Knowledgebase


Use Code KBALL501M

50% OFF First Month!

on selected monthly services


Using OpenDKIM (Domain Keys)
Posted by on 28 June 2012 08:24 AM

Applicable Plans - All Cloud Hosting Plans

Using OpenDKIM (Domain Keys)

Overview

OpenDKIM is the replacement for the dkim-milter and domainkeys-milter projects, which are no longer under active development. More information about OpenDKIM can be found here - http://www.opendkim.org/

With OpenDKIM, you associate a domain name with an e-mail message. Each e-mail from a domain using OpenDKIM will have a DKIM-Signature in the header, and the receiver will compare that to a public key that is published in the DNS record for the domain. This is used to verify that the e-mail message actually came from the domain where it claims to have originated from. E-mail service providers such as Yahoo! and Gmail all use DKIM signatures for their e-mails.

Using OpenDKIM will not guarantee that your sent mail will not be directed to the recipient's spam or bulk mail folder. However, it will greatly increase the likelihood that it does not.

If your e-mail still triggers the spam or fraud filters at the recipient's ISP or mail provider, then your e-mail will still end up discarded or sent to the Spam/Bulk folder. If this is happening, you will need to work directly with the recipient's ISP or mail provider to find out what is causing your e-mails to be marked as spam. eApps is generally not able to help with this issue.

OpenDKIM and Control Panel Information - Read Before You Start!

Which method you use to install OpenDKIM will depend on which version of ISPmanager you have installed. Please make sure you are working with the correct set of instructions.

How to determine which version of ISPmanager you are using can be found here - ISPmanager versions

NOTE - this user guide assumes that you have already added an e-mail domain and e-mail users to your Virtual Server, and that you are able to send and receive e-mail on the VS with no issues. More information on configuring e-mail can be found here:

Installing and Configuring OpenDKIM on ISPmanager 4
    Installing OpenDKIM on ISPmanager 4
    Configuring OpenDKIM on ISPmanager 4
    Edit Sendmail to recognize OpenDKIM
    Start OpenDKIM and set it to start at system boot

Installing and Configuring OpenDKIM on ISPmanager 5
    Installing OpenDKIM on ISPmanager 5
    Configuring OpenDKIM on ISPmanager 5

OpenDKIM DNS configuration
    OpenDKIM public key file
    Creating the OpenDKIM DNS record

Testing OpenDKIM
    Using an auto-responder
    Testing with Gmail

Using multiple domains with OpenDKIM
    Configuring multiple domains using ISPmanager 4
    Configuring multiple domains using ISPmanager 5


Installing and Configuring OpenDKIM on ISPmanager 4

Installing OpenDKIM on ISPmanager 4

With ISPmanager 4, OpenDKIM is installed from the Control Panel, but the configuration is done from the command line of the Virtual Server.

  • For ISPmanager 4, go to Server Settings > Applications. Install OpenDKIM. More information on installing applications can be found here - Installing Server Applications.

Configuring OpenDKIM on ISPmanager 4

For ISPmanager 4, configuring OpenDKIM is done completely from the command line of the Virtual Server, as the root user. You will need to be able to log in to the VS using SSH, navigate the Linux file system, run commands, and edit files using a text editor (vim is available by default).

If you wish to have OpenDKIM installed, but do not have the command line skills required, please contact eApps Sales to discuss having this done for you as billable work.

To configure OpenDKIM, you will need to create a directory where the private key for the domain will be kept, and then generate the public and private OpenDKIM keys. Once that is done, you will need to edit the OpenDKIM configuration files.

Once you have set up OpenDKIM, you will then need to edit the Sendmail configuration files, so that the mail server knows to use OpenDKIM. Then you will need to restart OpenDKIM and sendmail, and then set OpenDKIM to start at system boot.


When you configure OpenDKIM, you will need to use the domain name that you will be sending e-mail from - the part after the @ in the e-mail address. This user guide uses eapps-example.com as the domain name for OpenDKIM, you will need to substitute your own domain name.

