The Complete DMARCReport Guide: Configuring DKIM with OpenDKIM on Your Postfix Mail Server
Quick Answer
[Email authentication](https://dmarcreport.com/why-email-authentication-matters-and-is-necessary-to-ensure-email-security/) is more than just a best practice - it’s essential. As email threats continue to rise, weak authentication leaves your domain vulnerable to spoofing, phishing, and reputation damage. At DMARCReport, we believe every mail server owner should feel empowered to secure their infrastructure. One of the most impactful steps you can take is configuring DKIM (DomainKeys Identified Mail) with OpenDKIM on your Postfix mail server.
DMARC (RFC 7489) ties SPF and DKIM together by requiring that the domain authenticated by SPF (the envelope sender) or by DKIM (the signing domain) align with the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users.
DMARC reporting without automation is like watching security cameras without recording, says Brad Slavin, General Manager of DuoCircle. You see the threats in real time but you can’t go back and investigate. DMARC Report captures and classifies every aggregate and forensic report so your security team has a complete audit trail.
This guide walks you through the process step by step - from understanding the fundamentals to verifying your configuration - so you can confidently enhance your email security posture and boost deliverability.
What Is DKIM and Why It Matters
DomainKeys Identified Mail (DKIM) is an email authentication standard that uses public-key cryptography to sign outgoing email. When an email is signed with DKIM, the receiving mail server can verify:
- The email was legitimately sent by an authorized server for your domain.
- The content of the message has not been tampered with in transit.
This verification happens using a public key published in your DNS records. DKIM plays a crucial role in reducing spam flagging and blocking spoofed messages, and it’s a key component of advanced email authentication frameworks like DMARC.
Postfix is one of the most popular mail transfer agents (MTAs) used on Linux servers. Integrating DKIM with Postfix using OpenDKIM adds a strong layer of trust that helps your mail reach inboxes more reliably.

Prerequisites: What You Need Before Starting
Before diving into configuration, ensure you have the following:
- Root access or sudo privileges on your server - necessary for installing and editing system-level packages and files.
- A running Postfix installation.
- A fully qualified domain name (FQDN) pointed to your mail server.
- OpenDKIM installed (we’ll cover this next).
If any of these are missing, address them before moving forward. Once you have the basics in place, you’re ready to begin.
Step 1: Install OpenDKIM and Tools
OpenDKIM is the open-source implementation of DKIM signing and verification. To install it on your server:
```
sudo yum install opendkim
```
(If you’re using Debian/Ubuntu, replace the `yum` command with `apt install opendkim opendkim-tools`.) This command installs both the OpenDKIM service and a set of tools useful for key generation and testing.
Step 2: Configure OpenDKIM
Now that OpenDKIM is installed, it’s time to configure it to sign outgoing mail.
a. Edit OpenDKIM’s Main Configuration
Open the configuration file:
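```
sudo nano /etc/opendkim.conf
```
Make the following changes:
Set the mode so that OpenDKIM signs outgoing mail (`sv` enables both signing and verification):
```
Mode sv
```
Remove the comment symbol (#) from these directives:
- KeyFile
- KeyTable
- SigningTable
- ExternalIgnoreList
- InternalHosts
At the end of the file, add:
```
Domain yourdomain.com
RequireSafeKeys False
```
Note that `RequireSafeKeys False` turns off OpenDKIM’s refusal to load a private key whose file permissions are unsafe, so with this setting the ownership and mode you give the key file in Step 3 are the only protection for the key.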
b. Define Your Signing Rules
Open the signing table:
```
sudo nano /etc/opendkim/SigningTable
```
Add a line like:
```
*@yourdomain.com yourselector._domainkey.yourdomain.com
```
This tells OpenDKIM to sign mail from any sender at your domain using the designated selector.
Save and close the file.
c. Map the DKIM Key to Your Domain
Open the key table:
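```
sudo nano /etc/opendkim/KeyTable
```
Add:
```
yourselector._domainkey.yourdomain.com yourdomain.com:yourselector:/etc/opendkim/keys/yourdomain.com/yourselector.private
```
This maps the selector to your domain and specifies where the private key will later be stored. The key file is named after the selector because `opendkim-genkey -s yourselector` in Step 3 writes `yourselector.private`.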
d. List Trusted Hosts
Next, define the hosts trusted to send mail:
```
sudo nano /etc/opendkim/TrustedHosts
```
Add:
```
*.yourdomain.com
```
By default, localhost (127.0.0.1 and ::1) is already included.
These configuration steps tell OpenDKIM what to sign, how to sign it, and who is allowed to send mail through your system.
Step 3: Generate Your DKIM Key Pair
Your next step is to generate a DKIM private/public key pair.
Create a directory for your keys:
```
sudo mkdir /etc/opendkim/keys/yourdomain.com
```
Generate the keys:
```
sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s yourselector -v
```
- `-b 2048` generates a secure 2048-bit key (recommended).
- `-s` specifies the selector name.
Adjust permissions so OpenDKIM can read the key:
```
sudo chown opendkim:opendkim /etc/opendkim/keys -R
```
This step creates two key files, both named after the selector: one private (`yourselector.private`) and one public (`yourselector.txt`). The private key stays on your server. The public key will be published in your DNS next.
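The SigningTable, the KeyTable and the `opendkim-genkey` command have to agree on the key name, selector and key file. As an added example (not part of the original guide or of OpenDKIM), this Python script cross-checks the two tables and reports the DNS name where receivers will look for the public key; the function names are hypothetical and the table contents are constructed samples.

```python
import os

# Constructed sample tables in the format used in Step 2 (not real data).
SIGNING_TABLE = "*@yourdomain.com yourselector._domainkey.yourdomain.com\n"
KEY_TABLE = ("yourselector._domainkey.yourdomain.com "
             "yourdomain.com:yourselector:"
             "/etc/opendkim/keys/yourdomain.com/yourselector.private\n")

def parse_table(text):
    """Parse 'name<whitespace>value' lines, skipping blanks and # comments."""
    rows = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            rows[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return rows

def check_tables(signing_table, key_table):
    """Return (dns_names, problems) for the given table contents."""
    keys, dns_names, problems = parse_table(key_table), [], []
    for pattern, key_name in parse_table(signing_table).items():
        fields = keys.get(key_name, "").split(":", 2)
        if key_name not in keys:
            problems.append(f"{pattern}: {key_name!r} is not defined in KeyTable")
        elif len(fields) != 3 or not all(fields):
            problems.append(f"{key_name}: expected domain:selector:keyfile")
        else:
            domain, selector, path = fields
            # Receivers look the public key up at <selector>._domainkey.<domain>.
            dns_names.append(f"{selector}._domainkey.{domain}")
            # opendkim-genkey -s <selector> writes <selector>.private
            if os.path.basename(path) != selector + ".private":
                problems.append(f"{path}: genkey output would be {selector}.private")
            # The private key must not be accessible to group or others.
            if os.path.exists(path) and os.stat(path).st_mode & 0o077:
                problems.append(f"{path}: mode is too permissive, use 0600")
    return dns_names, problems

if __name__ == "__main__":
    names, issues = check_tables(SIGNING_TABLE, KEY_TABLE)
    print("publish TXT at:", names)
    print("problems:", issues or "none")
```

Run it on the mail server with the real file contents passed in, so that the permission check can see the key file.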
Step 4: Publish Your DKIM Public Key in DNS
To enable external mail receivers to verify your DKIM signatures, you must publish your public key in a DNS TXT record.
Retrieve the public key:
```
sudo cat /etc/opendkim/keys/yourdomain.com/yourselector.txt
```
You’ll see a DNS TXT record block that looks like this:
```
yourselector._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq…"
```
Now:
- Log in to your DNS provider.
- Add a new TXT record:
  - Type: TXT
  - Value: The long string after p= (the public key)
Make sure to remove any added quotes or spaces your DNS provider may insert automatically. Once published, it can take some time for DNS propagation to finish.
Once complete, tools like the DMARCReport DKIM lookup check can verify your public key is correct and live.
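The formatting problems mentioned above (added quotes, a key that lost part of its data) can be caught before the record is published. The following Python script is an added example, not part of the original guide or of OpenDKIM; the function names are hypothetical and the sample record carries a constructed placeholder instead of a real key.

```python
import base64
import re

# Constructed placeholder, NOT a usable key: a DER header that declares
# 290 bytes, then 290 zero bytes (294 bytes, like a typical RSA-2048 key).
PLACEHOLDER_B64 = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
# Constructed record in the multi-string layout that opendkim-genkey prints.
SAMPLE = ('yourselector._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
          f'\t  "p={PLACEHOLDER_B64[:200]}"\n'
          f'\t  "{PLACEHOLDER_B64[200:]}" )  ; ----- DKIM key\n')

def der_length_ok(der):
    """True if the outer DER SEQUENCE declares exactly the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def lint_dkim_txt(raw):
    """Return (value_to_publish, problems) for a DKIM TXT record."""
    raw = re.sub("[\u201c\u201d]", '"', raw)   # curly quotes -> straight quotes
    chunks = re.findall(r'"([^"]*)"', raw)     # zone-file strings, if any
    value = "".join(chunks) if chunks else raw.strip()
    tags = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if not tags.get("p"):
        problems.append("p= is missing or empty (an empty p= revokes the key)")
        return value, problems
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        problems.append("p= is not valid base64 (stray characters or cut off)")
        return value, problems
    if tags.get("k", "rsa") == "rsa" and not der_length_ok(der):
        problems.append("p= decodes, but the key data is truncated or padded")
    return value, problems

if __name__ == "__main__":
    print(lint_dkim_txt(SAMPLE))
```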
Step 5: Connect Postfix to OpenDKIM
With OpenDKIM configured and your keys in place, you now need to tell Postfix to use OpenDKIM to sign outgoing email.
Open the Postfix main configuration file:
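```
sudo nano /etc/postfix/main.cf
```
Add the following at the end:
```
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
```
This configures Postfix to send email through OpenDKIM via the milter protocol. Because `milter_default_action` is `accept`, Postfix still delivers mail, unsigned, whenever it cannot reach OpenDKIM on port 8891.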
Save your changes.
Step 6: Restart Services and Test
Restart both OpenDKIM and Postfix:
```
sudo service opendkim restart
sudo service postfix restart
```
Now send a test email from your server - for instance, to a Gmail or Outlook address - and inspect the message headers. You should see DKIM=pass if everything is configured correctly. Testing helps confirm both signing and DNS publishing have worked as intended. Tools like DMARCReport’s DKIM and DMARC test utilities can make this even easier.
How Do You Troubleshoot Common Issues?
Even with careful steps, problems can happen. Here’s how to address some common pitfalls:
- **No DKIM Signature in the Header:** Ensure OpenDKIM is running and Postfix is using the correct milter socket. Check logs for errors related to port 8891 or misspelled configuration directives.
- **DKIM Fails DNS Verification:** Ensure your DNS record is correctly formatted and fully propagated. Check for accidental quotes or missing bits in the TXT record.
- **Mail Still Marked as Spam:** DKIM is just one piece of the puzzle. Check SPF, DMARC policies, content quality, and your sending reputation.
Every mail server setup is unique - but thorough testing and iterative fixes will help you get it right.
What Are Best Practices for DKIM Security?
To get the most out of DKIM:
- **Use at least 2048-bit keys:** Stronger keys provide better protection.
- **Rotate keys periodically:** Regularly rotating DKIM keys limits the impact of key compromise.
- **Monitor your logs and reports:** DMARC reports show you when DKIM passes or fails - helping you spot configuration problems early.
- **Pair DKIM with SPF and DMARC:** Together, these build a robust authentication framework that protects your domain and improves deliverability.
Final Thoughts
Configuring DKIM with OpenDKIM on Postfix is a powerful step toward securing your email infrastructure. It boosts deliverability, strengthens your domain’s credibility, and helps protect recipients from spoofed mail. Though the process involves multiple components - from key generation to DNS publishing - following this structured approach from DMARCReport ensures you can tackle it confidently and accurately.
If you ever get stuck, reach out to our support team or use our tools to verify DKIM, SPF, and DMARC records. Email authentication doesn’t have to be intimidating - and with DKIM properly configured, your domain gets a meaningful shield against email threats.
Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.