DKIM: Explanation & Insights

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check if the email was actually sent by the domain it appears to be sent from and if the content was tampered with during transit.

DKIM works by adding a digital signature to the headers of an email message. This signature can be validated by the recipient by using the sender's public key, which is published in the DNS records of the sender's domain.

Why is DKIM important?

DKIM contributes to the trustworthiness of email communications. By verifying the domain of the sender and the integrity of the message, DKIM helps to protect against phishing and spam - common security threats in the world of email.

Without DKIM, it would be easier for malicious actors to spoof email addresses and send phishing emails, leading to potential security breaches.

DKIM and Linux Servers

Linux servers, which are often used as mail servers, can be configured to sign outgoing emails with DKIM. This process involves generating a private/public key pair, configuring the mail server to use the private key for signing emails, and publishing the public key in the DNS records of the domain.

Generating DKIM Keys

One of the first steps in setting up DKIM is to generate a private/public key pair. This can be done using the opendkim-genkey command in Linux.

Here's an example:

sudo opendkim-genkey -t -s mail -d

This command generates a key pair for the domain with the selector "mail". The -t option tells opendkim-genkey to generate test keys (not to be used for real emails).

Configuring the Mail Server

Once you have generated your keys, the next step is to configure your mail server to use them. This will depend on the specific mail server software you are using.

For example, if you are using Postfix, you might need to add the following lines to your /etc/postfix/ file:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Here, we are configuring Postfix to use a milter (mail filter) at localhost port 8891, which is where we will run OpenDKIM.

Publishing the Public Key

The final step is to publish the public key in the DNS records of your domain. This is usually done by adding a TXT record with the name being the selector (followed by ._domainkey), and the value being the public key.

Here's an example of what the TXT record might look like:

mail._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "

Common Problems with DKIM

Setting up DKIM can be tricky and there are several common problems you might encounter. For example, you might have issues with generating the keys, configuring your mail server, or adding the DNS record.

If you're having trouble, make sure to check the documentation for your mail server software and the opendkim-genkey command. Also, keep in mind that DNS changes can take a while to propagate, so if your DKIM isn't working right away, you might just need to wait a bit.


DKIM is an important part of email security, helping to verify the sender of an email and ensure the integrity of the message. Setting it up involves generating a key pair, configuring your mail server, and updating your DNS records. While it can be a bit tricky, the added security is definitely worth the effort.

Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license CC BY SA