Create the OpenDKIM key directory and OpenDKIM keys

Change directories to /etc/opendkim and make the directory with the mkdir /etc/opendkim/keys/eapps-example.com command. Remember to substitute your domain name for eapps-example.com.

[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example opendkim]# mkdir /etc/opendkim/keys/eapps-example.com

Once you have created the directory for the keys, generate the public and private keys. Use the following command, paying attention to the letter case in the switches: there is both a capital D and a lowercase d, in that order. Also remember to substitute your own domain name for eapps-example.com

The command should be all on one line:

/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/eapps-example.com/ -d eapps-example.com -s default

[root@eapps-example opendkim]# /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/eapps-example.com/ -d eapps-example.com -s default

Now you need to change the owner and group of the newly created directory from root to opendkim, and change the name of the private key to to match what you will be using later in the OpenDKIM configuration file.

Change the owner and group with the chown -R command. The -R switch changes the owner and group recursively, meaning all files and directories under the parent directory will be changed also. Then use the mv command to rename the private key file from default.private to default.

The mv command should be all on one line:

mv /etc/opendkim/keys/eapps-example.com/default.private /etc/opendkim/keys/eapps-example.com/default

[root@eapps-example opendkim]# chown -R opendkim:opendkim /etc/opendkim/keys/eapps-example.com/
[root@eapps-example opendkim]# mv /etc/opendkim/keys/eapps-example.com/default.private /etc/opendkim/keys/eapps-example.com/default

Editing the OpenDKIM configuration files

OpenDKIM has four configuration files that have to be edited:

  1. /etc/opendkim.conf - this is the main configuration file
  2. /etc/opendkim/KeyTable - this lists the keys that are available to sign e-mails
  3. /etc/opendkim/SigningTable - this lists the domains and e-mail accounts allowed to sign e-mails
  4. /etc/opendkim/TrustedHosts - this lists the servers that are trusted for signing or verifying

opendkim.conf

The first file to edit is /etc/opendkim.conf. Before editing the file, make a backup so that you can revert to the default state if needed. After you have copied the file, open it in a text editor.

[root@eapps-example ~]# cd /etc/
[root@eapps-example etc]# cp opendkim.conf{,.bck}
[root@eapps-example etc]# vim opendkim.conf

Edit the file so that it looks like this. The line numbers are shown for illustration purposes only, see below for a list of what lines have to be changed, referenced by line number.

