Using OpenDKIM (Domain Keys)
- 28/06/2012 8:24 AM
Applicable Plans - All Cloud Hosting Plans
Using OpenDKIM (Domain Keys)
Overview
OpenDKIM is the replacement for the dkim-milter and domainkeys-milter projects, which are no longer under active development. More information about OpenDKIM can be found here - http://www.opendkim.org/
With OpenDKIM, you associate a domain name with an e-mail message. Each e-mail from a domain using OpenDKIM will have a DKIM-Signature in the header, and the receiver will compare that to a public key that is published in the DNS record for the domain. This is used to verify that the e-mail message actually came from the domain where it claims to have originated from. E-mail service providers such as Yahoo! and Gmail all use DKIM signatures for their e-mails.
Using OpenDKIM will not guarantee that your sent mail will not be directed to the recipient's spam or bulk mail folder. However, it will greatly increase the likelihood that it does not.
If your e-mail still triggers the spam or fraud filters at the recipient's ISP or mail provider, then your e-mail will still end up discarded or sent to the Spam/Bulk folder. If this is happening, you will need to work directly with the recipient's ISP or mail provider to find out what is causing your e-mails to be marked as spam. eApps is generally not able to help with this issue.
OpenDKIM and Control Panel Information - Read Before You Start!
Which method you use to install OpenDKIM will depend on which version of ISPmanager you have installed. Please make sure you are working with the correct set of instructions.
-
ISPmanager 4 - OpenDKIM is installed from the Control Panel, but all configuration is done from the command line of the Virtual Server. Please see Installing and Configuring OpenDKIM on ISPmanager 4 for more information.
-
ISPmanager 5 - OpenDKIM is installed and configured from ISPmanager. Please see Installing and Configuring OpenDKIM on ISPmanager 5 for more information.
How to determine which version of ISPmanager you are using can be found here - ISPmanager versions
NOTE - this user guide assumes that you have already added an e-mail domain and e-mail users to your Virtual Server, and that you are able to send and receive e-mail on the VS with no issues. More information on configuring e-mail can be found here:
- ISPmanager 4 - Managing E-mail in ISPmanager 4
- ISPmanager 5 - Managing E-mail in ISPmanager 5
Installing and Configuring OpenDKIM on ISPmanager 4
Installing OpenDKIM on ISPmanager 4
Configuring OpenDKIM on ISPmanager 4
Edit Sendmail to recognize OpenDKIM
Start OpenDKIM and set it to start at system boot
Installing and Configuring OpenDKIM on ISPmanager 5
Installing OpenDKIM on ISPmanager 5
Configuring OpenDKIM on ISPmanager 5
OpenDKIM DNS configuration
OpenDKIM public key file
Creating the OpenDKIM DNS record
Testing OpenDKIM
Using an auto-responder
Testing with Gmail
Using multiple domains with OpenDKIM
Configuring multiple domains using ISPmanager 4
Configuring multiple domains using ISPmanager 5
Installing and Configuring OpenDKIM on ISPmanager 4
Installing OpenDKIM on ISPmanager 4
With ISPmanager 4, OpenDKIM is installed from the Control Panel, but the configuration is done from the command line of the Virtual Server.
- For ISPmanager 4, go to Server Settings > Applications. Install OpenDKIM. More information on installing applications can be found here - Installing Server Applications.
Configuring OpenDKIM on ISPmanager 4
For ISPmanager 4, configuring OpenDKIM is done completely from the command line of the Virtual Server, as the root user. You will need to be able to log in to the VS using SSH, navigate the Linux file system, run commands, and edit files using a text editor (vim is available by default).
If you wish to have OpenDKIM installed, but do not have the command line skills required, please contact eApps Sales to discuss having this done for you as billable work.
To configure OpenDKIM, you will need to create a directory where the private key for the domain will be kept, and then generate the public and private OpenDKIM keys. Once that is done, you will need to edit the OpenDKIM configuration files.
