Guide updated on 29th of February 2016

Implement DKIM


DomainKeys Identified Mail (DKIM) defines a domain-level authentication framework for email using public-key cryptography and key server technology to permit verification of the source and contents of messages by either Mail Transport Agents (MTAs) or Mail User Agents (MUAs).

DKIM synthesizes and enhances Yahoo!'s DomainKeys and Cisco's Identified Internet Mail specifications. It enables mail servers to cryptographically sign the outbound messages they send, and allows the recipients of these signed messages to verify that they were sent by a server which is authorized to send mail for that domain.

More information is available at http://www.dkim.org

Install the Debian libdkim-dev package

aptitude install libdkim-dev

Replace the original qmail-remote binary with the qmail-remote DKIM wrapper script from Joerg Backschues, then create the spool directory

mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
cp /downloads/scripts/qmail-remote /var/qmail/bin/qmail-remote
chown root:qmail /var/qmail/bin/qmail-remote
chmod 0755 /var/qmail/bin/qmail-remote

mkdir -p /var/domainkeys
chown qmailr:qmail /var/domainkeys
chmod 0700 /var/domainkeys

Create your key

chmod +x /downloads/scripts/domainkey
/downloads/scripts/domainkey your-domain

Your keys are stored in /etc/domainkeys/your-domain/

Then you just have to put the TXT record in your domain's DNS zone file!



Users comments
Mike2 - 27/12/2018 15:49
Received: from mail.technetinternetsolutions.ro (188-27-126-200.rdsnet.ro [188.27.126.200])
	by relay-4.us-west-2.relay-prod (Postfix) with ESMTPS id 343A326C29
	for <5yquXn2ZUHkz7Z@dkimvalidator.com>; Thu, 27 Dec 2018 14:11:26 +0000 (UTC)
DKIM-Signature: a=rsa-sha1; c=relaxed;
	d=technetinternetsolutions.ro; s=default; t=1545919884;
	x=1546783884; h=Received:From; b=XjznhLaGr2WmUnr7FGJ+n4eio8DB5WL
	+WpiPAJ+uYzb8Psxe49Yzfwl8W+ENMww85TO2ESXg6GS5+I5tG3zdiwOvMK3H3Hp
	fPKb0lN2H9iUVt2vGi6/bk7l3xwz07jR7O28KXFIfFDp95kZOM4bzbhPosKx4PlZ
	Rro8CZewzr6M=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;
	d=technetinternetsolutions.ro; s=default; t=1545919884;
	x=1546783884; h=Received:From; bh=uoq1oCgLlTqpdDX/iUbLy7J1Wic=;
	b=n+P/V94/iCOVo2lBjpFzYquNvRKXxl3FnLTuo+cnnwnlY4rsa+5kbteo4wWVlU
	lEQpCQt2LQvsfaQH4uhYGjNFydJS2exxZCXU30yJMxkjMw0nQyuOn9tobpWD5F5v
	RTCKZla3bp/Md3F84Z00TI7BzbqnFdYXTz722L6A0Xv5o=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed;
	d=technetinternetsolutions.ro; s=default; t=1545919884;
	x=1546783884; h=Received:From; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RS
	N/XKdLCPjaYaY=; b=PUe2LiH5TAXj0o5+NnV3jwdnPrKNWJ5Xq5RnP5EL5uS+Wp
	uw2Yrvt0FmerqFkwjRXH+4wBNyLp1cSgz4YyVMBJywYWdxRgrbZr9cIPek3uVJ/e
	2aAdURAqsghyuRevHSuqFxrsPgZKxBf7JXDSWqcxsXWi3YUJZoLhEYHKS8nmU=
Received: (qmail 28987 invoked by uid 33); 27 Dec 2018 16:11:23 +0200

The error above is what I'm getting, I just do not get any DKIM hashes out, and I'm at the end of my knowledge. Anybody seen this before? Cheers guys.
Mike1 - 20/11/2018 16:37

I wish it was that simple. I'm afraid the below tutorial on how to install DKIM failed me. I'm not a native English speaker, so I must have missed something somewhere. The idea is it doesn't work for me, I get qmail-remote unable to run... does anybody have somewhere an idiot's guide on how to install this?

Torsten - 19/11/2018 22:00

If you get an error when validating the DKIM or SPF implementation, just test with another tool, a good one is EmailTooler.com.

I use this one:
https://www.emailtooler.com/authentication-validator/

 

Mike - 13/11/2018 09:58

I'm afraid for me the tutorial below failed, either I'm not doing something right, or it doesn't work...

Julian - 24/03/2017 19:22

@Phyllis smith

Thank You!

Now outgoing mails are signed.

Phyllis smith - 21/08/2016 19:41

OK - I got this.  I merged the qmail instruction with http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/ as follows:

1. Install libdomainkeys as indicated (the source was already downloaded)

2. Install libdkim as indicated in my previous response (like in this blog, but I updated to .21)

3. qmailctl stop.  Then patch and install qmail according to the blog.  I did use the 7.10 patch that thibs included, rather than the 7.08.

4. Used the keys I generated in the qmailrocks instructions.  DO NOT change owners/permissions as suggested in the blog.

5. Added the dksign control file.

6. qmailctl start.

Yeah! my e-mail now passes dkim.

Phyllis smith - 07/08/2016 22:15
I see that no one has touched this topic in over 2 years, but I'm really hoping that there are answers out there.

I've got dkim almost completely working with much trial and error. One of the biggest problems was how to get the dkim record into network solutions correctly. I've done that, but unfortunately, my signature won't validate.

I had to do a couple of things to make it work at all. These might help someone who is also trying this.

1. To get the e-mail signed, I had to change the qmail-remote script to #!/bin/bash, rather than #!/bin/sh. Until I did this, I got no signature at all.

2. To solve the bardenhagen.com problem, I downloaded the .19 source for libdkim and patched it according to http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/. Then I downloaded the 21 source and copied the patched makefile and manually edited the dkim.h file to merge the changes in the .19 version. I edited the libdkimtest.cpp file and changed MYSELECTOR, MYDOMAIN and MYIDENTITY to reflect the correct values for my domain. Then I created a directory in /var/lib and moved the existing libdkim* files there (otherwise the install fails). make all and make install. Maybe there's a better way, but I searched and searched and this finally worked.

Now, I'm signing my mail, but sadly the signature is showing up as invalid.

Using dkimvalidator.com, I get
result = fail
Details: message has been altered

---
Using http://www.appmaildev.com/en/dkim/, I get
DKIM result: permerror (bh=bodyhash absent)
DKIM-Signature: a=rsa-sha1; c=relaxed; d=csmiths.com; s=default;
        t=1470602255; x=1471466255; h=Received:From; b=je0xk17ULhNHbXrHt
        jM5Npz8Dgrhcs7/f6AyY3wvcpWZyWEv+mDsY3UzCVYXrQxoDGpdnzLu0yW23LQ/X
        DQMizXptRXSJd4wrZQRpAIjx5Y338OGOShGsdnQ2i0KSFBcmudGaGAfxiVDkNYH9
        9pXirSU6siCpK1BLYua+JY9+lc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=csmiths.com;
s=default; t=1470602255; x=1471466255; h=Received:From; bh=uoq1o
CgLlTqpdDX/iUbLy7J1Wic=; b=pm+o9DTcfU6DiSTd+PMEB0+dw1vNg5JVRYxwG
SJ3JyyR1vIOJrk5qx3fi+WUKF3smbilpS9hA/nhEY+sYdArGe1f66Eze+0o5pply
9c82YpKqDmtjYwAYckAXhWF9Yv6uen7WH+MaVYteKtEkjxHjTwHBhDjUOcCM/6uo
prCrmU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=csmiths.com;
s=default; t=1470602255; x=1471466255; h=Received:From; bh=frcCV
1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=mgf6gpdyqjyMinNloZ0HZ
zOmu+5lVlFKerQCZeqocSdZTtn51faQMjZSN03ddAV/8E/JN2fDk35jY/fkIcDTV
NxRwRjg9LJcgrhKQ9w1u+4pl3FEtwB8/+6Hmg9Z0Von1casfHGsfj+nuNsYAjVVt
rIGKQZJJ+wZhsCM7aBUQsc=

----
If I send mail to myself at gmail, I see
Authentication-Results: mx.google.com;
       dkim=neutral (bad format) header.i=@csmiths.com;
       dkim=neutral (body hash did not verify) header.i=@csmiths.com;
       dkim=neutral (body hash did not verify) header.i=@csmiths.com;
DKIM-Signature: a=rsa-sha1; c=relaxed; d=csmiths.com; s=default;
        t=1470602255; x=1471466255; h=Received:From; b=je0xk17ULhNHbXrHt
        jM5Npz8Dgrhcs7/f6AyY3wvcpWZyWEv+mDsY3UzCVYXrQxoDGpdnzLu0yW23LQ/X
        DQMizXptRXSJd4wrZQRpAIjx5Y338OGOShGsdnQ2i0KSFBcmudGaGAfxiVDkNYH9
        9pXirSU6siCpK1BLYua+JY9+lc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=csmiths.com;
        s=default; t=1470602255; x=1471466255; h=Received:From; bh=uoq1o
        CgLlTqpdDX/iUbLy7J1Wic=; b=pm+o9DTcfU6DiSTd+PMEB0+dw1vNg5JVRYxwG
        SJ3JyyR1vIOJrk5qx3fi+WUKF3smbilpS9hA/nhEY+sYdArGe1f66Eze+0o5pply
        9c82YpKqDmtjYwAYckAXhWF9Yv6uen7WH+MaVYteKtEkjxHjTwHBhDjUOcCM/6uo
        prCrmU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=csmiths.com;
        s=default; t=1470602255; x=1471466255; h=Received:From; bh=frcCV
        1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=mgf6gpdyqjyMinNloZ0HZ
        zOmu+5lVlFKerQCZeqocSdZTtn51faQMjZSN03ddAV/8E/JN2fDk35jY/fkIcDTV
        NxRwRjg9LJcgrhKQ9w1u+4pl3FEtwB8/+6Hmg9Z0Von1casfHGsfj+nuNsYAjVVt
        rIGKQZJJ+wZhsCM7aBUQsc=

Possibly related to the fact of 3 different signatures, but I don't have any idea why this is happening or how to fix this.
Any ideas? I'd really like to get this working
Also, as everyone says - thanks for the fact that this guide exists.  This is my third time building qmail servers from scratch.  I'd be lost without you.
Phyllis

 

Cuchac - 05/11/2014 09:13

Hi!

I was able to make everything work using this How-To, but the hashes were always reported to be wrong. After a few hours I discovered I had to add one line to the qmail-remote DKIM wrapper script.

The DKIM standard expects hashes to be calculated from a message with CRLF line endings. Linux by default has only LF, so I had to add the command `unix2dos "$inmsg" 2> /dev/null` right before the call to the libdkimtest binary, and the hashes started to be correct.

Thanks for this How-To!
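
Added example (not part of the guide or of any commenter's post): a standard-library Python check of the two failure modes reported in these comments, the line-ending dependence of the body hash and signatures missing v= or bh=. It assumes the body is canonicalized as "simple", which is what c=relaxed alone selects in RFC 6376; the sample header values reuse a subset of the tags and the bh= value from the posted headers with b= replaced by a placeholder, and the message body is constructed.

```python
import base64
import hashlib
import re

def simple_body(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: exactly one CRLF ends the body."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, algo: str) -> str:
    """Base64 digest that belongs in the bh= tag for this body."""
    digest = hashlib.new(algo, simple_body(body)).digest()
    return base64.b64encode(digest).decode()

def signature_tags(value: str) -> dict:
    """Split 'tag=value; ...' and remove folding whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def diagnose(value: str) -> list:
    """List the defects a verifier would trip over in one DKIM-Signature."""
    tags = signature_tags(value)
    problems = []
    if tags.get("v") != "1":
        problems.append("missing v=1")
    if "bh" not in tags:
        problems.append("missing bh")
    else:
        algo = tags.get("a", "").rpartition("-")[2]
        if algo in ("sha1", "sha256") and tags["bh"] == body_hash(b"", algo):
            problems.append("bh is the hash of an empty body")
    return problems

# Subset of the tags posted in the comments; b= is a placeholder.
FIRST = "a=rsa-sha1; c=relaxed; d=csmiths.com; s=default; h=Received:From; b=PLACEHOLDER"
THIRD = ("v=1; a=rsa-sha256; c=relaxed; d=csmiths.com; s=default; h=Received:From;"
         " bh=frcCV\n 1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=PLACEHOLDER")

# Constructed body: identical text with LF and with CRLF line endings.
LF_BODY = b"Hello,\nthis is a test.\n"
CRLF_BODY = LF_BODY.replace(b"\n", b"\r\n")  # the effect of unix2dos

if __name__ == "__main__":
    print(diagnose(FIRST), diagnose(THIRD), body_hash(CRLF_BODY, "sha256"))
```

The bh= values in the posted v=1 signatures equal the hash of an empty body, so a verifier hashing a non-empty body will not match them; the LF and CRLF copies of the same text also hash differently.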

Thibs - 15/01/2013 15:35

Hello,

I have to make a brand-new install in February 2013. I'll retry it from the beginning to check if those explanations are still valid. I'll keep you informed.

Yalcin - 03/01/2013 00:14

Hi Thibs,

I also have installed without any error but my mails are not signed. Any help is welcome.

Best regards,

Yalcin

Abel - 02/04/2012 19:55

I installed everything without errors and created the domainkeys, but the emails are not signed. Any ideas?

Scott - 04/03/2012 03:58

bardenhagen.com seems to be hardcoded into the libdkimtest binary (http://libdkim.sourcearchive.com/documentation/1:1.0.21-1/libdkimtest_8cpp-source.html) but if you revert to libdkim version 1.0.17 and use the patch provided here (http://www.backschues.net/backschues.net/know-how/qmail/dkim.htm) you can get your domain and selector to show up in the DKIM-Signature. I didn't get a chance due to time constraints but has anybody tried running the patch against the most recent version of libdkim?

 

After setting this up, I used http://www.allaboutspam.com/email-server-test/ as a test and the response for DKIM states "Email contains valid DKIM/Domain Keys Signature, but published Domain Keys policy does not specify whether to accept or reject such Emails. Please modify your Domain Keys policy to accept properly signed emails." Is that referring to DNS DKIM Policy Record, separate from the DNS DKIM Public Key Record (http://forum.unifiedemail.net/default.aspx?g=posts&t=51)?

Thibs - 02/09/2011 14:57

Hello Georgi,

I really wanted to thank you for your site http://www.pc-freak.net/blog/

It's really useful and I've found a lot of tips !

I'll read http://www.pc-freak.net/blog/how-to-enable-domain-keys-dkim-in-qmail-toaster-based-mail-server-install-on-debian-linux/ and adapt this page with your tips !

Friendly Regards!

 

 

Hip0 - 02/09/2011 11:28

Heya Thibs,

 

Some time ago, I've written a step by step tutorial explaining very widely the possible problems and solutions whether domainkeys needs to be implemented. Some of the readers might want to take a look.

http://www.pc-freak.net/blog/how-to-enable-domain-keys-dkim-in-qmail-toaster-based-mail-server-install-on-debian-linux/

 

You've done great job with this site!

I really enjoy and consult for so many things related to qmail.

Keep the good work up! ;)

 

Best,

Georgi

Jeff - 12/03/2011 15:47

I used Fred's way and got it to work.  Thanks Fred.

Jeff - 11/03/2011 21:39

When I implemented this, it has references to bardenhagen.com (which is not my domain) and I don't understand why it is in my DKIM-Signature.

 

DKIM-Signature:         a=rsa-sha1; c=relaxed; d=bardenhagen.com; s=MDaemon; l=2; t=1299877577; x=1300741577; h=Received:From; b=p bmGCt8boZlqmkLDpBovDtS/tc5qI/783O6kTd0C8oHohT6vOEX0pJ0wgRDTTafrG RzYcIxwaOWQ0pA4LZ18wEyvki0qR1CobzBLBb17Ynovoh6fxD5KWxmzDcDe4DTst KtYOmX97UElAKAVK9MwSiYDiSuwCQZhXalErmkYKHU=

Fred - 30/09/2010 23:32

There is another alternative described on http://manuel.mausz.at/coding/qmail-dkim/

