Guide updated on 29th of February 2016

Implement DKIM


DomainKeys Identified Mail (DKIM) defines a domain-level authentication framework for email using public-key cryptography and key server technology to permit verification of the source and contents of messages by either Mail Transport Agents (MTAs) or Mail User Agents (MUAs).

DKIM synthesizes and enhances Yahoo!'s DomainKeys and Cisco's Identified Internet Mail specifications. It enables mail servers to cryptographically sign the outbound messages they send, and allows the recipients of these signed messages to verify that they were sent by a server that is authorized to send mail for that domain.

More information is available at http://www.dkim.org

Install Debian libdkim-dev package

aptitude install libdkim-dev

Replace the original qmail-remote binary with the qmail-remote DKIM wrapper script from Joerg Backschues, then create the spool directory

mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
cp /downloads/scripts/qmail-remote /var/qmail/bin/qmail-remote
chown root:qmail /var/qmail/bin/qmail-remote
chmod 0755 /var/qmail/bin/qmail-remote

mkdir -p /var/domainkeys
chown qmailr:qmail /var/domainkeys
chmod 0700 /var/domainkeys

Create your key

chmod +x /downloads/scripts/domainkey
/downloads/scripts/domainkey your-domain

Your keys are stored in /etc/domainkeys/your-domain/

Then you just have to put the TXT record in your domain's DNS zone file!



Users comments
Julian - 24/03/2017 20:22

@Phyllis smith

Thank You!

Now outgoing mails are signed.

Phyllis smith - 21/08/2016 21:41

OK - I got this.  I merged the qmail instruction with http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/ as follows:

1. Install libdomainkeys as indicated (the source was already downloaded)

2. Install libdkim as indicated in my previous response (like in this blog, but I updated to .21)

3. qmailctl stop.  Then patch and install qmail according to the blog.  I did use the 7.10 patch that thibs included, rather than the 7.08.

4. Used the keys I generated in the qmailrocks instructions.  DO NOT change owners/permissions as suggested in the blog.

5. Added the dksign control file.

6. qmailctl start.

Yeah! my e-mail now passes dkim.

Phyllis smith - 08/08/2016 00:15
I see that no one has touched this topic in over 2 years, but I'm really hoping that there are answers out there.

I've got dkim almost completely working with much trial and error. One of the biggest problems was how to get the dkim record into network solutions correctly. I've done that, but unfortunately, my signature won't validate.

I had to do a couple of things to make it work at all. These might help someone who is also trying this.

1. To get the e-mail signed, I had to change the qmail-remote script to #!/bin/bash, rather than #!/bin/sh. Until I did this, I got no signature at all.

2. To solve the bardenhagen.com problem, I downloaded the .19 source for libdkim and patched it according to http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/. Then I downloaded the 21 source and copied the patched makefile and manually edited the dkim.h file to merge the changes in the .19 version. I edited the libdkimtest.cpp file and changed MYSELECTOR, MYDOMAIN and MYIDENTITY to reflect the correct values for my domain. Then I created a directory in /var/lib and moved the existing libdkim* files there (otherwise the install fails). make all and make install. Maybe there's a better way, but I searched and searched and this finally worked.

Now, I'm signing my mail, but sadly the signature is showing up as invalid.

Using dkimvalidator.com, I get
result = fail
Details: message has been altered

---
Using http://www.appmaildev.com/en/dkim/, I get
DKIM result: permerror (bh=bodyhash absent)
DKIM-Signature: a=rsa-sha1; c=relaxed; d=csmiths.com; s=default;
        t=1470602255; x=1471466255; h=Received:From; b=je0xk17ULhNHbXrHt
        jM5Npz8Dgrhcs7/f6AyY3wvcpWZyWEv+mDsY3UzCVYXrQxoDGpdnzLu0yW23LQ/X
        DQMizXptRXSJd4wrZQRpAIjx5Y338OGOShGsdnQ2i0KSFBcmudGaGAfxiVDkNYH9
        9pXirSU6siCpK1BLYua+JY9+lc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=csmiths.com;
s=default; t=1470602255; x=1471466255; h=Received:From; bh=uoq1o
CgLlTqpdDX/iUbLy7J1Wic=; b=pm+o9DTcfU6DiSTd+PMEB0+dw1vNg5JVRYxwG
SJ3JyyR1vIOJrk5qx3fi+WUKF3smbilpS9hA/nhEY+sYdArGe1f66Eze+0o5pply
9c82YpKqDmtjYwAYckAXhWF9Yv6uen7WH+MaVYteKtEkjxHjTwHBhDjUOcCM/6uo
prCrmU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=csmiths.com;
s=default; t=1470602255; x=1471466255; h=Received:From; bh=frcCV
1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=mgf6gpdyqjyMinNloZ0HZ
zOmu+5lVlFKerQCZeqocSdZTtn51faQMjZSN03ddAV/8E/JN2fDk35jY/fkIcDTV
NxRwRjg9LJcgrhKQ9w1u+4pl3FEtwB8/+6Hmg9Z0Von1casfHGsfj+nuNsYAjVVt
rIGKQZJJ+wZhsCM7aBUQsc=

----
If I send mail to myself at gmail, I see
Authentication-Results: mx.google.com;
       dkim=neutral (bad format) header.i=@csmiths.com;
       dkim=neutral (body hash did not verify) header.i=@csmiths.com;
       dkim=neutral (body hash did not verify) header.i=@csmiths.com;
DKIM-Signature: a=rsa-sha1; c=relaxed; d=csmiths.com; s=default;
        t=1470602255; x=1471466255; h=Received:From; b=je0xk17ULhNHbXrHt
        jM5Npz8Dgrhcs7/f6AyY3wvcpWZyWEv+mDsY3UzCVYXrQxoDGpdnzLu0yW23LQ/X
        DQMizXptRXSJd4wrZQRpAIjx5Y338OGOShGsdnQ2i0KSFBcmudGaGAfxiVDkNYH9
        9pXirSU6siCpK1BLYua+JY9+lc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=csmiths.com;
        s=default; t=1470602255; x=1471466255; h=Received:From; bh=uoq1o
        CgLlTqpdDX/iUbLy7J1Wic=; b=pm+o9DTcfU6DiSTd+PMEB0+dw1vNg5JVRYxwG
        SJ3JyyR1vIOJrk5qx3fi+WUKF3smbilpS9hA/nhEY+sYdArGe1f66Eze+0o5pply
        9c82YpKqDmtjYwAYckAXhWF9Yv6uen7WH+MaVYteKtEkjxHjTwHBhDjUOcCM/6uo
        prCrmU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=csmiths.com;
        s=default; t=1470602255; x=1471466255; h=Received:From; bh=frcCV
        1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=mgf6gpdyqjyMinNloZ0HZ
        zOmu+5lVlFKerQCZeqocSdZTtn51faQMjZSN03ddAV/8E/JN2fDk35jY/fkIcDTV
        NxRwRjg9LJcgrhKQ9w1u+4pl3FEtwB8/+6Hmg9Z0Von1casfHGsfj+nuNsYAjVVt
        rIGKQZJJ+wZhsCM7aBUQsc=

Possibly related to the fact of 3 different signatures, but I don't have any idea why this is happening or how to fix this.
Any ideas? I'd really like to get this working
Also, as everyone says - thanks for the fact that this guide exists.  This is my third time building qmail servers from scratch.  I'd be lost without you.
Phyllis

 

Cuchac - 05/11/2014 10:13

Hi!

I was able to make everything work using this How-To, but the hashes were always reported to be wrong. After a few hours I discovered I have to add one line to the qmail-remote DKIM wrapper script.

The DKIM standard expects hashes to be calculated from a message having CRLF line ends. Linux by default has only LF, so I had to add the command `unix2dos "$inmsg" 2> /dev/null` right before the call to the libdkimtest binary and the hashes started to be correct.

Thanks for this How-To!
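
Added example (not part of the guide, the wrapper script or any comment): a Python check of the line-ending point in the 05/11/2014 comment above, applied to the signature tag lists posted in the 08/08/2016 comment. It models a signer that finds the body by the CRLF CRLF separator (an assumption about the signing tool), uses the simple body canonicalization that c=relaxed selects, and runs on a constructed message; the b= values are placeholders.

```python
import base64
import hashlib
import re

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")   # RFC 6376, section 3.5
HASHES = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}

def parse_tags(value):
    """DKIM-Signature value -> {tag: value}, folding whitespace removed."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def simple_body(message):
    """Body after the CRLF CRLF separator, trailing empty lines collapsed."""
    _, sep, body = message.partition(b"\r\n\r\n")
    if not sep:                       # LF-only file: separator never found
        body = b""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(message, algorithm):
    """Base64 digest of the canonicalized body, as carried in bh=."""
    digest = HASHES[algorithm](simple_body(message)).digest()
    return base64.b64encode(digest).decode()

def diagnose(sig_value, message):
    """List what a verifier would object to in one signature."""
    tags = parse_tags(sig_value)
    found = [f"missing required tag {t}=" for t in REQUIRED if t not in tags]
    if "bh" in tags and tags.get("a") in HASHES:
        if tags["bh"] == body_hash(b"", tags["a"]):
            found.append("bh= is the hash of an empty body")
        if tags["bh"] != body_hash(message, tags["a"]):
            found.append("bh= does not match the message body")
    return found

# Tag lists as posted in the 08/08/2016 comment; b= shortened to a placeholder.
SIG_NO_VERSION = ("a=rsa-sha1; c=relaxed; d=csmiths.com; s=default; "
                  "t=1470602255; x=1471466255; h=Received:From; b=PLACEHOLDER")
SIG_SHA256 = ("v=1; a=rsa-sha256; c=relaxed; d=csmiths.com;\r\n\ts=default; "
              "t=1470602255; x=1471466255; h=Received:From; bh=frcCV\r\n\t"
              "1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=PLACEHOLDER")
# Constructed message, once with CRLF line ends and once as a Unix (LF) file.
MSG_CRLF = b"From: a@example.com\r\nSubject: test\r\n\r\nHello\r\n"
MSG_LF = MSG_CRLF.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    print(diagnose(SIG_NO_VERSION, MSG_CRLF))
    print(diagnose(SIG_SHA256, MSG_CRLF))
    print(body_hash(MSG_LF, "rsa-sha256"), body_hash(MSG_CRLF, "rsa-sha256"))
```

The bh= values posted in the 08/08/2016 comment are the ones RFC 6376 section 3.4.3 lists for an empty body, so any verifier that hashes the real body reports a body hash mismatch.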

Thibs - 15/01/2013 16:35

Hello,

I have to make a brand new install in February 2013. I'll retry it from the beginning to check if those explanations are still valid. I'll keep you informed.

Yalcin - 03/01/2013 01:14

Hi Thibs,

I also have installed without any error but my mails are not signed. Any help is welcome.

Best regards,

Yalcin

Abel - 02/04/2012 21:55

I installed everything without errors and created the domainkeys, but the emails are not signed. Any ideas?

Scott - 04/03/2012 04:58

bardenhagen.com seems to be hardcoded into the libdkimtest binary (http://libdkim.sourcearchive.com/documentation/1:1.0.21-1/libdkimtest_8cpp-source.html) but if you revert to libdkim version 1.0.17 and use the patch provided here (http://www.backschues.net/backschues.net/know-how/qmail/dkim.htm) you can get your domain and selector to show up in the DKIM-Signature. I didn't get a chance due to time constraints but has anybody tried running the patch against the most recent version of libdkim?

 

After setting this up, I used http://www.allaboutspam.com/email-server-test/ as a test and the response for DKIM states "Email contains valid DKIM/Domain Keys Signature, but published Domain Keys policy does not specify whether to accept or reject such Emails. Please modify your Domain Keys policy to accept properly signed emails." Is that referring to DNS DKIM Policy Record, separate from the DNS DKIM Public Key Record (http://forum.unifiedemail.net/default.aspx?g=posts&t=51)?

Thibs - 02/09/2011 16:57

Hello Georgi,

I really wanted to thank you for your site http://www.pc-freak.net/blog/

It's really useful and I've found a lot of tips !

I'll read http://www.pc-freak.net/blog/how-to-enable-domain-keys-dkim-in-qmail-toaster-based-mail-server-install-on-debian-linux/ and adapt this page with your tips !

Friendly Regards!

 

 

Hip0 - 02/09/2011 13:28

Heya Thibs,

 

Some time ago, I've written a step by step tutorial explaining very widely the possible problems and solutions whether domainkeys needs to be implemented. Some of the readers might want to take a look.

http://www.pc-freak.net/blog/how-to-enable-domain-keys-dkim-in-qmail-toaster-based-mail-server-install-on-debian-linux/

 

You've done great job with this site!

I really enjoy and consult for so many things related to qmail.

Keep the good work up! ;)

 

Best,

Georgi

Jeff - 12/03/2011 16:47

I used Fred's way and got it to work.  Thanks Fred.

Jeff - 11/03/2011 22:39

When I implemented this, it has references to bardenhagen.com (which is not my domain) and I don't understand why it is in my DKIM-Signature.

 

DKIM-Signature:         a=rsa-sha1; c=relaxed; d=bardenhagen.com; s=MDaemon; l=2; t=1299877577; x=1300741577; h=Received:From; b=p bmGCt8boZlqmkLDpBovDtS/tc5qI/783O6kTd0C8oHohT6vOEX0pJ0wgRDTTafrG RzYcIxwaOWQ0pA4LZ18wEyvki0qR1CobzBLBb17Ynovoh6fxD5KWxmzDcDe4DTst KtYOmX97UElAKAVK9MwSiYDiSuwCQZhXalErmkYKHU=

Fred - 01/10/2010 01:32

There is another alternative described on http://manuel.mausz.at/coding/qmail-dkim/