  1 ## BASIC OPENDKIM CONFIGURATION FILE
  2 ## See opendkim.conf(5) or /usr/share/doc/opendkim-2.4.2/opendkim.conf.sample for more
  3
  4 ## BEFORE running OpenDKIM you must:
  5
  6 ## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
  7 ## - generate keys for your domain (if signing)
  8 ## - edit your DNS records to publish your public keys (if signing)
  9
 10 ## See /usr/share/doc/opendkim-2.4.2/INSTALL for detailed instructions.
 11
 12 ## CONFIGURATION OPTIONS
 13
 14 # Specifies the path to the process ID file.
 15 PidFile /var/run/opendkim/opendkim.pid
 16
 17 # Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
 18 Mode    sv
 19
 20 # Log activity to the system log.
 21 Syslog  yes
 22
 23 # Log additional entries indicating successful signing or verification of messages.
 24 SyslogSuccess   yes
 25
 26 # If logging is enabled, include detailed logging about why or why not a message was
 27 # signed or verified. This causes an increase in the amount of log data generated
 28 # for each message, so set this to No (or comment it out) if it gets too noisy.
 29 # LogWhy        yes
 30
 31 # Attempt to become the specified user before starting operations.
 32 UserID  opendkim:opendkim
 33
 34 # Create a socket through which your MTA can communicate.
 35 Socket  inet:8891@localhost
 36
 37 # Required to use local socket with MTAs that access the socket as a non-
 38 # privileged user (e.g. Postfix)
 39 Umask   002
 40
 41 # This specifies a text file in which to store DKIM transaction statistics.
 42 #Statistics     /var/spool/opendkim/stats.dat
 43
 44 ## SIGNING OPTIONS
 45
 46 # Selects the canonicalization method(s) to be used when signing messages.
 47 Canonicalization        relaxed/simple
 48
 49 # Domain(s) whose mail should be signed by this filter. Mail from other domains will
 50 # be verified rather than being signed. Uncomment and use your domain name.
 51 # This parameter is not required if a SigningTable is in use.
 52 #Domain example.com
 53
 54 # Defines the name of the selector to be used when signing messages.
 55 Selector        default
 56
 57 # Gives the location of a private key to be used for signing ALL messages.
 58 # KeyFile       /etc/opendkim/keys/default.private
 59
 60 # Gives the location of a file mapping key names to signing keys. In simple terms,
 61 # this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
 62 # setting in the configuration file.
 63 KeyTable        refile:/etc/opendkim/KeyTable
 64
 65 # Defines a table used to select one or more signatures to apply to a message based
 66 # on the address found in the From: header field. In simple terms, this tells
 67 # OpenDKIM how to use your keys. 
 68 SigningTable    refile:/etc/opendkim/SigningTable
 69
 70 # Identifies a set of "external" hosts that may send mail through the server as one
 71 # of the signing domains without credentials as such.
 72 ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
 73
 74 # Identifies a set internal hosts whose mail should be signed rather than verified.
 75 InternalHosts   refile:/etc/opendkim/TrustedHosts

In the file you will need to change the following lines:

Line 18 - change from v to sv
Line 29 - comment this line out. If you need additional log output for troubleshooting, you can uncomment it again.
Line 58 - comment this line out
Line 63 - uncomment this line, add the refile: keyword
Line 68 - uncomment this line, add the refile: keyword
Line 72 - uncomment this line
Line 75 - uncomment this line

Once you have made your changes, save and exit the file.

KeyTable

The next file to edit is the KeyTable, located at /etc/opendkim/KeyTable. The KeyTable tells OpenDKIM where to find the keys for the e-mail domain you are going to be signing messages for.

Change directories to /etc/opendkim, and then open the KeyTable file in a text editor.

[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example opendkim]# vim KeyTable

In the KeyTable file, copy the existing line, and then uncomment that new line. You will need to substitute your domain name for example.com in two locations, add the directory for your keys, and change default.private to default. The line below shows what needs to be done, using the eapps-example.com domain.

default._domainkey.eapps-example.com eapps-example.com:default:/etc/opendkim/keys/eapps-example.com/default

Remember that this has to be on one line. If this is split into two lines, OpenDKIM will not work.

(the text size has been reduced so that the example stays on one line - this is very important)

# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.eapps-example.com eapps-example.com:default:/etc/opendkim/keys/eapps-example.com/default

Once you have made your changes, save and exit the file.

SigningTable

The SigningTable tells OpenDKIM which users can sign their e-mails with the key. You can use a wildcard to allow all users from a specific domain to sign, or you can specify individual users.

The SigningTable is in the same directory as the KeyTable (/etc/opendkim). Open the file in a text editor (this example uses vim, nano is also available).

To allow all users from a specific domain to be able to use OpenDKIM to sign their e-mails, copy line 5, uncomment your new line, and substitute your domain for example.com.

#*@example.com default..example.com
*@eapps-example.com default..eapps-example.com

To allow only a specific user from a domain to sign their e-mails, copy the default wildcard line (line 5), uncomment your new line, and change it to look like this:

#*@example.com default._domainkey.example.com
user@eapps-example.com default._domainkey.eapps-example.com

You have two choices - either everyone who sends e-mail from the domain will have their e-mails signed, or only specific users will. If everyone will have their e-mails signed, then use the first example, otherwise use the second example, and list each user in the file, one user per line.