Once you have set up OpenDKIM, you will then need to edit the Sendmail configuration files, so that the mail server knows to use OpenDKIM. Then you will need to restart OpenDKIM and sendmail, and then set OpenDKIM to start at system boot.
When you configure OpenDKIM, you will need to use the domain name that you will be sending e-mail from - the part after the @ in the e-mail address. This user guide uses eapps-example.com as the domain name for OpenDKIM, you will need to substitute your own domain name.
Create the OpenDKIM key directory and OpenDKIM keys
Change directories to /etc/opendkim and make the directory with the mkdir /etc/opendkim/keys/eapps-example.com command. Remember to substitute your domain name for eapps-example.com.
[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example opendkim]# mkdir /etc/opendkim/keys/eapps-example.com
Once you have created the directory for the keys, generate the public and private keys. Use the following command, paying attention to the letter case in the switches: there is both a capital D and a lowercase d, in that order. Also remember to substitute your own domain name for eapps-example.com
The command should be all on one line:
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/eapps-example.com/ -d eapps-example.com -s default
[root@eapps-example opendkim]# /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/eapps-example.com/ -d eapps-example.com -s default
Now you need to change the owner and group of the newly created directory from root to opendkim, and change the name of the private key to to match what you will be using later in the OpenDKIM configuration file.
Change the owner and group with the chown -R command. The -R switch changes the owner and group recursively, meaning all files and directories under the parent directory will be changed also. Then use the mv command to rename the private key file from default.private to default.
The mv command should be all on one line:
mv /etc/opendkim/keys/eapps-example.com/default.private /etc/opendkim/keys/eapps-example.com/default
[root@eapps-example opendkim]# chown -R opendkim:opendkim /etc/opendkim/keys/eapps-example.com/
[root@eapps-example opendkim]# mv /etc/opendkim/keys/eapps-example.com/default.private /etc/opendkim/keys/eapps-example.com/default
Editing the OpenDKIM configuration files
OpenDKIM has four configuration files that have to be edited:
- /etc/opendkim.conf - this is the main configuration file
- /etc/opendkim/KeyTable - this lists the keys that are available to sign e-mails
- /etc/opendkim/SigningTable - this lists the domains and e-mail accounts allowed to sign e-mails
- /etc/opendkim/TrustedHosts - this lists the servers that are trusted for signing or verifying
opendkim.conf
The first file to edit is /etc/opendkim.conf. Before editing the file, make a backup so that you can revert to the default state if needed. After you have copied the file, open it in a text editor.
[root@eapps-example ~]# cd /etc/
[root@eapps-example etc]# cp opendkim.conf{,.bck}
[root@eapps-example etc]# vim opendkim.conf
Edit the file so that it looks like this. The line numbers are shown for illustration purposes only, see below for a list of what lines have to be changed, referenced by line number.
1 ## BASIC OPENDKIM CONFIGURATION FILE
2 ## See opendkim.conf(5) or /usr/share/doc/opendkim-2.4.2/opendkim.conf.sample for more
3
4 ## BEFORE running OpenDKIM you must:
5
6 ## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
7 ## - generate keys for your domain (if signing)
8 ## - edit your DNS records to publish your public keys (if signing)
9
10 ## See /usr/share/doc/opendkim-2.4.2/INSTALL for detailed instructions.
11
12 ## CONFIGURATION OPTIONS
13
14 # Specifies the path to the process ID file.
15 PidFile /var/run/opendkim/opendkim.pid
16
17 # Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
18 Mode sv
19
20 # Log activity to the system log.
21 Syslog yes
22
23 # Log additional entries indicating successful signing or verification of messages.
24 SyslogSuccess yes
25
26 # If logging is enabled, include detailed logging about why or why not a message was
27 # signed or verified. This causes an increase in the amount of log data generated
28 # for each message, so set this to No (or comment it out) if it gets too noisy.
29 # LogWhy yes
30
31 # Attempt to become the specified user before starting operations.
