The Complete DMARCReport Guide: Configuring DKIM with OpenDKIM on Your Postfix Mail Server
Email authentication is more than just a best practice — it’s essential. As email threats continue to rise, weak authentication leaves your domain vulnerable to spoofing, phishing, and reputation damage. At DMARCReport, we believe every mail server owner should feel empowered to secure their infrastructure. One of the most impactful steps you can take is configuring DKIM (DomainKeys Identified Mail) with OpenDKIM on your Postfix mail server.
This guide walks you through the process step by step — from understanding the fundamentals to verifying your configuration — so you can confidently enhance your email security posture and boost deliverability.
What Is DKIM and Why It Matters
DomainKeys Identified Mail (DKIM) is an email authentication standard that uses public-key cryptography to sign outgoing email. When an email is signed with DKIM, the receiving mail server can verify:
- The email was legitimately sent by an authorized server for your domain.
- The content of the message has not been tampered with in transit.
This verification happens using a public key published in your DNS records. DKIM plays a crucial role in reducing spam flagging and blocking spoofed messages, and it’s a key component of advanced email authentication frameworks like DMARC.
Postfix is one of the most popular mail transfer agents (MTAs) used on Linux servers. Integrating DKIM with Postfix using OpenDKIM adds a strong layer of trust that helps your mail reach inboxes more reliably.

Prerequisites: What You Need Before Starting
Before diving into configuration, ensure you have the following:
- Root access or sudo privileges on your server — necessary for installing and editing system-level packages and files.
- A running Postfix installation.
- A fully qualified domain name (FQDN) pointed to your mail server.
- OpenDKIM installed (we’ll cover this next).
If any of these are missing, address them before moving forward. Once you have the basics in place, you’re ready to begin.
Step 1: Install OpenDKIM and Tools
OpenDKIM is the open-source implementation of DKIM signing and verification. To install it on your server:
sudo yum install opendkim
(On Debian/Ubuntu, run sudo apt install opendkim opendkim-tools instead.)
This command installs both the OpenDKIM service and a set of tools useful for key generation and testing.
Step 2: Configure OpenDKIM
Now that OpenDKIM is installed, it’s time to configure it to sign outgoing mail.
a. Edit OpenDKIM’s Main Configuration
Open the configuration file:
sudo nano /etc/opendkim.conf
Make the following changes:
- Set the mode so OpenDKIM signs outgoing mail (sv enables both signing and verification):
Mode sv
Remove the comment symbol (#) from these directives:
- KeyFile
- KeyTable
- SigningTable
- ExternalIgnoreList
- InternalHosts
At the end of the file, add:
Domain yourdomain.com
RequireSafeKeys False
b. Define Your Signing Rules
- Open the signing table:
sudo nano /etc/opendkim/SigningTable
Add a line like:
*@yourdomain.com yourselector._domainkey.yourdomain.com
- This tells OpenDKIM to sign any sender from your domain using the designated selector.
- Save and close the file.

c. Map the DKIM Key to Your Domain
Open the key table:
sudo nano /etc/opendkim/KeyTable
Add:
yourselector._domainkey.yourdomain.com yourdomain.com:yourselector:/etc/opendkim/keys/yourdomain.com/yourselector.private
This maps the selector to your domain and specifies where the private key will later be stored.
d. List Trusted Hosts
Next, define the hosts trusted to send mail:
sudo nano /etc/opendkim/TrustedHosts
Add:
*.yourdomain.com
By default, the localhost addresses (127.0.0.1 and ::1) are already included.
These configuration steps tell OpenDKIM what to sign, how to sign it, and who is allowed to send mail through your system.
Step 3: Generate Your DKIM Key Pair
Your next step is to generate a DKIM private/public key pair.
- Create a directory for your keys:
sudo mkdir /etc/opendkim/keys/yourdomain.com
- Generate the keys:
sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s yourselector -v
- -b 2048 generates a secure 2048-bit key (recommended).
- -s specifies the selector name.
- Adjust permissions so OpenDKIM can read the key:
sudo chown opendkim:opendkim /etc/opendkim/keys -R
This step creates two key files: one private and one public. The private key stays on your server. The public key will be published in your DNS next.
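The lookup chain set up in Steps 2b, 2c and 3 can be checked offline before restarting anything. The following is an added example, not code from OpenDKIM or DMARCReport: it resolves a sender through the SigningTable and KeyTable and flags a key path that does not match the selector-named .private file that opendkim-genkey -s writes. The table contents are constructed from the guide's placeholders, the function names are hypothetical, and fnmatch only approximates OpenDKIM's wildcard matching.

```python
import fnmatch
import posixpath

# Constructed sample tables built from the guide's placeholder names.
SIGNING_TABLE = "*@yourdomain.com yourselector._domainkey.yourdomain.com\n"
KEY_TABLE = ("yourselector._domainkey.yourdomain.com yourdomain.com:yourselector:"
             "/etc/opendkim/keys/yourdomain.com/yourselector.private\n")


def parse_table(text):
    """Parse 'name value' lines, skipping blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1].strip()))
    return rows


def resolve(sender, signing_table, key_table):
    """Follow sender -> SigningTable -> KeyTable; report DNS name and problems."""
    key_name = None
    for pattern, name in parse_table(signing_table):
        # Assumption: fnmatch stands in for OpenDKIM's own wildcard matching.
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            key_name = name
            break
    if key_name is None:
        return {"problems": [f"no SigningTable entry matches {sender}"]}
    entry = dict(parse_table(key_table)).get(key_name)
    if entry is None or entry.count(":") < 2:
        return {"problems": [f"no usable KeyTable entry named {key_name}"]}
    domain, selector, path = entry.split(":", 2)
    problems = []
    if posixpath.basename(path) != selector + ".private":
        problems.append(f"key file is not {selector}.private, which is what "
                        f"opendkim-genkey -s {selector} writes")
    return {"dns_name": f"{selector}._domainkey.{domain}",
            "key_path": path, "problems": problems}


if __name__ == "__main__":
    print(resolve("alice@yourdomain.com", SIGNING_TABLE, KEY_TABLE))
```

The dns_name it returns is the record name that receiving servers will query, so it should match the TXT record you publish.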

Step 4: Publish Your DKIM Public Key in DNS
To enable external mail receivers to verify your DKIM signatures, you must publish your public key in a DNS TXT record.
Retrieve the public key:
sudo cat /etc/opendkim/keys/yourdomain.com/yourselector.txt
You’ll see a DNS TXT record block that looks like this:
yourselector._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq…"
Now:
- Log in to your DNS provider.
- Add a new TXT record:
- Name/Host: yourselector._domainkey
- Type: TXT
- Value: The long string after p= (the public key)
Make sure to remove any added quotes or spaces your DNS provider may insert automatically. Once published, the record can take some time to propagate through DNS.
Once complete, tools like the DMARCReport DKIM lookup check can verify your public key is correct and live.
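To catch the record problems this guide warns about (stray quotes, a truncated key, a key shorter than 2048 bits), the published TXT value can also be linted locally. This is an added example, not DMARCReport's tool: the sample record is constructed with filler bytes rather than a real key, the function names are hypothetical, and only RSA keys (k=rsa, as in this guide) are handled.

```python
import base64
import re

MIN_RSA_BITS = 2048  # minimum key size the guide recommends
# Constructed sample, not a real key: a 2048-bit RSA SubjectPublicKeyInfo
# with filler bytes as the modulus, wrapped in a DKIM key record.
SAMPLE_SPKI = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00"
                            "3082010a0282010100") + b"\xc3" * 256 + bytes.fromhex("0203010001")
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_SPKI).decode()


def read_tlv(buf, pos):
    """Read the DER element at pos; return (content_start, content_end)."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length


def rsa_bits(spki):
    """Return the modulus size in bits of a DER SubjectPublicKeyInfo RSA key."""
    start, end = read_tlv(spki, 0)                  # outer SEQUENCE
    if end != len(spki):
        raise ValueError("DER length does not match the data")
    _, alg_end = read_tlv(spki, start)              # AlgorithmIdentifier
    bits_start, _ = read_tlv(spki, alg_end)         # BIT STRING
    key_start, _ = read_tlv(spki, bits_start + 1)   # RSAPublicKey after pad byte
    mod_start, mod_end = read_tlv(spki, key_start)  # modulus INTEGER
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()


def lint_dkim_txt(value):
    """Return a list of problems found in a published DKIM key record value."""
    problems = []
    if re.search(r'["“”]', value):
        problems.append("quote characters inside the record value")
        value = re.sub(r'["“”]', "", value)
    tags = {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in value.split(";") if "=" in part)}
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    try:
        p = re.sub(r"\s+", "", tags.get("p", ""))
        bits = rsa_bits(base64.b64decode(p, validate=True))
        if bits < MIN_RSA_BITS:
            problems.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    except (ValueError, IndexError):
        problems.append("p= is missing, truncated or not valid base64")
    return problems
```

Pass it the TXT value exactly as your DNS provider returns it; an empty list means none of these problems were found.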
Step 5: Connect Postfix to OpenDKIM
With OpenDKIM configured and your keys in place, you now need to tell Postfix to use OpenDKIM to sign outgoing email.
Open the Postfix main configuration file:
sudo nano /etc/postfix/main.cf
Add the following at the end:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
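This configures Postfix to pass mail to OpenDKIM over the milter protocol. With milter_default_action = accept, Postfix still delivers mail if OpenDKIM is unreachable, so those messages go out unsigned.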
Save your changes.
Step 6: Restart Services and Test
Restart both OpenDKIM and Postfix:
sudo service opendkim restart
sudo service postfix restart
Now send a test email from your server, for instance to a Gmail or Outlook address, and inspect the message headers. You should see dkim=pass in the Authentication-Results header if everything is configured correctly.
Testing helps confirm both signing and DNS publishing have worked as intended. Tools like DMARCReport’s DKIM and DMARC test utilities can make this even easier.

Troubleshooting Common Issues
Even with careful steps, problems can happen. Here’s how to address some common pitfalls:
- No DKIM Signature in the Header: Ensure OpenDKIM is running and Postfix is using the correct milter socket. Check logs for errors related to port 8891 or misspelled configuration directives.
- DKIM Fails DNS Verification: Ensure your DNS record is correctly formatted and fully propagated. Check for accidental quotes or missing bits in the TXT record.
- Mail Still Marked as Spam: DKIM is just one piece of the puzzle. Check SPF, DMARC policies, content quality, and your sending reputation.
Every mail server setup is unique — but thorough testing and iterative fixes will help you get it right.
Best Practices for DKIM Security
To get the most out of DKIM:
- Use at least 2048-bit keys: Stronger keys provide better protection.
- Rotate keys periodically: Regularly rotating DKIM keys limits the impact of key compromise.
- Monitor your logs and reports: DMARC reports show you when DKIM passes or fails — helping you spot configuration problems early.
- Pair DKIM with SPF and DMARC: Together, these build a robust authentication framework that protects your domain and improves deliverability.
Final Thoughts
Configuring DKIM with OpenDKIM on Postfix is a powerful step toward securing your email infrastructure. It boosts deliverability, strengthens your domain’s credibility, and helps protect recipients from spoofed mail.
Though the process involves multiple components — from key generation to DNS publishing — following this structured approach from DMARCReport ensures you can tackle it confidently and accurately.
If you ever get stuck, reach out to our support team or use our tools to verify DKIM, SPF, and DMARC records. Email authentication doesn’t have to be intimidating — and with DKIM properly configured, your domain gets a meaningful shield against email threats.
