Nov 202014
Article Postfix

Most email services implement several verification procedures on incoming email to ensure that it is legitimate, and prevent their users’ inboxes from being flooded with unwanted email (spam).

For instance, Google Gmail, among other tests, verifies that the incoming email is signed with DKIM. Servers sending email to gmail users that do not implement this signing may find that the emails sent are flagged as spam by Google Gmail servers, are delivered to the spam folder of the recipient, or are just discarded.

This post goes through the details of the implementation of the DKIM digital signature on a Postfix mail server running on a linux Debian machine. It also covers briefly SPF and other email authentication mechanisms.

1. Google recommendations for Bulk Senders

In the page Bulk Senders Guidelines, Google gives a set of recommendations to reduce the risk that outgoing mail sent by a mail server be treated as spam:

  • Always use the same IP address to send emails
  • Create a reverse DNS record translating the server IP into the domain name
  • When a given mail is sent to a number of users (i.e., a newsletter), use always the same sender email address in the “From:” header line
  • Sign messages with DKIM.Use a key of 1024 bit at least
  • Create a SPF record in DNS, specifyign the IP addresses that are allowed to send emails from users in the domain.
  • Publish a DMARC policy
  • If IPV6 is used, make sure that there is a PTR (reverse DNS) record for the IP address that is returned from a direct DNS query for the domain.
  • If IPV6 is used, the domain MUST pass the SPF or DKIM verifications

 2. Installing and configuring OpenDKIM

OpenDKIM is available as a standard package in most linux distros, such as Debian and Ubuntu. It can be installed with a call to apt-get:

Once installed, the configuration file /etc/opendkim.conf must be edited to add the following lines (replacing with your own domain name):

Also the configuration file /etc/default/opendkim needs to be edited to add a line that specifies the connection that postfix will use to access the opendkim service:

3. Generating a private/public key pair that will be used to sign emails

The opendkim-genkey command is used to generate a private/public key pair (replace with the name of your domain):

This command generates a “mail.private” file that contains the private key, and a file “mail.txt” that contains the public key.

The private key is copied to /etc/postfix/dkim.key (the location of the private key previously specified in the opendkim.conf file):

The public key must be added to the DNS configuration of the domain as a TXT record. The exact procedure to edit the DNS configuration of the domain depends on the DNS service provider for the domain. The file “mail.txt” contains the specificatio of the record to add:

Some DNS service providers might give the option to upload this file directly. In most cases, they have a form in their client area that allows adding and editing the records in the DNS zone.

The DNS service can be consulted with a nslookup or dig command to verify that the record has been correctly added:

4. Configuring postfix to use the OpenDKIM signing service on outgoing mail

To do this the lines below must be added at the bottom of  the main postfix configuration file /etc/postfix/ :

5. Starting the service and verify that it is working as expected

To start signing the outgoing mail, the opendkim service needs to be started, and the postfix service needs to be restarted:

To verify that opendkim has started successfully, we can check with netstat that it is listening on TCP port 8891:

The Mail tester online service can be used to verify that messages sent from our server are being signed with opendkim. First, access the home page:


and then send a test email to the email address on the screen:

Next, click on the “Then check your score” button, and wait until the results are displayed:


In the reults page we can see that the message sent had a valid DKIM signature

However, the message did not pass the SPF validation, because we have not added yet a SPF record to the DNS configuration of the domain. The total score obtained in is only 2.8, meaning that messages sent by our server will probably be rejected by most mail servers.

6. Implementing SPF authentication

SPF (Sender Policy Framework) is a mail server validation mechanism based on DNS. To implement SPF, a TXT record is added to the DNS configuration of the domain, specifying the IP addresses that are authorized to send email from senders belonging to the domain.

For instance, the following record only allows the IP address to send emails for domain “”:

The provider of DNS service for our domain usually allows to edit the DNS zone, to add the SPF record, by means of a form in their web site. Afterwards, the command-line tools nslookup or dig can be used to verify that the record is correctly configured:

And finally, the online service can be used again to verify the new configuration:


And that’s all!



 Posted by at 9:32 am

 Leave a Reply