How to Set Up DKIM Email Signing with OpenDKIM and Postfix on Debian 12

Ensure email authenticity and improve deliverability by properly setting up DKIM (DomainKeys Identified Mail) on your self-hosted mail server. This step-by-step guide walks you through configuring OpenDKIM and Postfix to sign outgoing messages using your domain, ensuring DMARC compliance.


Prerequisites

  • A Debian 12 VPS
  • A registered domain (e.g., capelitefinance.net)
  • Mail server stack with Postfix and Dovecot
  • Let’s Encrypt SSL certificate (already installed)

Step 1: Install OpenDKIM

sudo apt update
sudo apt install opendkim opendkim-tools -y

Step 2: Generate DKIM Keys

sudo mkdir -p /etc/opendkim/keys/capelitefinance.net
cd /etc/opendkim/keys/capelitefinance.net
sudo opendkim-genkey -s mail -d capelitefinance.net
sudo chown opendkim:opendkim mail.private

Step 3: Configure OpenDKIM

Edit /etc/opendkim.conf:

Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
OversignHeaders         From
UserID                  opendkim
UMask                   007
Socket                  inet:12301@localhost
PidFile                 /run/opendkim/opendkim.pid
TrustAnchorFile         /usr/share/dns/root.key
KeyTable                /etc/opendkim/key.table
SigningTable            /etc/opendkim/signing.table
ExternalIgnoreList      /etc/opendkim/trusted.hosts
InternalHosts           /etc/opendkim/trusted.hosts

Step 4: Create DKIM Map Files

/etc/opendkim/key.table

mail._domainkey.capelitefinance.net capelitefinance.net:mail:/etc/opendkim/keys/capelitefinance.net/mail.private

/etc/opendkim/signing.table

*@capelitefinance.net mail._domainkey.capelitefinance.net

/etc/opendkim/trusted.hosts

127.0.0.1
localhost
capelitefinance.net
mail.capelitefinance.net

Step 5: Integrate OpenDKIM with Postfix

Edit /etc/postfix/main.cf:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Then restart Postfix:

sudo systemctl restart postfix

Step 6: Publish Your DKIM DNS Record

Open /etc/opendkim/keys/capelitefinance.net/mail.txt and copy the TXT record. Then, create a DNS TXT record:

Name:

mail._domainkey.capelitefinance.net

Type:

TXT

Value: (example)

v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (your full public key)

Allow time for DNS to propagate.
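
opendkim-genkey writes mail.txt as a zone-file record whose value is split across several quoted strings, so it helps to flatten it into the single string a DNS provider's form expects and to confirm it is the public half of mail.private before publishing. The script below is an added example, not part of the original guide: its function names are its own, the embedded sample record is constructed with a placeholder key, and the key comparison assumes openssl is installed.

```sh
#!/bin/sh
# Added example, not from the original guide; function names are its own.

# Join the quoted chunks of a zone-file style TXT record into one string.
dkim_txt_value() {
    sed -n 's/[^"]*"\([^"]*\)"[^"]*/\1/gp' "$1" | tr -d '\n'
}

# Pull the base64 public key out of the p= tag of the flattened value.
dkim_pubkey() {
    dkim_txt_value "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# Derive the same base64 public key from the private key (needs openssl).
dkim_pubkey_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Succeeds only if mail.txt ($1) carries the public half of mail.private ($2).
dkim_pair_matches() {
    pub=$(dkim_pubkey "$1")
    [ -n "$pub" ] && [ "$pub" = "$(dkim_pubkey_from_private "$2")" ]
}

# Constructed sample in the layout of mail.txt; the key is a placeholder.
write_sample_record() {
    cat > "$1" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=CONSTRUCTEDSAMPLEKEYPART1"
      "CONSTRUCTEDSAMPLEKEYPART2==" )  ; ----- DKIM key mail for capelitefinance.net
EOF
}

if [ -n "${1:-}" ]; then
    # Real use (as root): sh dkim-check.sh /etc/opendkim/keys/capelitefinance.net
    echo "TXT value to publish:"; dkim_txt_value "$1/mail.txt"; echo
    if dkim_pair_matches "$1/mail.txt" "$1/mail.private"; then
        echo "OK: mail.txt matches mail.private"
    else
        echo "MISMATCH: mail.txt does not belong to mail.private" >&2; exit 1
    fi
else
    # No argument: run the parser on the constructed sample only.
    sample=$(mktemp); write_sample_record "$sample"
    dkim_txt_value "$sample"; echo
    rm -f "$sample"
fi
```

A mismatch here means receivers would fail DKIM verification even though OpenDKIM signs every message, so regenerate or re-copy the record before touching DNS.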


Step 7: Restart and Verify

sudo systemctl restart opendkim
sudo systemctl restart postfix

Use this to monitor logs:

sudo journalctl -u opendkim -f

Look for:

DKIM-Signature header added

Then send a test email to the address shown at https://www.mail-tester.com and confirm:

DKIM check: pass
DMARC check: pass

Conclusion

You now have a working DKIM signing setup integrated with Postfix on Debian 12. Receiving servers can verify that mail from your domain is signed, which helps protect it against spoofing. For full email compliance, also confirm your SPF and DMARC records are active and correct.
