User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active

There are tons of article out there stating different things, being obsolete and handling single domain servers (are there any of those left?) when it comes to DKIM mail signing and verification with amavisd-new and Postfix. So this is what I found out to be true and woring after puzzling together bits and pieces of those articles and howtos.

So basically you really do want DKIM signing on your outgoing emails, mainly because the email giants such as Google, Yahoo etc. are really putting some weight on correctly signed emails to prevent spam. If you don't sign your emails with DKIM you increase the chance of the emails ending up in the recipients spam box. There are standalone libraries for doing DKIM signing, like opendkim, but since this system already has amavisd-new I thought it was unnecessary to bring in yet another package to maintain. 

I've added these lines to /etc/amavis/conf.d/50-user :

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

That will enable both signing outgoingemails and also verifying incoming emails. Next to the magic lines:

dkim_key('', 'scarleo', '/var/db/dkim/scarleo-scarleo.key.pem');

One of those for every domain this server handles. And then for the rest:

@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
$interface_policy{'10024'} = 'DKIM_ALWAYS';
$policy_bank{'DKIM_ALWAYS'} = { originating => 1, };

 which will ativate DKIM signing for all authenticated outgoing emails. Most guides out there suggests:

@mynetworks = qw(; 

but that really isn't maintainable according to me, since you need to know the IP of the sending computer. Shure, if you only use webmail you are fine with that line but for the more versatile system where users can use their own email clients you don't want to do that.

Now to key generation:

:~# amavisd-new genrsa /var/db/dkim/scarleo-scarleo.key.pem

which will generate your private key. Then run:

:~# amavisd-new showkeys

which will show you the pubblic key, the one that goes in a TXT record on in your DNS. It will be formatted for insertion into a zone file so I washed it from ":s and line breaks, getting everything on a single line, something like this:

v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKsM6dxTR5iuHU/TZDcBZSvkvJY8jAvAAvPmghZncbFzHF51esdffq34rCVcsS/UUVLIqiBNwlTwrW+gUI7CtEr4fOUKsjwue/+/u30dt6jwF2enxVRT5az1KyCkklFMKxPpZC1BmMdvXmzjJMZVUeOeQXsjZWc8wIDAQAB

You can test that the key is verifyable against the public key with:

amavisd-new testkeys [domain.tld]

which should return:

TESTING#1:          => pass

Well, that is basically it. Want to verify that it's working? Have a look at this site: or you could just send an email to your Gmail account and click the little arrow next to "to me", it should say "Signed by" on one of the lines if it's working.