I have been looking at enabling DomainKeys Identified Mail (DKIM) using opendkim and have discovered a lot of very good howtos just by Googling.
But I just thought I would list a configuration mistake I made.
When you create a domain key using the opendkim-genkey command, it places the private key in the current directory or in the directory you specify with the --directory option.
I chose to create a directory structure under /etc/opendkim/keys/ so the private key for each domain was held in a folder with the same name as the domain (this means you can have multiple default.private files without them colliding).
So I did:
mkdir /etc/opendkim/keys/example.com
opendkim-genkey --selector=mail --domain=example.com --directory=/etc/opendkim/keys/example.com

# opendkim-genkey options
opendkim-genkey: usage: opendkim-genkey [options]
    --append-domain        include domain name in zone file stub
    --bits=n               use n bits to generate the key
    --directory=path       leave output in the named directory
    --domain=name          generate data for the named domain [example.com]
    --hash-algorithms=list limit to use of the named algorithm(s)
    --help                 print help and exit
    --note=string          include specified note in zone data
    --restrict             restrict key to email use only
    --selector=name        selector name [default]
    --subdomains           allow signing of subdomains
    --testmode             indicate key is in test mode
    --verbose              increased output
    --version              print version and exit
This writes a file named mail.private into /etc/opendkim/keys/example.com/ and another named mail.txt, which contains the zone record to add to the DNS of the email domain you are enabling DKIM for.
My problem started when I kept getting dkim=fail because the signature was wrong.
I traced this to an incorrect private key being used to sign the outgoing email. Basically, my CentOS version of opendkim creates a default.private key at /etc/opendkim/keys/default.private, and if you don't edit your KeyTable file properly your domain is signed with the default key instead of the one you generated and placed in /etc/opendkim/keys/example.com/mail.private. The signature goes out fine, but the receiving side verifies it against the public key published in DNS for mail._domainkey.example.com, which belongs to a different key pair, so verification fails.
# incorrect entry picks up
# wrong key
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/default.private

# correct entry has the correct private key
# listed in the /etc/opendkim/KeyTable file
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
After I made the above change and restarted opendkim, I then got the correct dkim=pass status at the destination mailbox on mail I sent.
I of course didn't pick this up until I had been around the world a few times. I thought that I had a header being changed downstream of where opendkim was signing the message, but no, I didn't.
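The mistake above is easy to make and easy to check for before sending any mail. The following script is an added example, not part of the original post or of the opendkim project: it parses KeyTable lines in the format used above (name domain:selector:/path/to/key) and flags entries whose key file is missing, does not live under a per-domain directory (the layout this post uses, so a bare keys/default.private path stands out), or is shared by more than one domain. The key tree it checks is a constructed stand-in staged in a temporary directory; the root argument lets you point it at the real /etc tree instead.

```python
"""Sanity-check an OpenDKIM KeyTable against the private key files on disk.

Added example (constructed): stages a small copy of the /etc/opendkim/keys
layout from the post in a temporary directory, then runs the checks against
the "wrong" and the "fixed" KeyTable entries.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class KeyEntry:
    name: str      # first column, the key name that the SigningTable refers to
    domain: str
    selector: str
    path: str      # private key file (domain:selector:path in the second column)


def parse_keytable(text):
    """Parse KeyTable lines of the form 'name domain:selector:/path/to/key'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, spec = line.split(None, 1)
        domain, selector, path = spec.strip().split(":", 2)
        entries.append(KeyEntry(name, domain, selector, path))
    return entries


def check_keytable(text, root="/"):
    """Return (key name, problem, path) tuples for suspicious KeyTable entries.

    root is prefixed to every key path so the check can run against a staged
    copy of the key tree instead of the live /etc/opendkim/keys.
    """
    findings = []
    owner = {}   # key path -> first domain that claimed it
    for e in parse_keytable(text):
        on_disk = os.path.join(root, e.path.lstrip("/"))
        if not os.path.isfile(on_disk):
            findings.append((e.name, "key file missing", e.path))
        # The post keeps each domain's key under keys/<domain>/; a path with no
        # <domain> component is most likely the distribution's default.private.
        if e.domain not in e.path.split("/"):
            findings.append((e.name, "key not under a per-domain directory", e.path))
        if owner.setdefault(e.path, e.domain) != e.domain:
            findings.append((e.name, "key file shared with " + owner[e.path], e.path))
    return findings


# Constructed KeyTable contents mirroring the wrong and corrected entries above.
WRONG_KEYTABLE = """\
# picks up the distribution's default key, not the one generated for the domain
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/default.private
"""

FIXED_KEYTABLE = """\
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
"""


def stage_key_tree(root):
    """Create placeholder key files mirroring the post's directory layout."""
    for rel in ("etc/opendkim/keys/default.private",
                "etc/opendkim/keys/example.com/mail.private"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\n(placeholder, not a real key)\n"
                     "-----END RSA PRIVATE KEY-----\n")


def demo():
    """Check both tables against the staged tree; returns (wrong, fixed) findings."""
    with tempfile.TemporaryDirectory() as root:
        stage_key_tree(root)
        return check_keytable(WRONG_KEYTABLE, root), check_keytable(FIXED_KEYTABLE, root)


if __name__ == "__main__":
    wrong, fixed = demo()
    for finding in wrong:
        print("WRONG KeyTable:", *finding)
    print("FIXED KeyTable:", fixed or "no findings")
```

Against the live system you would call check_keytable(open("/etc/opendkim/KeyTable").read()) with the default root of /. The per-domain-directory check is a convention of this post's layout, not an opendkim rule, so treat that finding as a prompt to look rather than a hard error; a missing or shared key file is always worth fixing before mail goes out signed with the wrong key.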