Once you have made your changes, save and exit the file.

TrustedHosts

The TrustedHosts table tells OpenDKIM which hosts can use the keys. The hosts in this file will be ignored when verifying incoming e-mail, but the outgoing e-mail for these hosts will be signed (as per the configuration of the SigningTable).

Enter each host, one per line. You can use the IP address, the hostname, an IPv4 address with CIDR, an IPv6 address, or any combination of those values. Generally, you will want to use the correct DNS name for each host that is being signed.

The TrustedHosts file is in the same directory as the KeyTable and the SigningTable (/etc/opendkim).

This example uses the domain of eapps-example.com, and also the hostname of the Virtual Server itself, which is example.eapps-example.com, as well as the IP address for the Virtual Server. Please substitute your domain name accordingly.

The line for 127.0.0.1 MUST BE THE FIRST UNCOMMENTED LINE IN THE FILE. Otherwise, no outgoing e-mail from the VS will be signed.

# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
eapps-example.com
example.eapps-example.com
68.169.60.79

Once you have made your changes, save and exit the file.

Edit Sendmail to recognize OpenDKIM

The Sendmail mail server that is used by the Virtual Server has to be told to use OpenDKIM. To do this, you will need to edit the sendmail.mc macro file, and then use that to rebuild the sendmail.cf configuration file.

Change directories to /etc/mail, and make a backup of the existing Sendmail configuration files first, so that you can put them back in place if needed. Do not skip this step - make backups of the files before continuing.

[root@eapps-example ~]# cd /etc/mail
[root@eapps-example mail]# cp sendmail.mc{,.orig}
[root@eapps-example mail]# cp sendmail.cf{,.orig}

Open the sendmail.mc file in a text editor.

Do not, under any circumstances, edit the sendmail.cf file directly. Only edit the sendmail.mc file, which will be used to rebuild the sendmail.cf file.

In the sendmail.mc file, add this line to the very bottom of the file, so that it is the last line:

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

Note the location of the backticks and single quotes in the line.

When you edit the sendmail.mc file, go to the end of the file, and add the opendkim line.

~
~
~
define(`confCACERT_PATH', `/etc/mail/ssl/certs/CA')dnl
FEATURE(`delay_checks')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
INPUT_MAIL_FILTER(`spfmilter', `S=unix:/var/run/spfmilter/spfmilter.sock, T=S:8m;R:8m')dnl
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

Once you have added the line, save and exit the file.

Rebuild and restart sendmail

After editing sendmail.mc, you will need to rebuild the sendmail configuration file (sendmail.cf), and restart sendmail.

To rebuild sendmail.cf, use the following command:

m4 sendmail.mc > sendmail.cf

This calls the m4 macro language processor, and uses the values in sendmail.mc to rewrite the configuration of sendmail.cf.

After rebuilding the sendmail configuration, you will need to restart sendmail.

For CentOS 6, use the service sendmail restart command:

[root@eapps-example mail]# m4 sendmail.mc > sendmail.cf
[root@eapps-example mail]# service sendmail restart

If you get an error restarting sendmail, pay close attention to the error message, which will often (but not always) tell you what is causing the error. Put the copies of the original sendmail.mc and sendmail.cf files back into place, and restart sendmail again so you can go back and edit the file. If you need further assistance, contact eApps Support.

Start OpenDKIM and set it to start at system boot

Once all the OpenDKIM configuration is done, change directories back to /etc/opendkim, and start the service. Once it is started, you will need to set it to start at system boot.

For CentOS 6, use the service opendkim start command and the chkconfig opendkim on commands:

[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example ~]# service opendkim start
[root@eapps-example ~]# chkconfig opendkim on

The first time you start OpenDKIM, you should see messages about generating default keys for the domain, and then the message that the service started successfully. The default keys that are generated are not the keys that will be used by OpenDKIM, the keys that you generate manually will be the ones that are used.

