Last updated: 2018-12-18


Runs outside the MTA to inspect SMTP events (all of this happens before mail is queued)


DNS Setting



apt-get install opendkim-tools

DNS record

SELECTOR._domainkey IN TXT ...


# Creates mail.private (loaded by opendkim) and mail.txt (publish its contents on the DNS server)

opendkim-genkey -s mail -d

chown opendkim: mail.private

chmod 640 mail.private


opendkim-testkey -d -s mail

# Fail:

opendkim-testkey: '' record not found

# Success:

echo $?

# tested by sending an empty email to


Setup Server



apt-get install opendkim


SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock" # chrooted postfix path


AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogFacility          mail
SyslogSuccess           Yes
LogWhy                  Yes
X-Header                Yes

# Map domains in From addresses to keys used to sign messages
KeyTable               /etc/opendkim/key.table
SigningTable           refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts

Mode                    sv
PidFile                 /var/run/opendkim/
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

# mx1, mx2


/etc/init.d/opendkim restart


netstat -tnlp | grep 12345




Dec 18 16:23:36 debian opendkim[5358]: OpenDKIM Filter: mi_stop=1
Dec 18 16:23:36 debian opendkim[5358]: OpenDKIM Filter v2.0.1 terminating with status 0, errno = 0
Dec 18 16:23:36 debian opendkim[5380]: OpenDKIM Filter v2.0.1 starting (args: ... )


opendkim configuration notes


refile = regular expression file


Canonicalization

Selects the canonicalizations to use when signing.

Valid values for each are "simple" and "relaxed"

simple: allows almost no modification of the message in transit
relaxed: tolerates minor changes such as whitespace replacement

relaxed/simple - the message header is processed with the relaxed algorithm and the body with the simple one
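The difference between the two canonicalizations, as an added example (not part of the original notes and not OpenDKIM's own code): a Python sketch of the RFC 6376 simple and relaxed rules, applied to a constructed message before and after a relay changes its whitespace. The function names and the sample message are assumptions made for illustration.

```python
import base64
import hashlib
import re

def canon_header(line: str, mode: str) -> str:
    """Canonicalize one header field (RFC 6376 sections 3.4.1 and 3.4.2)."""
    if mode == "simple":
        return line  # "simple" signs the field byte for byte
    name, value = line.split(":", 1)
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t\r\n")
    return f"{name.strip().lower()}:{value}\r\n"

def canon_body(body: str, mode: str) -> str:
    """Canonicalize the body (RFC 6376 sections 3.4.3 and 3.4.4)."""
    lines = body.split("\r\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, drop trailing ones
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:  # empty body: CRLF for simple, nothing for relaxed
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"

def body_hash(body: str, mode: str) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    digest = hashlib.sha256(canon_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

# Constructed sample: one message as sent, and as seen after a relay that
# re-folded the header and changed whitespace in the body.
SENT_HDR = "Subject: Quarterly report\r\n"
RELAY_HDR = "SUBJECT:  Quarterly\r\n\treport \r\n"
SENT_BODY = "Numbers attached.\r\nRegards\r\n"
RELAY_BODY = "Numbers  attached. \r\nRegards\r\n\r\n"

def survives(header_mode: str, body_mode: str) -> tuple:
    """(header unchanged?, body hash unchanged?) under the given modes."""
    return (
        canon_header(SENT_HDR, header_mode) == canon_header(RELAY_HDR, header_mode),
        body_hash(SENT_BODY, body_mode) == body_hash(RELAY_BODY, body_mode),
    )

if __name__ == "__main__":
    for modes in (("simple", "simple"), ("relaxed", "simple"), ("relaxed", "relaxed")):
        print("/".join(modes), survives(*modes))
```

With relaxed/simple the re-folded header still verifies, but any whitespace change inside a body line breaks the body hash; only trailing empty lines are ignored by both modes.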


AutoRestart

automatically restarts the filter on failures


AutoRestartRate

specifies the filter's maximum restart rate; if restarts begin to happen faster than this rate, the filter will terminate. 10/1h - at most 10 restarts per hour are allowed


UMask

gives all access permissions to the user group defined by UserID and allows other users to read and execute files; in this case it allows the creation and modification of a Pid file.


SigningTable

lists the signatures to apply to a message based on the address found in the From: header field

# domain                     short name for the domain
*          example


KeyTable

maps key names to signing keys


example     DOMAIN_NAME:SELECTOR:/etc/opendkim/keys/


Mode

declares operating modes; in this case the milter acts as a signer (s) and a verifier (v)


X-Header

Adds an X- header to messages passing through this filter to identify messages it has processed.



Postfix configuration




SOCKET="inet:12345@localhost" # listen on loopback on port 12345


# opendkim setup
smtpd_milters           = inet:localhost:12345
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 6


mkdir /var/spool/postfix/var/run/opendkim

chown opendkim:postfix /var/spool/postfix/var/run/opendkim

chmod 770 /var/spool/postfix/var/run/opendkim


SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock" # chrooted postfix path


# opendkim setup
smtpd_milters = unix:var/run/opendkim/opendkim.sock

Send a test mail


Dec 18 17:32:22 debian opendkim[6402]: 4E5358599B "DKIM-Signature" header added


smtpd_milters (default: empty)


  • SMTP mail filters: for mail that arrives via the Postfix smtpd server (smtpd_milters=...)
  • non-SMTP mail filters: for mail that arrives via the Postfix sendmail command line --> cleanup (non_smtpd_milters=...)


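milter_default_action

The default action is to respond with a temporary error status when the filter is unavailable.

Specify "accept" if you want to receive mail as if the filter does not exist. With "accept", mail handled while opendkim is unreachable passes through unsigned and unverified.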

milter_protocol (default: 6)

2    Use Sendmail 8 mail filter protocol version 2
      (default with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

6    Use Sendmail 8 mail filter protocol version 6
      (default with Sendmail version 8.14 and Postfix version 2.6).




before-queue Milter:

man opendkim.conf

zcat /usr/share/doc/opendkim/examples/opendkim.conf.sample.gz