32 UserID opendkim:opendkim
33
34 # Create a socket through which your MTA can communicate.
35 Socket inet:8891@localhost
36
37 # Required to use local socket with MTAs that access the socket as a non-
38 # privileged user (e.g. Postfix)
39 Umask 002
40
41 # This specifies a text file in which to store DKIM transaction statistics.
42 #Statistics /var/spool/opendkim/stats.dat
43
44 ## SIGNING OPTIONS
45
46 # Selects the canonicalization method(s) to be used when signing messages.
47 Canonicalization relaxed/simple
48
49 # Domain(s) whose mail should be signed by this filter. Mail from other domains will
50 # be verified rather than being signed. Uncomment and use your domain name.
51 # This parameter is not required if a SigningTable is in use.
52 #Domain example.com
53
54 # Defines the name of the selector to be used when signing messages.
55 Selector default
56
57 # Gives the location of a private key to be used for signing ALL messages.
58 # KeyFile /etc/opendkim/keys/default.private
59
60 # Gives the location of a file mapping key names to signing keys. In simple terms,
61 # this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
62 # setting in the configuration file.
63 KeyTable refile:/etc/opendkim/KeyTable
64
65 # Defines a table used to select one or more signatures to apply to a message based
66 # on the address found in the From: header field. In simple terms, this tells
67 # OpenDKIM how to use your keys.
68 SigningTable refile:/etc/opendkim/SigningTable
69
70 # Identifies a set of "external" hosts that may send mail through the server as one
71 # of the signing domains without credentials as such.
72 ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
73
74 # Identifies a set internal hosts whose mail should be signed rather than verified.
75 InternalHosts refile:/etc/opendkim/TrustedHosts
In the file you will need to change the following lines:
Line 18 - change from v to sv
Line 29 - comment this line out. If you need additional log output for troubleshooting, you can uncomment it again.
Line 58 - comment this line out
Line 63 - uncomment this line, add the refile: keyword
Line 68 - uncomment this line, add the refile: keyword
Line 72 - uncomment this line
Line 75 - uncomment this line
Once you have made your changes, save and exit the file.
KeyTable
The next file to edit is the KeyTable, located at /etc/opendkim/KeyTable. The KeyTable tells OpenDKIM where to find the keys for the e-mail domain you are going to be signing messages for.
Change directories to /etc/opendkim, and then open the KeyTable file in a text editor.
[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example opendkim]# vim KeyTable
In the KeyTable file, copy the existing line, and then uncomment that new line. You will need to substitute your domain name for example.com in two locations, add the directory for your keys, and change default.private to default. The line below shows what needs to be done, using the eapps-example.com domain.
default._domainkey.eapps-example.com eapps-example.com:default:/etc/opendkim/keys/eapps-example.com/default
Remember that this has to be on one line. If this is split into two lines, OpenDKIM will not work.
(the text size has been reduced so that the example stays on one line - this is very important)
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.eapps-example.com eapps-example.com:default:/etc/opendkim/keys/eapps-example.com/default
Once you have made your changes, save and exit the file.
SigningTable
The SigningTable tells OpenDKIM which users can sign their e-mails with the key. You can use a wildcard to allow all users from a specific domain to sign, or you can specify individual users.
The SigningTable is in the same directory as the KeyTable (/etc/opendkim). Open the file in a text editor (this example uses vim, nano is also available).
To allow all users from a specific domain to be able to use OpenDKIM to sign their e-mails, copy line 5, uncomment your new line, and substitute your domain for example.com.
#*@example.com default..example.com
*@eapps-example.com default..eapps-example.com
To allow only a specific user from a domain to sign their e-mails, copy the default wildcard line (line 5), uncomment your new line, and change it to look like this:
#*@example.com default._domainkey.example.com
user@eapps-example.com default._domainkey.eapps-example.com
You have two choices - either everyone who sends e-mail from the domain will have their e-mails signed, or only specific users will. If everyone will have their e-mails signed, then use the first example, otherwise use the second example, and list each user in the file, one user per line.