At this point, the OpenDKIM configuration on the Virtual Server is complete. The next step is to add the DNS record that will be used as the public key for your domain, and then to test that OpenDKIM is working - OpenDKIM DNS configuration


Installing and Configuring OpenDKIM on ISPmanager 5

Installing OpenDKIM on ISPmanager 5

With ISPmanager 5, OpenDKIM is installed and configured from the Control Panel. No configuration from the command line is necessary.

  • For ISPmanager 5, go to Settings > Features. In ISPmanager 5, OpenDKIM is installed by clicking on Mail server (SMTP/POP3/IMAP) and then clicking on Edit in the upper left corner. Click the check box for OpenDKIM (exim) and then on Apply Changes.

    More information on installing applications can be found here - Installing Features.

Configuring OpenDKIM on ISPmanager 5

OpenDKIM is configured on a per-domain basis. To set up a domain to use OpenDKIM, go to Domains > Mail domains, and click on the domain where you want to configure OpenDKIM. Then click on Edit in the upper left corner. On the Mail domain - domain.tld screen, click the check box for Enable DKIM for this domain, and then click OK. Do this for every domain where you want to use OpenDKIM.

At this point, the OpenDKIM configuration on the Virtual Server is complete. The next step is to add the DNS record that will be used as the public key for your domain, and then to test that OpenDKIM is working - OpenDKIM DNS configuration


OpenDKIM DNS configuration

The DNS configuration for OpenDKIM is the same for both ISPmanager 4 or ISPmanager 5. The only difference is the location of the public key file.

The OpenDKIM configuration generates two keys - a private key that is used to sign your e-mails with the DKIM-Signature, and a public key that you publish to your DNS which is used by the recipient to verify that the e-mails purporting to come from your domain actually do come from your domain.

This step is mandatory for using OpenDKIM, which relies on both the private key and the public key to work. If you do not publish your public key to your domain's DNS record, OpenDKIM will not be used for your domain.

OpenDKIM public key file

The location of the OpenDKIM public key file will depend on which version of ISPmanager you have installed.

  • ISPmanager 4 - the public key file is located here: /etc/opendkim/keys/domain.tld/default.txt (substitute your domain name for domain.tld). Make sure to use the default.txt file, and not the default file, which is your private key and should never be published.

  • ISPmanager 5 - the public key file is located here: /etc/exim/ssl/domain.tld.txt (substitute your domain name for domain.tld). Make sure to use the domain.tld.txt, and not the domain.tld.private file, which is your private key and should never be published.

The public key file looks similar to this (this example has been split on several lines to accommodate the screen size).

default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrNOJJMnmYlN5uHjMech9FL2CRTM7yA2BPpB88qTN33t Mi0Li4XRN6a79oQSNqMJBXbPXlEa8SF5T1NTeAuSE5RO+FNF4d7Ji/LOYzRugUGEAney20OmzwNe469UGYmi CnJTg6W5ouBzyqTWYw2EzuLwV2Ivngw/v91aPLdXYg7QIDAQAB" ; ----- DKIM default for domain.tld

Creating the OpenDKIM DNS record

You will need to create a DNS TXT record for your public key. These instructions show how to create this using the DNS Manager in the Customer Portal; if you use a different DNS provider for your domain, you may need to contact their support if you need assistance setting up a DNS TXT record there.

If you need more information on the DNS Manager in the Customer Portal, please see the DNS Manager User Guide - http://support.eapps.com/portal/dns

Once you are logged in to the Customer Portal, click on DNS Manager. Find the domain where you need to add the TXT record (in this example, the eapps-example.com domain), and click on the pencil icon to the right.

DNS - edit domain


This will show all the DNS records for the domain. To add the new TXT record, click on Add New Record.

DNS - all records


This opens the Manage Record for: screen.

