DKIM: Difference between revisions

From DWIKI
← Older edit
Tony (talk | contribs)
7,289 edits
Tony (talk | contribs)
7,289 edits
Tony (talk | contribs)
7,289 edits
Tag: wikieditor
 
(40 intermediate revisions by the same user not shown)
Line 1: Line 1:


= DomainKeys Identified Mail =
'''DomainKeys Identified Mail'''


== Links ==


= Links =
==DKIM checks==
[https://dkimvalidator.com/ DKIMvalidator]
*[http://dkimcore.org/tools/keycheck.html dkim check]  
*[http://dkimcore.org/tools/keycheck.html dkim check]  
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test]
==DKIM documentation==
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]  
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]  
*[https://help.ubuntu.com/community/Postfix/dkim-milter https://help.ubuntu.com/community/Postfix/dkim-milter] Postfix and dkim-milter]  
*[https://help.ubuntu.com/community/Postfix/dkim-milter Postfix and dkim-milter]  
*[http://dkim.org/ Homepage]
*[https://www.samlogic.net/articles/dkim--cname-or-txt.htm DKIM with CNAME or TXT]
*[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README]  
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]  
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]  
*[[DKIM_with_Sendmail|DKIM with Sendmail]]  
*[[DKIM_with_Sendmail|DKIM with Sendmail]]  
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM]  
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM]  
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test]
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]  
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]  
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/  DKIM on relay server]
*[[OpenDKIM]]
 
 
 
 
= OpenDKIM Howto =
 
cd /etc/opendkim/keys
 
The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files
 
opendkim-genkey -s somename -d domain.name
 
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim
 
== SigningTable ==


#somename is the first field in Keytable
*[https://diziet.dreamwidth.org/16025.html dkim key rotation]


*@domain.name somename
=DKIM tags=
* https://mxtoolbox.com/dmarc/dkim/dkim-signature-tags


== KeyTable ==


Here the name of the selector (the part before ._domainkey) is the one you publish in dns
=Tools=
==dkimverify==


  somename domain.name:selectorname:/path/to/somename.private
=HOWTO=
==Find published dkim key==
In mailheader look for 'd=' and 's=' to get domain and selector, then
  dig <selector>._domainkey.<domain> TXT


==Configuration file /etc/opendkim.conf==
==Check if keys match==
  Mode    s
  dig myselector._domainkey.example.com txt
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable


== Postfix ==
and save the bit from "p=" to '''public.key.b64'''
You will probably need to remove the quotes/spaces:
| sed 's/[\" \"|\"$]//g'


In /etc/postfix/main.cf:
openssl enc -base64 -d -in public.key.b64 -out public.key
openssl rsa -pubin -inform DER -in public.key -noout -modulus
and compare the shown modulus with
openssl rsa -in private.key -noout -modulus


&nbsp;
They should be identical
 
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
 
&nbsp;
 
= Checking =
 
opendkim-testkey -d domain.name -s selectorname -v -k keys/keyname.private
 
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.
 
*[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ https://www.dmarcanalyzer.com/nl/dkim-record-validatie/]


= FAQ =
= FAQ =
 
[[Category:Mail]]
== opendkim: no signing table match for ==
 
In opendkim.conf use:
 
refile:/etc/opendkim/SigningTable
 
== opendkim-testkey key not secure ==
 
Probably means you have no DNSSEC
 
&nbsp;
 
== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory ==
 
Means it's defined in opendkim.conf, and you're not using KeyTable
 
&nbsp;
 
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode ==
 
??

Latest revision as of 07:12, 29 April 2026

DomainKeys Identified Mail


Links

DKIM checks

DKIMvalidator

DKIM documentation

DKIM tags


Tools

dkimverify

HOWTO

Find published dkim key

In mailheader look for 'd=' and 's=' to get domain and selector, then 

dig <selector>._domainkey.<domain> TXT

Check if keys match

dig myselector._domainkey.example.com txt

and save the bit from "p=" to public.key.b64 You will probably need to remove the quotes/spaces: 

| sed 's/[\" \"|\"$]//g' 

openssl enc -base64 -d -in public.key.b64 -out public.key
openssl rsa -pubin -inform DER -in public.key -noout -modulus

and compare the shown modulus with 

openssl rsa -in private.key -noout -modulus

They should be identical

FAQ

Retrieved from "https://wiki.dhits.nl/index.php?title=DKIM&oldid=10412"