Written by James McDonald

September 1, 2014

I have been looking at enabling DomainKeys Identified Mail (DKIM) using opendkim and have found a lot of very good how-tos just by Googling.

But I just thought I would list a configuration mistake I made.

When you create a domain key with the opendkim-genkey command, it places the private key in the current directory, or in the directory you specify with the --directory option.

I chose to create a directory structure under /etc/opendkim/keys/ so that the private key for each domain is held in a folder with the same name as the domain (this means you can have multiple default.private files).

So I did:

mkdir /etc/opendkim/keys/example.com

opendkim-genkey --selector=mail --domain=example.com --directory=/etc/opendkim/keys/example.com

# opendkim-genkey options (usage output)
opendkim-genkey: usage: opendkim-genkey [options]
        --append-domain        include domain name in zone file stub
        --bits=n               use n bits to generate the key
        --directory=path       leave output in the named directory
        --domain=name          generate data for the named domain [example.com]
        --hash-algorithms=list limit to use of the named algorithm(s)
        --help                 print help and exit
        --note=string          include specified note in zone data
        --restrict             restrict key to email use only
        --selector=name        selector name [default]
        --subdomains           allow signing of subdomains
        --testmode             indicate key is in test mode
        --verbose              increased output
        --version              print version and exit

This writes a file named mail.private into /etc/opendkim/keys/example.com/, and another named mail.txt, which contains the zone record (a TXT record) to add to the DNS of the email domain you are enabling DKIM for.

My problem started when I kept getting dkim=fail because the signature was wrong.

I traced this to the wrong private key being used to sign the outgoing email. My CentOS version of opendkim creates a default key at /etc/opendkim/keys/default.private, and if you don't edit your KeyTable file properly, mail for your domain is signed with that default key instead of the one you generated and placed in /etc/opendkim/keys/example.com/mail.private. Because the public key you publish in DNS comes from mail.txt, a signature made with default.private cannot verify against it, hence dkim=fail.

# incorrect entry: picks up the wrong key
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/default.private

# correct entry in /etc/opendkim/KeyTable: lists the private key
# generated for the domain
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

After I made the above change and restarted opendkim, mail I sent got the correct dkim=pass status at the destination mailbox.
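The mistake above is easy to catch before mail goes out. The following is an added example, not from the original post: a small lint for an OpenDKIM KeyTable that flags entries still pointing at the shared default.private and key names that do not follow the selector._domainkey.domain convention. It assumes the line format used in the post's own entries; the sample KeyTable is constructed.

```python
"""Lint an OpenDKIM KeyTable for the mistake described above: an entry whose
private-key path still points at the shared default.private instead of the key
generated for that domain. Lines are assumed to have the form used in the post:
<selector>._domainkey.<domain> <domain>:<selector>:<private-key-path>"""
import os
import re

# Constructed sample KeyTable: the post's wrong entry, its corrected entry,
# and a third entry whose key name does not match its selector.
SAMPLE_KEYTABLE = """\
# incorrect entry picks up the wrong key
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/default.private
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
mail._domainkey.example.org example.org:dkim:/etc/opendkim/keys/example.org/mail.private
"""

KEY_RE = re.compile(r"^(\S+)\s+([^:\s]+):([^:\s]+):(\S+)$")

def parse_keytable(text):
    """Return (name, domain, selector, path) tuples, skipping blanks and comments;
    a line that does not parse comes back as ("<unparseable>", "", "", raw_line)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        entries.append(m.groups() if m else ("<unparseable>", "", "", line))
    return entries

def lint_keytable(text, keys_root="/etc/opendkim/keys"):
    """Return (name, problem) pairs for entries likely to sign with the wrong key."""
    problems = []
    for name, domain, selector, path in parse_keytable(text):
        if name == "<unparseable>":
            problems.append((name, "cannot parse line: " + path))
            continue
        # By convention the key name is <selector>._domainkey.<domain>;
        # a mismatch usually means a selector or domain typo.
        expected = f"{selector}._domainkey.{domain}"
        if name != expected:
            problems.append((name, f"key name should be {expected}"))
        # The post's bug: a per-domain entry still pointing at the shared key
        if path == os.path.join(keys_root, "default.private"):
            problems.append((name, f"signs with shared key {path}, not a key under {keys_root}/{domain}/"))
    return problems

if __name__ == "__main__":
    for name, problem in lint_keytable(SAMPLE_KEYTABLE):
        print(f"{name}: {problem}")
```

Run it against your real file with `lint_keytable(open("/etc/opendkim/KeyTable").read())`; an empty list means no entry points at the shared default key.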

I of course didn't pick this up until I had been around the world a few times. I thought that I had a header being changed downstream of where opendkim was signing the message, but no, I didn't.