DNS - Manage Record for:

You will need to add these values:

  • Name - for the Name, enter default._domainkey

  • Type - for the Type, choose TXT from the drop down list

  • TTL - leave this blank, it will automatically be set to 600 (seconds)

  • Priority - leave this blank, TXT records have no priority

  • Value - the Value is the actual public key record. This is taken from the default.txt or the domain.tld.txt file, and is everything between the double-quotation marks, including the quotation marks themselves. The Value must be entered all on one line.

The Value is the most important part of the DNS record, because this is the public key that the recipient's mail server will be comparing against the DKIM-Signature to verify that the e-mail is actually from your domain.

From the public key file, the text you will put in the Value field will look similar to this:

"v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrNOJJMnmYlN5uHjMech9FL2CRTM7yA2BPpB88qTN33 tMi0Li4XRN6a79oQSNqMJBXbPXlEa8SF5T1NTeAuSE5RO+FNF4d7Ji/LOYzRugUGEAney20OmzwNe4 69UGYmiCnJTg6W5ouBzyqTWYw2EzuLwV2Ivngw/v91aPLdXYg7QIDAQAB"

Warning Make sure the Value is entered all on one line. The best practice is to copy the text from the public key file, and then paste that into a text editor where the width has been expanded so that everything is on one line, and then copy that and paste it into the DNS Manager. If you copy and paste directly from the public key file, it will be on several lines, and will not work.

When you enter in the information for the new DNS record, it will look like this.

DNS - Save Record

Click on Save Record. This will add the DNS record, and take you back to the main screen where you can edit the domain.


You will see the new DNS record at the bottom of the screen. The Value will show on two lines, but make sure that what you entered was on one line.

DNS - TXT record

(Part of the record was trimmed out in order to fit on the screen)

If you don't see the double quotes at the end of the entry, then the DNS Manager interpreted what you entered as being on multiple lines. You will need to edit that record, delete the text in the Value field, and re-add it.

Like all DNS records, it may take between 24 to 48 hours for it to fully propagate across the Internet, but generally it should be available fairly quickly - usually in one to two hours.


Testing OpenDKIM

After you have set up OpenDKIM and added the DNS record for the public key, you can test to make sure that your e-mails are being signed and that the recipients who are using DKIM see the record correctly.

Note Remember that it may take several hours for the DNS record with the public key to propagate successfully. If your first tests are unsuccessful, wait a few hours and try again. If you are still experiencing failures after 24 hours, recheck your configuration. If you need more assistance, please contact eApps Support.

Using an auto-responder

There are several auto-responders that you can send a signed e-mail to, and they will send back an auto-reply that will tell you if your OpenDKIM configuration is working. If you have a Gmail address, you can also send a signed e-mail to that address as a test.

From the domain or user that you have set up to use OpenDKIM, send an e-mail to one or both of these addresses:

autorespond+dkim@dk.elandsys.com
sa-test@sendmail.net

The e-mail does not need to have a subject or body, you can send a blank e-mail.

After a few minutes (possibly only a few seconds) you will receive an auto-reply. If you look at the body of the auto-reply, you will see whether or not your OpenDKIM configuration is working correctly.

For the autorespond+dkim@dk.elandsys.com address, you are looking for this in the reply:

DKIM Signature validation: pass

If there is a problem with the OpenDKIM configuration, you will see a message similar to this:

DKIM Signature validation: permerror (key not found)


For the sa-test@sendmail.net address, you are looking for this in the reply:

Authentication System:     DomainKeys Identified Mail (DKIM)
 Result:                   DKIM signature confirmed GOOD
 Description:              Signature verified, message arrived intact

If there is a problem with the OpenDKIM configuration, you will see a message similar to this:

Authentication System:     DomainKeys Identified Mail (DKIM)
 Result:                   DKIM signature confirmed BAD
 Description:              Unrecoverable error during processing; signature data cannot be verified

If you get an error from the auto-responder, wait for about half an hour and try again. The DNS record may not have propagated to the location of the auto-responder yet. For example, during eApps OpenDKIM testing, the autorespond+dkim@dk.elandsys.com address returned a successful result about 20 minutes before the sa-test@sendmail.net address did.