Once you have made your changes, save and exit the file.
TrustedHosts
The TrustedHosts table tells OpenDKIM which hosts can use the keys. The hosts in this file will be ignored when verifying incoming e-mail, but the outgoing e-mail for these hosts will be signed (as per the configuration of the SigningTable).
Enter each host, one per line. You can use the IP address, the hostname, an IPv4 address with CIDR, an IPv6 address, or any combination of those values. Generally, you will want to use the correct DNS name for each host that is being signed.
The TrustedHosts file is in the same directory as the KeyTable and the SigningTable (/etc/opendkim).
This example uses the domain of eapps-example.com, and also the hostname of the Virtual Server itself, which is example.eapps-example.com, as well as the IP address for the Virtual Server. Please substitute your domain name accordingly.
The line for 127.0.0.1 MUST BE THE FIRST UNCOMMENTED LINE IN THE FILE. Otherwise, no outgoing e-mail from the VS will be signed.
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
eapps-example.com
example.eapps-example.com
68.169.60.79
Once you have made your changes, save and exit the file.
Edit Sendmail to recognize OpenDKIM
The Sendmail mail server that is used by the Virtual Server has to be told to use OpenDKIM. To do this, you will need to edit the sendmail.mc macro file, and then use that to rebuild the sendmail.cf configuration file.
Change directories to /etc/mail, and make a backup of the existing Sendmail configuration files first, so that you can put them back in place if needed. Do not skip this step - make backups of the files before continuing.
[root@eapps-example ~]# cd /etc/mail
[root@eapps-example mail]# cp sendmail.mc{,.orig}
[root@eapps-example mail]# cp sendmail.cf{,.orig}
Open the sendmail.mc file in a text editor.
Do not, under any circumstances, edit the sendmail.cf file directly. Only edit the sendmail.mc file, which will be used to rebuild the sendmail.cf file.
In the sendmail.mc file, add this line to the very bottom of the file, so that it is the last line:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
Note the location of the backticks and single quotes in the line.
When you edit the sendmail.mc file, go to the end of the file, and add the opendkim line.
~
~
~
define(`confCACERT_PATH', `/etc/mail/ssl/certs/CA')dnl
FEATURE(`delay_checks')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
INPUT_MAIL_FILTER(`spfmilter', `S=unix:/var/run/spfmilter/spfmilter.sock, T=S:8m;R:8m')dnl
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
Once you have added the line, save and exit the file.
Rebuild and restart sendmail
After editing sendmail.mc, you will need to rebuild the sendmail configuration file (sendmail.cf), and restart sendmail.
To rebuild sendmail.cf, use the following command:
m4 sendmail.mc > sendmail.cf
This calls the m4 macro language processor, and uses the values in sendmail.mc to rewrite the configuration of sendmail.cf.
After rebuilding the sendmail configuration, you will need to restart sendmail.
For CentOS 6, use the service sendmail restart command:
[root@eapps-example mail]# m4 sendmail.mc > sendmail.cf
[root@eapps-example mail]# service sendmail restart
If you get an error restarting sendmail, pay close attention to the error message, which will often (but not always) tell you what is causing the error. Put the copies of the original sendmail.mc and sendmail.cf files back into place, and restart sendmail again so you can go back and edit the file. If you need further assistance, contact eApps Support.
Start OpenDKIM and set it to start at system boot
Once all the OpenDKIM configuration is done, change directories back to /etc/opendkim, and start the service. Once it is started, you will need to set it to start at system boot.
For CentOS 6, use the service opendkim start command and the chkconfig opendkim on commands:
[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example ~]# service opendkim start
[root@eapps-example ~]# chkconfig opendkim on
The first time you start OpenDKIM, you should see messages about generating default keys for the domain, and then the message that the service started successfully. The default keys that are generated are not the keys that will be used by OpenDKIM, the keys that you generate manually will be the ones that are used.
