Setting up DKIM

This is just some quick hints and links for Google to pick over as a result of my work today setting up DKIM signing on our server. Some background: we run a hosted Ubuntu server at Bytemark which acts as a relay for us as well as a list server for a variety of purposes and bulk mailer software for various not-for-profits. We use postfix as our MTA and AMaViS (with SpamAssassin/ClavAV et al for spam/virus filtering) along with fail2ban to reduce the amount of connections from dodgy IP addresses.

As a result we send out quite a lot of email from our IP address of which the majority is bulk email. This means ISPs' mail filters tend to regard us with suspicion. Historically we have countered this by setting up SPF records for the important domains and that helps but lately we've been having reports of Google failing to deliver email or filtering it into people's spam folders. Google recommend DKIM signing as a way to combat this so today I gave it a try.

Initially I followed this howto. It's written for Centos but the only real difference is that the program opendkim-genkey is in a separate package so you need to install opendkim and opendkim-tools.

I think his key directory structure is a bit OTT to be honest: I gave all my key filenames unique names of the form <domain>.pem and stored them all in /etc/opendkim/keys

As Bytemark's DNS uses Tinydns you can't use the .txt straight out of opendkim-genkey. Instead you have to add a TXT record which looks like this:

    'dkim._domainkey.<your_domain>:v=DKIM1;k=rsa;p=<your_public key_here>:301

(I've set a very short TTL, you might want to make it longer.)

I'm running AMaViS I also had to add no_milters to the second -o receive_override_options settings in /etc/postfix/master.cf (if you don't do this it double signs your emails).

You need to edit /etc/defaults/opendkim to add a line like this:

    SOCKET="inet:8891@localhost"

The opendkim readme then pointed me in the direction of how to add SigningTable and KeyTable correctly to /etc/opendkim.conf and also how to handle mailing lists (you need to re-sign mail even if it's previously DKIM signed by the original poster as your list software will have modified the message). It's easy to solve, simple add this to /etc/opendkim.conf

    SenderHeaders Sender,From

Then it signs on Sender too if that matches, and as you've set it to sign for your domain (the-hug.net in our case) the mail is then DKIM signed.

The final part was getting it to DKIM sign for mail originating from here as we relay through our hosted server (and I didn't want to have to set up more than one instance of opendkim). This turned out to be trickier than I thought. This howto pointed me to adding a TrustedHosts file and using that for ExternalIgnoreList and, more importantly, InternalHosts but it didn't work.

It turned out that although both that page and the documentation claim you can list hosts by domain name in the file it doesn't seem to work, instead you have to use dotted quad. So my file now contains 127.0.0.1 and the current IP address of home.the-hug.net and, as that's (vaguely) dynamic IP the script which copes with changes to that IP address now updates the file and then restarts opendkim.

So that's about it. This is a very brief overview and I'm leaving you to do the reading. But at least it points you to documents which worked for me, which should get you there a little faster (it took me most of the day today).