DKIM: Difference between revisions

From DWIKI
Tony (talk | contribs)


= DomainKeys Identified Mail =

== Links ==
== DKIM checks ==
*[https://dkimvalidator.com/ DKIMvalidator]
*[http://dkimcore.org/tools/keycheck.html dkim check]
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test DomainKeys/DKIM/SPF validator test (myiptest)]
== DKIM documentation ==
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]
*[https://help.ubuntu.com/community/Postfix/dkim-milter Postfix and dkim-milter]
*[http://dkim.org/ DKIM Homepage]
*[https://www.samlogic.net/articles/dkim--cname-or-txt.htm DKIM with CNAME or TXT]
*[http://www.opendkim.org/opendkim-README OpenDKIM README]
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]
*[[DKIM_with_Sendmail|DKIM with Sendmail]]
*[https://wiki.debian.org/OpenDKIM Debian wiki: OpenDKIM]
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/ DKIM on relay server]
*[[OpenDKIM]]
*[https://diziet.dreamwidth.org/16025.html dkim key rotation]


=DKIM tags=
* https://mxtoolbox.com/dmarc/dkim/dkim-signature-tags


= Tools =
== dkimverify ==


= HOWTO =
== Find published dkim key ==
In the mail header look for 'd=' and 's=' to get the domain and selector, then
 dig <selector>._domainkey.<domain> TXT

== Check if keys match ==
 dig myselector._domainkey.example.com txt
and save the part after "p=" to '''public.key.b64'''. You will probably need to remove the quotes/spaces:
 | sed 's/[\" \"|\"$]//g'
 openssl enc -base64 -d -in public.key.b64 -out public.key
 openssl rsa -pubin -inform DER -in public.key -noout -modulus
and compare the shown modulus with
 openssl rsa -in private.key -noout -modulus
They should be identical.

= OpenDKIM Howto =
On Ubuntu you might have to create:
 mkdir -p /etc/opendkim/keys
 chown -R opendkim.opendkim /etc/opendkim
 chmod go-rw /etc/opendkim/keys

Then
 cd /etc/opendkim/keys
 opendkim-genkey -s somename -d domain.name
The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files.

Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so
 chown -R opendkim.opendkim /etc/opendkim/keys

== SigningTable ==
 #somename is the first field in KeyTable
 *@domain.name somename

== KeyTable ==

Here the name of the selector (the part before ._domainkey) is the one you publish in DNS.

 somename domain.name:selectorname:/path/to/somename.private
 
== Configuration file /etc/opendkim.conf ==
 Mode    s
 KeyTable        /etc/opendkim/KeyTable
 SigningTable    refile:/etc/opendkim/SigningTable
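How OpenDKIM gets from a sender address to a signing key, using the SigningTable and KeyTable formats shown above and the refile: setting in the configuration, as an added example in Python (not OpenDKIM's own code): it parses both tables, resolves a From address to its KeyTable entry, and shows why a plain-file lookup never matches the literal key '*@domain.name' while refile treats '*' as a wildcard, which is the "no signing table match" situation in the FAQ below. Assumptions: the plain-file lookup is simplified to an exact match, the wildcard-to-anchored-regex conversion is my reading of OpenDKIM's refile handling, and the table contents and function names (select_key, explain) are constructed for this example.

```python
import re

# --- parse the two tables in the line format OpenDKIM reads ---

def parse_key_table(text: str) -> dict:
    """KeyTable lines: <name> <signing-domain>:<selector>:<private-key-path>."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(None, 1)
        fields = spec.split(":")
        if len(fields) != 3:
            raise ValueError(f"KeyTable entry {name!r}: need domain:selector:path, got {spec!r}")
        table[name] = dict(zip(("domain", "selector", "keyfile"), fields))
    return table


def parse_signing_table(text: str) -> list:
    """SigningTable lines: <sender pattern> <KeyTable name>; order is kept, first match wins."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, name = line.split()
        rows.append((pattern, name))
    return rows


def pattern_matches(pattern: str, address: str, refile: bool) -> bool:
    """Plain file: the key must equal the address (simplified here to an exact match).
    refile: '*' is a wildcard, everything else is literal, and the match is anchored at
    both ends (assumption: my reading of OpenDKIM's refile handling)."""
    if not refile:
        return pattern.lower() == address.lower()
    regex = "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"
    return re.match(regex, address, re.IGNORECASE) is not None


def select_key(from_addr: str, signing_table: list, key_table: dict, refile: bool = True):
    """Return (name, KeyTable entry) for the first SigningTable row that matches, else None."""
    for pattern, name in signing_table:
        if pattern_matches(pattern, from_addr, refile):
            if name not in key_table:
                raise KeyError(f"SigningTable maps to {name!r}, which is not a KeyTable entry")
            return name, key_table[name]
    return None


def explain(from_addr: str, signing_table: list, key_table: dict, refile: bool = True) -> str:
    """Outcome phrased like the opendkim log line quoted in this page's FAQ."""
    hit = select_key(from_addr, signing_table, key_table, refile)
    if hit is None:
        return f"no signing table match for '{from_addr}'"
    name, key = hit
    return f"sign with {name}: d={key['domain']} s={key['selector']} key={key['keyfile']}"


# constructed tables mirroring the page's SigningTable/KeyTable examples
KEY_TABLE_TEXT = "somename domain.name:selectorname:/etc/opendkim/keys/somename.private\n"
SIGNING_TABLE_TEXT = "# pattern -> KeyTable name\n*@domain.name somename\n"

KEY_TABLE = parse_key_table(KEY_TABLE_TEXT)
SIGNING_TABLE = parse_signing_table(SIGNING_TABLE_TEXT)

if __name__ == "__main__":
    for refile in (True, False):
        mode = "refile" if refile else "plain "
        print(mode, "->", explain("alice@domain.name", SIGNING_TABLE, KEY_TABLE, refile))
    # the anchored pattern does not sign for a look-alike domain that merely starts with ours
    print("lookalike ->", explain("alice@domain.name.evil.example", SIGNING_TABLE, KEY_TABLE))
```

Running it with refile shows the address resolving to somename's domain, selector and key file; with a plain table the same address produces the "no signing table match" line, which is exactly the symptom the FAQ answers with refile:.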
 
 
== Postfix ==

In /etc/postfix/main.cf:

 milter_protocol = 2
 milter_default_action = accept
 smtpd_milters = inet:localhost:8891
 non_smtpd_milters = inet:localhost:8891

= Checking =

 opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This will try to fetch the key published in DNS, so "record not found" means the DNS record was not found. No output is good output.

*[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ dmarcanalyzer DKIM record validation]

== WARNING: Unsafe permissions ==
Make the key readable for user opendkim only.

== keys do not match ==
Try
 opendkim-testkey -d domain.name -s selectorname -vv
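The "Find published dkim key" and "Check if keys match" steps above, re-implemented offline in Python as an added example that is not part of this wiki page: it builds the <selector>._domainkey.<domain> query name from a DKIM-Signature header's d= and s= tags, joins the quoted strings dig prints for a long TXT record (the job the sed line above does), decodes p=, reads the modulus directly out of the SubjectPublicKeyInfo DER that "openssl rsa -pubin -inform DER" expects, and compares it with the Modulus= line openssl prints for the private key. The sample record and header are constructed, using the textbook 3233/17 RSA numbers so the DER stays short; function names such as dkim_query_name and keys_match are mine. An empty p= (a revoked key) and a p= containing stray characters (the "bad base64 decode" error in the FAQ below) are both rejected explicitly.

```python
import base64
import re

# --- Step 1: the DNS name to query, from the DKIM-Signature header's d= and s= tags ---

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list such as 'v=DKIM1; k=rsa; p=...'.
    Whitespace inside a value (folded headers, dig's split strings) is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_query_name(header: str) -> str:
    """Return '<selector>._domainkey.<domain>' for a DKIM-Signature header line."""
    body = header.split(":", 1)[1] if header.lower().startswith("dkim-signature:") else header
    tags = parse_tags(body)
    return f"{tags['s']}._domainkey.{tags['d']}"


# --- Step 2: rebuild the TXT record from dig's output and pull out p= ---

def join_txt_chunks(rdata: str) -> str:
    """dig prints a long TXT record as several quoted strings: "v=DKIM1; k=rsa; " "p=MIGf...".
    The record is their concatenation, which is what the quote/space stripping above achieves."""
    chunks = re.findall(r'"([^"]*)"', rdata)
    return "".join(chunks) if chunks else rdata


def published_modulus(rdata: str) -> int:
    """Decode the p= tag of a DKIM TXT record and return the RSA modulus as an integer."""
    tags = parse_tags(join_txt_chunks(rdata))
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    if not tags.get("p"):
        raise ValueError("empty p= tag: the key is revoked or the record is malformed")
    der = base64.b64decode(tags["p"], validate=True)   # stray characters raise here ('bad base64 decode')
    return rsa_modulus_from_spki(der)


# --- Step 3: minimal DER reader; p= holds a SubjectPublicKeyInfo ---

def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> list:
    """All TLVs inside a constructed value (e.g. a SEQUENCE)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_from_spki(der: bytes) -> int:
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    # subjectPublicKey wraps RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    tag, spki, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    (_, _algorithm), (bit_tag, bit_string) = der_children(spki)
    if bit_tag != 0x03 or bit_string[:1] != b"\x00":
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_pub, _ = der_read(bit_string[1:])
    (n_tag, n_bytes), _exponent = der_children(rsa_pub)
    if n_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big")   # a leading 0x00 sign byte does not change the value


def keys_match(rdata: str, private_modulus_hex: str) -> bool:
    """Compare the published modulus with the 'Modulus=...' hex that
    'openssl rsa -in private.key -noout -modulus' prints for the private key."""
    return published_modulus(rdata) == int(private_modulus_hex, 16)


# --- Constructed sample data (not from the page): a toy RSA key wrapped the way DNS publishes it ---

def der_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(n: int) -> bytes:
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def spki_for(n: int, e: int) -> bytes:
    rsa_oid = bytes.fromhex("06092a864886f70d010101")        # OID 1.2.840.113549.1.1.1 (rsaEncryption)
    algorithm = der_tlv(0x30, rsa_oid + b"\x05\x00")         # AlgorithmIdentifier with NULL parameters
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_pub))


TOY_N, TOY_E = 3233, 17          # classic textbook RSA numbers, useless for real signing
SAMPLE_RDATA = '"v=DKIM1; k=rsa; " "p=%s"' % base64.b64encode(spki_for(TOY_N, TOY_E)).decode()
SAMPLE_HEADER = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=myselector;\n"
                 "\th=from:to:subject; bh=AAAA; b=BBBB")

if __name__ == "__main__":
    print("query:", dkim_query_name(SAMPLE_HEADER))                           # myselector._domainkey.example.com
    print("published modulus:", format(published_modulus(SAMPLE_RDATA), "X"))  # CA1 (0xCA1 == 3233)
    print("match:", keys_match(SAMPLE_RDATA, "CA1"))                          # True
```

For a real key the hex printed is 512 characters long, so compare the two Modulus= lines with a tool rather than by eye; a mismatch here with a valid record almost always means the KeyTable points at a different .private file than the one whose public half was published.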


= FAQ =
== opendkim: no signing table match for ==
In opendkim.conf use:
 SigningTable refile:/etc/opendkim/SigningTable
== opendkim-testkey: key not secure ==
Probably means you have no DNSSEC.
== opendkim-testkey: keys do not match ==
Probably a mismatch between the published key and the private key; double-check the KeyTable.
== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory ==
Means the key file is set directly in opendkim.conf and you are not using a KeyTable.
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode ==
??
== opendkim.service: Start request repeated too quickly. ==
Probably a permissions problem somewhere; try
 opendkim -v
[[Category:Mail]]

Latest revision as of 07:12, 29 April 2026