At this point, the OpenDKIM configuration on the Virtual Server is complete. The next step is to add the DNS record that will be used as the public key for your domain, and then to test that OpenDKIM is working - OpenDKIM DNS configuration
Installing and Configuring OpenDKIM on ISPmanager 5
Installing OpenDKIM on ISPmanager 5
With ISPmanager 5, OpenDKIM is installed and configured from the Control Panel. No configuration from the command line is necessary.
-
For ISPmanager 5, go to Settings > Features. In ISPmanager 5, OpenDKIM is installed by clicking on Mail server (SMTP/POP3/IMAP) and then clicking on Edit in the upper left corner. Click the check box for OpenDKIM (exim) and then on Apply Changes.
More information on installing applications can be found here - Installing Features.
Configuring OpenDKIM on ISPmanager 5
OpenDKIM is configured on a per-domain basis. To set up a domain to use OpenDKIM, go to Domains > Mail domains, and click on the domain where you want to configure OpenDKIM. Then click on Edit in the upper left corner. On the Mail domain - domain.tld screen, click the check box for Enable DKIM for this domain, and then click OK. Do this for every domain where you want to use OpenDKIM.
At this point, the OpenDKIM configuration on the Virtual Server is complete. The next step is to add the DNS record that will be used as the public key for your domain, and then to test that OpenDKIM is working - OpenDKIM DNS configuration
OpenDKIM DNS configuration
The DNS configuration for OpenDKIM is the same for both ISPmanager 4 or ISPmanager 5. The only difference is the location of the public key file.
The OpenDKIM configuration generates two keys - a private key that is used to sign your e-mails with the DKIM-Signature, and a public key that you publish to your DNS which is used by the recipient to verify that the e-mails purporting to come from your domain actually do come from your domain.
This step is mandatory for using OpenDKIM, which relies on both the private key and the public key to work. If you do not publish your public key to your domain's DNS record, OpenDKIM will not be used for your domain.
OpenDKIM public key file
The location of the OpenDKIM public key file will depend on which version of ISPmanager you have installed.
-
ISPmanager 4 - the public key file is located here: /etc/opendkim/keys/domain.tld/default.txt (substitute your domain name for domain.tld). Make sure to use the default.txt file, and not the default file, which is your private key and should never be published.
-
ISPmanager 5 - the public key file is located here: /etc/exim/ssl/domain.tld.txt (substitute your domain name for domain.tld). Make sure to use the domain.tld.txt, and not the domain.tld.private file, which is your private key and should never be published.
The public key file looks similar to this (this example has been split on several lines to accommodate the screen size).
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrNOJJMnmYlN5uHjMech9FL2CRTM7yA2BPpB88qTN33t Mi0Li4XRN6a79oQSNqMJBXbPXlEa8SF5T1NTeAuSE5RO+FNF4d7Ji/LOYzRugUGEAney20OmzwNe469UGYmi CnJTg6W5ouBzyqTWYw2EzuLwV2Ivngw/v91aPLdXYg7QIDAQAB" ; ----- DKIM default for domain.tld
Creating the OpenDKIM DNS record
You will need to create a DNS TXT record for your public key. These instructions show how to create this using the DNS Manager in the Customer Portal; if you use a different DNS provider for your domain, you may need to contact their support if you need assistance setting up a DNS TXT record there.
If you need more information on the DNS Manager in the Customer Portal, please see the DNS Manager User Guide - http://support.eapps.com/portal/dns
Once you are logged in to the Customer Portal, click on DNS Manager. Find the domain where you need to add the TXT record (in this example, the eapps-example.com domain), and click on the pencil icon to the right.
This will show all the DNS records for the domain. To add the new TXT record, click on Add New Record.
This opens the Manage Record for: screen.
