Fixing DKIM Signing Issues with OpenDKIM and Postfix
If your mail server sends messages but external tools report "Your message is not signed with DKIM", the cause is usually not a broken key but a gap in the OpenDKIM configuration: the daemon runs, yet it never decides to sign.
Typical cases are a trusted.hosts file that does not exist (so the submitting host is not treated as internal), a missing KeyTable or SigningTable (so OpenDKIM does not know which domain and key to sign with), or a Postfix milter setting that does not point at the socket OpenDKIM listens on.
Below is a structured guide to correctly configure OpenDKIM together with Postfix and ensure that your outgoing email is properly signed.
1. Create the trusted.hosts File
This file is used for both InternalHosts and ExternalIgnoreList: mail arriving from a listed host is treated as internal, which means OpenDKIM signs it instead of verifying it, and the external-sender checks are skipped for it. Entries can be IP addresses, CIDR blocks or hostnames (wildcards allowed). A host that is missing here is treated as an outside sender, and its mail leaves unsigned even if the rest of the configuration is correct.
sudo nano /etc/opendkim/trusted.hosts
Add the following content:
127.0.0.1
localhost
::1
vindazo.nl
*.vindazo.nl
Save and exit the file.
2. Complete the OpenDKIM Configuration
Open the main configuration file:
sudo nano /etc/opendkim.conf
Ensure the following parameters are present:
Syslog yes
LogWhy yes
Canonicalization relaxed/simple
Mode sv
SubDomains no
Socket inet:8891@localhost
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
InternalHosts /etc/opendkim/trusted.hosts
ExternalIgnoreList /etc/opendkim/trusted.hosts
These settings tell OpenDKIM:
- Where to find the DKIM keys (KeyTable)
- Which sender addresses should be signed with which key (SigningTable; the refile: prefix allows wildcard patterns such as *@vindazo.nl)
- Which hosts are internal, and therefore signed rather than verified (InternalHosts / ExternalIgnoreList)
- How Postfix communicates with OpenDKIM (Socket)
Mode sv means sign and verify; without the s, OpenDKIM only verifies incoming mail and never signs. LogWhy yes makes the daemon log why a message was not signed, which is exactly what you want while debugging.
3. Verify the Default Socket Configuration
On Ubuntu and Debian the packaged service can also take its socket from /etc/default/opendkim, and a SOCKET set there overrides the Socket line in opendkim.conf, so the two must agree.
sudo nano /etc/default/opendkim
Make sure this line is active:
SOCKET="inet:8891@localhost"
Other socket definitions should remain commented out. The comments in this file describe it as a legacy mechanism: under systemd it only takes effect after running /lib/opendkim/opendkim.service.generate (followed by systemctl daemon-reload), which writes a service override. On current releases it is simpler to set Socket in opendkim.conf and keep the SOCKET value here identical, so that whichever one is honoured gives the same result.
4. Verify DKIM Private Key Permissions
OpenDKIM must be able to read the private key used for signing.
ls -l /etc/opendkim/keys/vindazo.nl/mail.private
If necessary, correct the owner and permissions:
sudo chown opendkim:opendkim /etc/opendkim/keys/vindazo.nl/mail.private
sudo chmod 600 /etc/opendkim/keys/vindazo.nl/mail.private
Mode 600 is required, not just recommended: with RequireSafeKeys (on by default) OpenDKIM refuses to use a private key that other users can read and logs that the key data is not secure. The directory containing the key should likewise be owned by opendkim and not be writable by others.
5. Restart the Services
After updating the configuration, restart both services.
sudo systemctl restart opendkim
sudo systemctl restart postfix
Then confirm OpenDKIM is listening on port 8891:
systemctl status opendkim
ss -lntp | grep 8891
6. Check Logs While Sending a Test Email
Open a live log viewer:
tail -f /var/log/mail.log | grep -i opendkim
Send a test email. If everything works, the log shows a line such as "DKIM-Signature field added (s=mail, d=vindazo.nl)" against the queue ID of your message. If the message is not signed, LogWhy yes makes OpenDKIM log the reason, for example "no signing table match for 'user@domain'" when the sender address matches no SigningTable pattern, or "not internal" when the submitting host is not listed in trusted.hosts.
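Reading those log lines by eye is fine for one test message, but when several messages go out at once it helps to group the milter's output by queue ID. The script below is an added example, not part of the original post or of OpenDKIM: it triages mail.log lines per queue ID and reports whether each message was signed and, if not, the remedy that matches the reason OpenDKIM gave. SAMPLE_LOG is constructed in the shape of syslog output (the message texts follow what OpenDKIM logs with LogWhy enabled, but exact wording can differ between versions, so the matching is by substring).

```python
"""Triage of OpenDKIM log lines while a test mail is sent (added example).

Groups the milter's messages by Postfix queue ID and says whether each message was
signed and, if not, why. SAMPLE_LOG is constructed in the shape of syslog output.
"""
import re

SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/pickup[2100]: 7F2A1C0123: uid=1000 from=<root@vindazo.nl>
Mar  3 10:15:01 mail opendkim[1234]: 7F2A1C0123: DKIM-Signature field added (s=mail, d=vindazo.nl)
Mar  3 10:15:05 mail opendkim[1234]: 8A0B2D4567: no signing table match for 'alerts@example.org'
Mar  3 10:15:09 mail opendkim[1234]: 9C1D3E8901: not internal
Mar  3 10:15:20 mail opendkim[1234]: A3E5F01234: key data is not secure: /etc/opendkim/keys/vindazo.nl/mail.private
"""

OPENDKIM_LINE = re.compile(r"opendkim\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
SIGNED = re.compile(r"DKIM-Signature field added \(s=(?P<selector>[^,]+), d=(?P<domain>[^)]+)\)")

# (substring of the OpenDKIM message, what to fix); wording varies slightly by version.
REASONS = (
    ("no signing table match", "no SigningTable pattern matches the sender: add one or fix the From domain"),
    ("not internal", "the submitting host is not in InternalHosts (trusted.hosts), so the mail was only verified"),
    ("key data is not secure", "key file is readable by others: chown opendkim and chmod 600"),
)


def triage(log_text):
    """queue ID -> ('signed', selector, domain) or ('unsigned', message, remedy)."""
    outcome = {}
    for line in log_text.splitlines():
        m = OPENDKIM_LINE.search(line)
        if not m:
            continue  # lines from Postfix itself are not our concern here
        qid, msg = m.group("qid"), m.group("msg")
        s = SIGNED.match(msg)
        if s:
            outcome[qid] = ("signed", s.group("selector"), s.group("domain"))
            continue
        for needle, remedy in REASONS:
            if needle in msg:
                outcome[qid] = ("unsigned", msg, remedy)
                break
    return outcome


def counts(log_text):
    """(signed, unsigned) totals, for a quick check after the test mail."""
    out = triage(log_text).values()
    return (sum(o[0] == "signed" for o in out), sum(o[0] == "unsigned" for o in out))


if __name__ == "__main__":
    for qid, outcome in triage(SAMPLE_LOG).items():
        print(qid, *outcome)
```

On a real server, feed it the relevant slice of the log, for example the output of grep opendkim /var/log/mail.log, instead of SAMPLE_LOG; queue IDs with no OpenDKIM line at all usually mean Postfix never handed the message to the milter, which points at smtpd_milters / non_smtpd_milters rather than at OpenDKIM.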
7. Example Working Configuration
/etc/opendkim/key.table
mail._domainkey.vindazo.nl vindazo.nl:mail:/etc/opendkim/keys/vindazo.nl/mail.private
/etc/opendkim/signing.table
*@vindazo.nl mail._domainkey.vindazo.nl
/etc/opendkim/trusted.hosts
127.0.0.1
localhost
::1
vindazo.nl
*.vindazo.nl
/etc/postfix/main.cf
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept
milter_protocol = 2
non_smtpd_milters is what gets locally submitted mail (sendmail command, pickup) signed; smtpd_milters alone only covers mail received over SMTP. milter_default_action = accept means that if OpenDKIM is down or unreachable, Postfix delivers the mail unsigned instead of deferring it; that keeps mail moving, but it is also how unsigned messages leave without any obvious error, so watch the logs (use tempfail if you would rather hold mail than send it unsigned). milter_protocol = 2 is the minimal protocol version; the Postfix default of 6 also works with OpenDKIM.
/etc/opendkim.conf
Syslog yes
LogWhy yes
Canonicalization relaxed/simple
Mode sv
SubDomains no
Socket inet:8891@localhost
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
InternalHosts /etc/opendkim/trusted.hosts
ExternalIgnoreList /etc/opendkim/trusted.hosts
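Most "not signed" cases come down to one of these files disagreeing with another: a SigningTable entry naming a key that is not in the KeyTable, a key file readable by others, loopback missing from trusted.hosts, or Postfix pointing its milters at a different port than OpenDKIM listens on. The script below is an added example, not part of the original post or of OpenDKIM: it reads the files above from a root directory ("/" on a real server) and reports exactly those mismatches. PAGE_CONFIG is a constructed copy of the configuration listed on this page with a placeholder instead of a real private key; audit_sample() writes it into a temporary directory so the checks can be exercised offline.

```python
"""Consistency check for the OpenDKIM + Postfix files shown above (added example).

Reads opendkim.conf, main.cf and the tables below a root directory ("/" on a real
server) and reports the mismatches that typically leave outgoing mail unsigned.
"""
import os
import re
import stat
import tempfile

def read_lines(path):
    """Stripped, non-empty, non-comment lines of a file."""
    with open(path) as fh:
        return [s for s in (ln.split("#", 1)[0].strip() for ln in fh) if s]

def parse_table(path):
    """OpenDKIM table ('key<whitespace>value' per line) -> list of (key, value)."""
    return [tuple(ln.split(None, 1)) for ln in read_lines(path) if len(ln.split(None, 1)) == 2]

def parse_conf(path, sep=None):
    """'Name value' (opendkim.conf, sep=None) or 'name = value' (main.cf, sep='=') -> dict."""
    conf = {}
    for ln in read_lines(path):
        parts = ln.split(sep, 1)
        if len(parts) == 2:
            conf[parts[0].strip().lower()] = parts[1].strip()
    return conf

def socket_endpoint(spec):
    """'inet:8891@localhost' (OpenDKIM) or 'inet:localhost:8891' (Postfix) -> (host, port);
    host '*' means OpenDKIM listens on every interface, None means not an inet socket."""
    m = re.fullmatch(r"inet:(\d+)(?:@([\w.\-]+))?", spec)
    if m:
        return (m.group(2) or "*", int(m.group(1)))
    m = re.fullmatch(r"inet:([\w.\-]+):(\d+)", spec)
    return (m.group(1), int(m.group(2))) if m else None

def check_setup(root="/"):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    def at(path):  # map an absolute path from the config (optional refile: prefix) onto root
        return os.path.join(root, path.replace("refile:", "", 1).lstrip("/"))
    od = parse_conf(at("/etc/opendkim.conf"))
    pf = parse_conf(at("/etc/postfix/main.cf"), sep="=")
    f = []
    if "s" not in od.get("mode", "sv"):  # OpenDKIM's default Mode is sv
        f.append("Mode '%s' has no 's': OpenDKIM verifies but never signs" % od["mode"])
    if "keytable" not in od or "signingtable" not in od:
        return f + ["opendkim.conf needs both KeyTable and SigningTable"]
    keys = dict(parse_table(at(od["keytable"])))
    for pattern, name in parse_table(at(od["signingtable"])):
        if name not in keys:
            f.append("SigningTable '%s' -> unknown KeyTable name '%s'" % (pattern, name))
    for name, spec in keys.items():
        keyfile = spec.split(":")[-1]  # KeyTable value is domain:selector:keyfile
        if not os.path.isfile(at(keyfile)):
            f.append("key file %s for '%s' is missing" % (keyfile, name))
        elif os.stat(at(keyfile)).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            f.append("key file %s is group/world accessible; RequireSafeKeys rejects it" % keyfile)
    # Without an InternalHosts directive OpenDKIM treats only 127.0.0.1 as internal.
    hosts = read_lines(at(od["internalhosts"])) if "internalhosts" in od else ["127.0.0.1"]
    for lo in ("127.0.0.1", "::1"):
        if lo not in hosts:
            f.append("InternalHosts lacks %s: mail submitted over loopback is verified, not signed" % lo)
    sock = socket_endpoint(od.get("socket", ""))
    if sock is None:
        return f + ["Socket '%s' is not inet:, compare it with main.cf by hand" % od.get("socket")]
    if sock[0] == "*":
        f.append("Socket '%s' listens on every interface; bind it to localhost" % od["socket"])
    for directive, path in (("smtpd_milters", "SMTP"), ("non_smtpd_milters", "sendmail/pickup")):
        value = pf.get(directive, "")
        targets = [socket_endpoint(v) for v in re.split(r"[\s,]+", value) if v]
        if not any(t and t[1] == sock[1] and sock[0] in ("*", t[0]) for t in targets):
            f.append("%s = '%s' does not reach OpenDKIM at %s: mail via %s leaves unsigned"
                     % (directive, value, od["socket"], path))
    return f

PAGE_CONFIG = {  # constructed from the files listed on this page; the private key is a placeholder
    "/etc/opendkim.conf": "Mode sv\nSocket inet:8891@localhost\nKeyTable /etc/opendkim/key.table\n"
                          "SigningTable refile:/etc/opendkim/signing.table\nInternalHosts /etc/opendkim/trusted.hosts\n",
    "/etc/opendkim/key.table": "mail._domainkey.vindazo.nl vindazo.nl:mail:/etc/opendkim/keys/vindazo.nl/mail.private\n",
    "/etc/opendkim/signing.table": "*@vindazo.nl mail._domainkey.vindazo.nl\n",
    "/etc/opendkim/trusted.hosts": "127.0.0.1\nlocalhost\n::1\nvindazo.nl\n*.vindazo.nl\n",
    "/etc/postfix/main.cf": "smtpd_milters = inet:localhost:8891\nnon_smtpd_milters = inet:localhost:8891\n",
    "/etc/opendkim/keys/vindazo.nl/mail.private": "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n",
}

def audit_sample(overrides=None, key_mode=0o600):
    """Write PAGE_CONFIG (plus overrides) into a temp dir, chmod the key to key_mode, audit it."""
    with tempfile.TemporaryDirectory() as root:
        for path, body in {**PAGE_CONFIG, **(overrides or {})}.items():
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "etc/opendkim/keys/vindazo.nl/mail.private"), key_mode)
        return check_setup(root)

if __name__ == "__main__":  # audit the page's config, then a deliberately broken variant
    print(audit_sample() or "page config: no findings")
    print(audit_sample({"/etc/postfix/main.cf": "smtpd_milters = inet:localhost:8892\n"}, 0o644))
```

On the server itself, run check_setup("/") (as root, so the key file can be stat'ed) after each change and before restarting the services; it does not replace the external test in the next step, since it checks only local consistency and not the DNS record, but it catches the mismatches that no amount of restarting will fix.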
8. Testing DKIM Externally
Send a message to testing services such as:
test@mail-tester.com
or
check-auth@verifier.port25.com
If the configuration is correct, the message headers contain a DKIM-Signature header whose d= tag is vindazo.nl and whose s= tag is mail, and the report will confirm:
DKIM = PASS
A PASS means the signature verifies against the mail._domainkey.vindazo.nl TXT record published in DNS. For DMARC the d= domain must additionally align with the From: domain, which the *@vindazo.nl signing rule takes care of as long as mail is sent from that domain.
Additional Note
If your mail logs show errors such as:
smtp_connect_addr: bind 148.251.XX.XX: Cannot assign requested address
Postfix is trying to bind outgoing SMTP connections to an address (smtp_bind_address or smtp_bind_address6 in main.cf) that is not configured on any interface of the host. This is a separate network configuration issue: it does not affect DKIM signing, but outbound deliveries are deferred until the address is configured on the host or the setting is corrected.