If you are still getting errors 24 hours after creating the DNS record, recheck your configuration or contact eApps Support for assistance.

Testing with Gmail

If you have a Gmail address, you can test OpenDKIM by sending an e-mail to that address. Once the e-mail arrives, click on the down arrow next to the to me under the sender's name. This opens the Show details screen.

Gmail - Show Details down arrow


If OpenDKIM is working correctly, you will see a line that says signed-by:

Gmail - signed-by


Again, if you do not see a successful reply right away, wait about half an hour and try again. If you are still getting errors 24 hours after creating the DNS record, recheck your configuration or contact eApps Support for assistance.


Using multiple domains with OpenDKIM

If you are sending mail on your Virtual Server from multiple domains, you can configure OpenDKIM on each domain.

NOTE - how to configure OpenDKIM for multiple domains will depend on which version of ISPmanager you have installed. Please make sure you are working with the correct set of instructions.

NOTE - this section of the user guide assumes that you have already configured OpenDKIM on one domain, and are able to successfully send signed e-mails.

Once you have completed the configuration, you will need to add the correct DNS records and then test OpenDKIM.

Configuring multiple domains using ISPmanager 4

If you send e-mails from multiple domains from your Virtual Server, you can set up OpenDKIM so that it will sign the e-mails for those domains. To do this, you will need to generate a public and private key for each domain, and configure the KeyTable, SigningTable, and TrustedHosts files so that OpenDKIM is aware of the domains.

The previous examples in this user guide used the domain of eapps-example.com. These examples will be adding the domain of example-domain.vm-host.net to the existing OpenDKIM configuration. Make sure that you are substituting your own domain names for eapps-example.com and example-domain.vm-host.net. While this example shows adding one additional domain, the steps for adding any number of additional domains are the same.

OpenDKIM configuration for multiple domains

Remember, this user guide assumes that you have already set up and configured OpenDKIM for one domain name. Once OpenDKIM is set up and working for one domain, you will not have to make any changes to the /etc/opendkim.conf file for it to work for multiple domains.

Create the keys directory and generate the keys

Every additional domain you want to add to OpenDKIM will need its own keys in the /etc/opendkim/keys directory. You will need to create a directory for the keys, and then generate the keys.

Change directories to /etc/opendkim and make the directory with the mkdir /etc/opendkim/keys/example-domain.vm-host.net command. Remember to substitute your domain name for example-domain.vm-host.net.

[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example opendkim]# mkdir /etc/opendkim/keys/example-domain.vm-host.net

Once you have created the directory for the keys, generate the public and private keys. Use the following command, paying attention to the letter case in the switches: there is both a capital D and a lowercase d. Also remember to substitute your own domain name for example-domain.vm-host.net.

The command should be all on one line:

/usr/bin/opendkim-genkey -D /etc/opendkim/keys/example-domain.vm-host.net/ -d example-domain.vm-host.net -s default

[root@eapps-example opendkim]# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/example-domain.vm-host.net/ -d example-domain.vm-host.net -s default

Now you need to change the owner and group of the newly created directory from root to opendkim, and change the name of the private key to to match what is in the OpenDKIM configuration file.

Change the owner and group with the chown -R command. The -R switch changes the owner and group recursively, meaning all files and directories under the parent directory will be changed also. Then use the mv command to rename the private key file from default.private to default.