You will need to add these values:
-
Name - for the Name, enter default._domainkey
-
Type - for the Type, choose TXT from the drop down list
-
TTL - leave this blank, it will automatically be set to 600 (seconds)
-
Priority - leave this blank, TXT records have no priority
-
Value - the Value is the actual public key record. This is taken from the default.txt or the domain.tld.txt file, and is everything between the double-quotation marks, including the quotation marks themselves. The Value must be entered all on one line.
The Value is the most important part of the DNS record, because this is the public key that the recipient's mail server will be comparing against the DKIM-Signature to verify that the e-mail is actually from your domain.
From the public key file, the text you will put in the Value field will look similar to this:
"v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrNOJJMnmYlN5uHjMech9FL2CRTM7yA2BPpB88qTN33 tMi0Li4XRN6a79oQSNqMJBXbPXlEa8SF5T1NTeAuSE5RO+FNF4d7Ji/LOYzRugUGEAney20OmzwNe4 69UGYmiCnJTg6W5ouBzyqTWYw2EzuLwV2Ivngw/v91aPLdXYg7QIDAQAB"
 |
Make sure the Value is entered all on one line. The best practice is to copy the text from the public key file, and then paste that into a text editor where the width has been expanded so that everything is on one line, and then copy that and paste it into the DNS Manager. If you copy and paste directly from the public key file, it will be on several lines, and will not work. |
When you enter in the information for the new DNS record, it will look like this.
Click on Save Record. This will add the DNS record, and take you back to the main screen where you can edit the domain.
You will see the new DNS record at the bottom of the screen. The Value will show on two lines, but make sure that what you entered was on one line.
(Part of the record was trimmed out in order to fit on the screen)
If you don't see the double quotes at the end of the entry, then the DNS Manager interpreted what you entered as being on multiple lines. You will need to edit that record, delete the text in the Value field, and re-add it.
Like all DNS records, it may take between 24 to 48 hours for it to fully propagate across the Internet, but generally it should be available fairly quickly - usually in one to two hours.
Testing OpenDKIM
After you have set up OpenDKIM and added the DNS record for the public key, you can test to make sure that your e-mails are being signed and that the recipients who are using DKIM see the record correctly.
 |
Remember that it may take several hours for the DNS record with the public key to propagate successfully. If your first tests are unsuccessful, wait a few hours and try again. If you are still experiencing failures after 24 hours, recheck your configuration. If you need more assistance, please contact eApps Support. |
Using an auto-responder
There are several auto-responders that you can send a signed e-mail to, and they will send back an auto-reply that will tell you if your OpenDKIM configuration is working. If you have a Gmail address, you can also send a signed e-mail to that address as a test.
From the domain or user that you have set up to use OpenDKIM, send an e-mail to one or both of these addresses:
autorespond+dkim@dk.elandsys.com
sa-test@sendmail.net
The e-mail does not need to have a subject or body, you can send a blank e-mail.
After a few minutes (possibly only a few seconds) you will receive an auto-reply. If you look at the body of the auto-reply, you will see whether or not your OpenDKIM configuration is working correctly.
For the autorespond+dkim@dk.elandsys.com address, you are looking for this in the reply:
DKIM Signature validation: pass
If there is a problem with the OpenDKIM configuration, you will see a message similar to this:
DKIM Signature validation: permerror (key not found)
For the sa-test@sendmail.net address, you are looking for this in the reply:
Authentication System: DomainKeys Identified Mail (DKIM)
Result: DKIM signature confirmed GOOD
Description: Signature verified, message arrived intact
If there is a problem with the OpenDKIM configuration, you will see a message similar to this:
Authentication System: DomainKeys Identified Mail (DKIM)
Result: DKIM signature confirmed BAD
Description: Unrecoverable error during processing; signature data cannot be verified
If you get an error from the auto-responder, wait for about half an hour and try again. The DNS record may not have propagated to the location of the auto-responder yet. For example, during eApps OpenDKIM testing, the autorespond+dkim@dk.elandsys.com address returned a successful result about 20 minutes before the sa-test@sendmail.net address did.
