How to install and configure dkim with OpenDKIM and Exim on a CentOS 7 VPS

In this article we will walk you through the steps of installing and configuring dkim with OpenDKIM and Exim on a CentOS 7 SSD VPS.

You should have a working mail server setup with Exim before proceeding with this tutorial. Check our guide on how to set-up a mail server with Exim and Dovecot on a CentOS 7 VPS if you don’t have setup a mail server yet.

What is OpenDKIM?

OpenDKIM is an open source implementation of the DKIM (Domain Keys Identified Mail) sender authentication system which is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS.

 

UPDATE THE SYSTEM

Before you start with the installation of OpenDKIM, ssh to your server and initiate a screen session using the command below:

## screen -U -S exim-opendkim

once you’re in a screen session, update your CentOS 7 VPS using yum as in:

## yum update

 

INSTALL SOME PACKAGES

## yum install curl wget vim openssl man

 

ENABLE EPEL REPOSITORY

OpenDKIM is available in the EPEL (Extra Packages for Enterprise Linux) repositry, so let’s enable EPEL repository on the CentOS VPS using:

## yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm

if you get a 404 not found, go at https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/ and install the latest epel-release rpm package available.

next, check if EPEL has been enabled on your system using:

## yum repolist

 

INSTALL OPENDKIM

Once EPEL has been enabled on your linux server, install OpenDKIM using the command below:

## yum install opendkim

and proceed with configuring it by renaming its default configuration to something like /etc/opendkim.conf.orig and adding the following to /etc/opendkim.conf

## mv /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

To learn more about opendkim.conf you can check man opendkim.conf.

 

SET-UP DKIM PUBLIC/PRIVATE KEYS

Now generate a set of keys for your mydomain.com domain name using the commands below:

## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default

once the keys are generated, add mydomain.com to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default

next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:

*@mydomain.com default._domainkey.mydomain.com

and add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:

127.0.0.1
mydomain.com
host.mydomain.com

assuming the domain in question is ‘mydomain.com’ and server’s hostname is set to ‘host.mydomain.com’

finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" )  ; ----- DKIM key default for mydomain.com

you can verify if your dkim TXT record is valid using dig for example:

## dig +short default._domainkey.mydomain.com TXT

"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"

 

CONFIGURE EXIM

Now set-up Exim to use OpenDKIM for signing the emails by editing /etc/exim/exim.conf and adding the following to the remote_smtp transport:

remote_smtp:
        driver = smtp
        dkim_domain = $sender_address_domain
        dkim_selector = default
        dkim_private_key = ${if exists{/etc/opendkim/keys/$sender_address_domain/default}{/etc/opendkim/keys/$sender_address_domain/default}{0}}
        dkim_canon = relaxed
        dkim_strict = 0

restart Exim and Opendkim for the changes to take effect using:

## systemctl restart exim
## systemctl status exim

## systemctl restart opendkim
## systemctl status opendkim
## systemctl enable opendkim

 

LET US DO THIS FOR YOU?

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to install and configure OpenDKIM with Exim. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.