkdir /etc/opendkim/domains/domain2.info/


Now, let's create a key for our first domain and transfer ownership to user & group opendkim 😉

opendkim-genkey --directory=/etc/opendkim/domains/domain1.de/ --bits=2048 --restrict --selector=20180712 --domain=domain1.de
chown opendkim:opendkim /etc/opendkim/domains/domain1.de/20180712.private


Ok – short overview for people who are too lazy to type opendkim-genkey --help

--directory= place to store the generated key

--bits= key strength (length)

--restrict restrict the key to email use only

--selector= identifier for the key – using a timestamp is recommended

--domain= guess what!


Ok, once we're done, we need to tell the daemon which key is for which domain …

Therefore we need two files defined in our config:


Edit /etc/opendkim/key.table, add the following line:

domain1.de-20180712     domain1.de:20180712:/etc/opendkim/domains/domain1.de/20180712.private

column 1: give your key a name

column 2: the domain, the selector (identifier) and the actual key file, separated by colons


Edit /etc/opendkim/signing.table, add  the following line:

domain1.de     domain1.de-20180712

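you could also do:

*@domain1.de     domain1.de-20180712

Wildcard patterns like this only match if the table is declared in the config as SigningTable refile:/etc/opendkim/signing.table; with the plain file path used above, use the first form. This gives you all the matching possibilities you will ever need 🙂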
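A quick consistency check for the two tables described above, as an added example (not part of the original guide or of OpenDKIM): it verifies that every key name used in signing.table exists in key.table and that each private key file exists and carries no group/other permission bits. The function names, the DKIM_PROBLEMS variable, the permission policy and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: cross-check OpenDKIM key.table and signing.table.
# Sets DKIM_PROBLEMS to the number of findings; returns 0 only when it is 0.
check_dkim_tables() {
    keytable=$1; signingtable=$2; DKIM_PROBLEMS=0
    # signing.table rows: <pattern> <key name>; the name must exist in key.table
    while read -r pattern keyname _; do
        case $pattern in ''|'#'*) continue ;; esac
        if ! awk -v k="$keyname" '$1 == k { f = 1 } END { exit !f }' "$keytable"; then
            echo "signing.table: $pattern uses unknown key name '$keyname'"
            DKIM_PROBLEMS=$((DKIM_PROBLEMS + 1))
        fi
    done < "$signingtable"
    # key.table rows: <key name> <domain>:<selector>:<private key path>
    while read -r keyname spec _; do
        case $keyname in ''|'#'*) continue ;; esac
        case $spec in
            *:*:/*) keyfile=${spec#*:}; keyfile=${keyfile#*:} ;;
            *) echo "key.table: $keyname is not domain:selector:/path"
               DKIM_PROBLEMS=$((DKIM_PROBLEMS + 1)); continue ;;
        esac
        if [ ! -f "$keyfile" ]; then
            echo "key.table: $keyname points at missing file $keyfile"
            DKIM_PROBLEMS=$((DKIM_PROBLEMS + 1))
        # Example policy (assumption): no group/other permission bits on the key
        elif [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "key.table: $keyfile is accessible to group or others"
            DKIM_PROBLEMS=$((DKIM_PROBLEMS + 1))
        fi
    done < "$keytable"
    [ "$DKIM_PROBLEMS" -eq 0 ]
}

# Constructed sample in a temp dir: domain1.de is set up like on this page but
# its key is world-readable; domain2.info signs with a name key.table lacks.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/domains/domain1.de"
    : > "$d/domains/domain1.de/20180712.private"
    chmod 644 "$d/domains/domain1.de/20180712.private"
    printf '%s\n' "domain1.de-20180712 domain1.de:20180712:$d/domains/domain1.de/20180712.private" > "$d/key.table"
    printf '%s\n' 'domain1.de domain1.de-20180712' '*@domain2.info domain2.info-20180712' > "$d/signing.table"
    check_dkim_tables "$d/key.table" "$d/signing.table"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $DKIM_PROBLEMS"
```

On a real host, call check_dkim_tables /etc/opendkim/key.table /etc/opendkim/signing.table after each table edit and before restarting opendkim.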


Ok, we're quite close now 😉

Add the following record from the file /etc/opendkim/domains/domain1.de/20180712.txt to your DNS server:

20180712._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
"8HsauSOXwoAGEOf765HMif+DL7TKAEJHJpdxmo5+B3NslJBMpS61hWACEmz3db7IUtfAl1uczNrX4sRNGU4sRRBNoM1bxwTNA6aonjxTIMGoHFf1YFneoXte1PPxRDEKv0tyVxJegjKuSQ46ZTjSqpzFt16P79WvhA/0ZsrGR8b7wNV5UuH1k0u/S7KTZvFerNXCD6YJghH7MR0pH7I/xFTcof/JPDRPHzcCAwEAAQ==" ) ; ----- DKIM key 20180712 for domain1.de

and verify (after the DNS refresh interval) via

dig TXT 20180712._domainkey.domain1.de

The result should be your entry 😉


ok – ready to go – GO:

start opendkim

/etc/init.d/opendkim start

and give it a test

opendkim-testkey -d domain1.de -s 20180712 -vvv

The output should look like this:

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20180712._domainkey.domain1.de'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Do not worry about the "KEY NOT SECURE" message; it is related to DNSSEC (which is a whole other topic).


Connecting the dots

Assuming everything is up & running, we still need to embed everything into our postfix world.

If you do not have any milters running, just add the following to your /etc/postfix/main.cf.

###  - DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

If there are already milters, just add the DKIM one as an additional one 😉

For testing reasons, you might also want to add "soft_bounce=yes" to your main.cf



ok – now that we're done with the setup, it's time for testing 😉

Go to https://mxtoolbox.com/ and enter your domain – it will check most of the settings for you

Write an email from your email@domain1.de address to you@gmail.com and see if the mail will arrive there without problems.

Watch your logs !


Wait, we're still not done?

Nope, there's still one step needed for enabling DMARC.

As mentioned above, SPF is required for setting up functional DMARC.

Good news: DMARC is just one step (a DNS TXT record to create) 😉

My recommendation:

Go here: https://mxtoolbox.com/DMARCRecordGenerator.aspx?domain=domain1.de and customize the DMARC record to your needs.

So we would now set a TXT record for domain1.de like this:

_dmarc.domain1.de     IN     TXT     "v=DMARC1; p=none; rua=mailto:862a4bf2@mxtoolbox.dmarc-report.com; ruf=mailto:862a4bf2@forensics.dmarc-report.com"

Of course you can set your own notification addresses 😉 (we recommend that)