If you are still getting errors 24 hours after creating the DNS record, recheck your configuration or contact eApps Support for assistance.
Testing with Gmail
If you have a Gmail address, you can test OpenDKIM by sending an e-mail to that address. Once the e-mail arrives, click on the down arrow next to the to me under the sender's name. This opens the Show details screen.
If OpenDKIM is working correctly, you will see a line that says signed-by:
Again, if you do not see a successful reply right away, wait about half an hour and try again. If you are still getting errors 24 hours after creating the DNS record, recheck your configuration or contact eApps Support for assistance.
Using multiple domains with OpenDKIM
If you are sending mail on your Virtual Server from multiple domains, you can configure OpenDKIM on each domain.
NOTE - how to configure OpenDKIM for multiple domains will depend on which version of ISPmanager you have installed. Please make sure you are working with the correct set of instructions.
-
ISPmanager 4 - all the configuration for using OpenDKIM with multiple domains is done from the command line of the Virtual Server. Please see Configuring multiple domains using ISPmanger 4 for more information.
-
ISPmanager 5 - all the configuration for using OpenDKIM with multiple domains is done from the Control Panel. Please see Configuring multiple domains using ISPmanager 5 for more information.
NOTE - this section of the user guide assumes that you have already configured OpenDKIM on one domain, and are able to successfully send signed e-mails.
Once you have completed the configuration, you will need to add the correct DNS records and then test OpenDKIM.
Configuring multiple domains using ISPmanager 4
If you send e-mails from multiple domains from your Virtual Server, you can set up OpenDKIM so that it will sign the e-mails for those domains. To do this, you will need to generate a public and private key for each domain, and configure the KeyTable, SigningTable, and TrustedHosts files so that OpenDKIM is aware of the domains.
The previous examples in this user guide used the domain of eapps-example.com. These examples will be adding the domain of example-domain.vm-host.net to the existing OpenDKIM configuration. Make sure that you are substituting your own domain names for eapps-example.com and example-domain.vm-host.net. While this example shows adding one additional domain, the steps for adding any number of additional domains are the same.
OpenDKIM configuration for multiple domains
Remember, this user guide assumes that you have already set up and configured OpenDKIM for one domain name. Once OpenDKIM is set up and working for one domain, you will not have to make any changes to the /etc/opendkim.conf file for it to work for multiple domains.
Create the keys directory and generate the keys
Every additional domain you want to add to OpenDKIM will need its own keys in the /etc/opendkim/keys directory. You will need to create a directory for the keys, and then generate the keys.
Change directories to /etc/opendkim and make the directory with the mkdir /etc/opendkim/keys/example-domain.vm-host.net command. Remember to substitute your domain name for example-domain.vm-host.net.
[root@eapps-example ~]# cd /etc/opendkim
[root@eapps-example opendkim]# mkdir /etc/opendkim/keys/example-domain.vm-host.net
Once you have created the directory for the keys, generate the public and private keys. Use the following command, paying attention to the letter case in the switches: there is both a capital D and a lowercase d. Also remember to substitute your own domain name for example-domain.vm-host.net.
The command should be all on one line:
/usr/bin/opendkim-genkey -D /etc/opendkim/keys/example-domain.vm-host.net/ -d example-domain.vm-host.net -s default
[root@eapps-example opendkim]# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/example-domain.vm-host.net/ -d example-domain.vm-host.net -s default
Now you need to change the owner and group of the newly created directory from root to opendkim, and change the name of the private key to to match what is in the OpenDKIM configuration file.
Change the owner and group with the chown -R command. The -R switch changes the owner and group recursively, meaning all files and directories under the parent directory will be changed also. Then use the mv command to rename the private key file from default.private to default.