The mv command should be all on one line:

mv /etc/opendkim/keys/example-domain.vm-host.net/default.private /etc/opendkim/keys/example-domain.vm-host.net/default

[root@eapps-example ~]# chown -R opendkim:opendkim /etc/opendkim/keys/example-domain.vm-host.net/
[root@eapps-example ~]# mv /etc/opendkim/keys/example-domain.vm-host.net/default.private /etc/opendkim/keys/example-domain.vm-host.net/default

KeyTable

Now you will need to edit the KeyTable file, which already has a line for the eapps-example.com domain. Copy that line, and then substitute the new domain name in two locations, add the directory for your keys, and change default.private to default. The line below shows what needs to be done, using the example-domain.vm-host.net domain.

default._domainkey.example-domain.vm-host.net example-domain.vm-host.net:default:/etc/opendkim/keys/example-domain.vm-host.net/default

Remember that this has to be on one line. If this is split into two lines, OpenDKIM will not work.

(the text size has been reduced so that the example stays on one line - this is very important)

# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.eapps-example.com eapps-example.com:default:/etc/opendkim/keys/eapps-example.com/default
default._domainkey.example-domain.vm-host.net example-domain.vm-host.net:default:/etc/opendkim/keys/example-domain.vm-host.net/default

Once you have made your changes, save and exit the file.

SigningTable

The SigningTable will already have an existing line for the eapps-example.com domain, allowing all users from the domain to sign their e-mails by using a wildcard. To allow all users from the example-domain.vm-host.net domain to sign their e-mails, copy that line, and substitute the new domain name where needed.

#*@example.com default._domainkey.example.com
*@eapps-example.com default._domainkey.eapps-example.com
*@example-domain.vm-host.net default._domainkey.example-domain.vm-host.net

To allow only a specific user from a domain to sign their e-mails, copy the default wildcard line (line 5), uncomment your new line, and change it to look like this:

#*@example.com default._domainkey.example.com
user@eapps-example.com default._domainkey.eapps-example.com
user@example-domain.vm-host.net default._domainkey.example-domain.vm-host.net

You have two choices - either everyone who sends e-mail from the domain will have their e-mails signed, or only specific users will. If everyone will have their e-mails signed, then use the first example, otherwise use the second example, and list each user in the file, one user per line.

This can vary by domain, though. You can allow all users from one domain to sign their e-mails, but only allow specific users from another domain to sign their e-mails.

Once you have made your changes, save and exit the file.

TrustedHosts

The TrustedHosts file will already have an entry for 127.0.0.1 (localhost) and the eapps-example.com domain. Add the new domain to the file, making sure it is on a line by itself.

# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
eapps-example.com
example-domain.vm-host.net
68.169.60.79

Once you have made your changes, save and exit the file.

Restarting OpenDKIM

Once you have added the new key directory, generated the keys for any additional domains, and configured the KeyTable, SigningTable, and TrustedHosts for the additional domains, you will need to restart OpenDKIM.

For CentOS 6, use the service opendkim restart command:

[root@eapps-example opendkim]# service opendkim restart

Configuring multiple domains using ISPmanager 5

All the configuration for using multiple domains with ISPmanager 5 is done directly from the Control Panel. To set up multiple domains to use OpenDKIM, go to Domains > Mail domains, and click on the domain where you want to configure OpenDKIM. Then click on Edit in the upper left corner. On the Mail domain - domain.tld screen, click the check box for Enable DKIM for this domain, and then click OK. Do this for every domain where you want to use OpenDKIM.

DNS configuration

You will need to add the public key for your new domain to DNS so that OpenDKIM will work. Full instructions are given in the OpenDKIM DNS configuration section of this user guide. Make sure that you add the public key correctly.

This step is mandatory for using OpenDKIM, which relies on both the private key and the public key to work. If you do not publish your public key to your domain's DNS record, OpenDKIM will not be used for your domain.

Remember that it may take several hours for your DNS record to fully propagate.

Testing OpenDKIM

Once the DNS record is in place, you can start to test OpenDKIM. Instructions on how to test OpenDKIM are in the Testing OpenDKIM section of this user guide. Remember that your original tests may fail if the DNS has not had time to fully propagate.


(2 vote(s))
Helpful
Not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments:
CAPTCHA Verification 
 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).