The mv command should be all on one line:
mv /etc/opendkim/keys/example-domain.vm-host.net/default.private /etc/opendkim/keys/example-domain.vm-host.net/default
[root@eapps-example ~]# chown -R opendkim:opendkim /etc/opendkim/keys/example-domain.vm-host.net/
[root@eapps-example ~]# mv /etc/opendkim/keys/example-domain.vm-host.net/default.private /etc/opendkim/keys/example-domain.vm-host.net/default
KeyTable
Now you will need to edit the KeyTable file, which already has a line for the eapps-example.com domain. Copy that line, and then substitute the new domain name in two locations, add the directory for your keys, and change default.private to default. The line below shows what needs to be done, using the example-domain.vm-host.net domain.
default._domainkey.example-domain.vm-host.net example-domain.vm-host.net:default:/etc/opendkim/keys/example-domain.vm-host.net/default
Remember that this has to be on one line. If this is split into two lines, OpenDKIM will not work.
(the text size has been reduced so that the example stays on one line - this is very important)
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.eapps-example.com eapps-example.com:default:/etc/opendkim/keys/eapps-example.com/default
default._domainkey.example-domain.vm-host.net example-domain.vm-host.net:default:/etc/opendkim/keys/example-domain.vm-host.net/default
Once you have made your changes, save and exit the file.
SigningTable
The SigningTable will already have an existing line for the eapps-example.com domain, allowing all users from the domain to sign their e-mails by using a wildcard. To allow all users from the example-domain.vm-host.net domain to sign their e-mails, copy that line, and substitute the new domain name where needed.
#*@example.com default._domainkey.example.com
*@eapps-example.com default._domainkey.eapps-example.com
*@example-domain.vm-host.net default._domainkey.example-domain.vm-host.net
To allow only a specific user from a domain to sign their e-mails, copy the default wildcard line (line 5), uncomment your new line, and change it to look like this:
#*@example.com default._domainkey.example.com
user@eapps-example.com default._domainkey.eapps-example.com
user@example-domain.vm-host.net default._domainkey.example-domain.vm-host.net
You have two choices - either everyone who sends e-mail from the domain will have their e-mails signed, or only specific users will. If everyone will have their e-mails signed, then use the first example, otherwise use the second example, and list each user in the file, one user per line.
This can vary by domain, though. You can allow all users from one domain to sign their e-mails, but only allow specific users from another domain to sign their e-mails.
Once you have made your changes, save and exit the file.
TrustedHosts
The TrustedHosts file will already have an entry for 127.0.0.1 (localhost) and the eapps-example.com domain. Add the new domain to the file, making sure it is on a line by itself.
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
eapps-example.com
example-domain.vm-host.net
68.169.60.79
Once you have made your changes, save and exit the file.
Restarting OpenDKIM
Once you have added the new key directory, generated the keys for any additional domains, and configured the KeyTable, SigningTable, and TrustedHosts for the additional domains, you will need to restart OpenDKIM.
For CentOS 6, use the service opendkim restart command:
[root@eapps-example opendkim]# service opendkim restart
Configuring multiple domains using ISPmanager 5
All the configuration for using multiple domains with ISPmanager 5 is done directly from the Control Panel. To set up multiple domains to use OpenDKIM, go to Domains > Mail domains, and click on the domain where you want to configure OpenDKIM. Then click on Edit in the upper left corner. On the Mail domain - domain.tld screen, click the check box for Enable DKIM for this domain, and then click OK. Do this for every domain where you want to use OpenDKIM.
DNS configuration
You will need to add the public key for your new domain to DNS so that OpenDKIM will work. Full instructions are given in the OpenDKIM DNS configuration section of this user guide. Make sure that you add the public key correctly.
This step is mandatory for using OpenDKIM, which relies on both the private key and the public key to work. If you do not publish your public key to your domain's DNS record, OpenDKIM will not be used for your domain.
Remember that it may take several hours for your DNS record to fully propagate.
Testing OpenDKIM
Once the DNS record is in place, you can start to test OpenDKIM. Instructions on how to test OpenDKIM are in the Testing OpenDKIM section of this user guide. Remember that your original tests may fail if the DNS has not had time to fully propagate.