Looks like I never wrote a blog posting on setting up DKIM. I just realised one of my servers wasn't set up after a re-install, so I'm having to remember how to do it again.
I'm using sendmail (yes, shut up), and DKIM hooks in using its milter (mail filter) mechanism.
# apt-get install dkim-filter
Now wire it into sendmail.mc:
Now when mail comes in, you should see headers like this added by your mail server (dildano.hawaga.org.uk in this case) when DKIM verification happens (eg in mail from gmail):
Authentication-Results: dildano.hawaga.org.uk; dkim=pass (1024-bit key) email@example.com; dkim-adsp=none
The other half of the equation is DKIM signing my outbound mail, so that other people who do checks like this can verify/not-verify my email.
DKIM needs a public/private keypair:
# dkim-genkey -b 1024 -d hawaga.org.uk -s hampshire
-s specifies a selector name. This is a fairly arbitrary identifier used to identify this keypair, because a domain can have multiple keypairs (for example, one per mail server). In the hawaga.org.uk domain, I seem to use names of English counties.
# ls
hampshire.private hampshire.txt
# cat hampshire.txt
hampshire._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUP+5f0nEWyYICxr8rLN8xannlteBg4WF2Fat/MS8CiAa1lE2wgvhKYJJD/ydJ//5B9fBZAwSXTAq2ZCQYIfRf985Yip0BK80ECTlOunaSnMY/4/RzmkXGpndJaHIFqmSWDhML1yBP6W6owJDXIPDCAbV80kd5Z5aAkv8518lk+wIDAQAB" ; ----- DKIM hampshire for hawaga.org.uk
That .txt file is a DNS record to install under hawaga.org.uk. When you've installed it, you can check with:
dig -t txt hampshire._domainkey.hawaga.org.uk @localhost
That's the public key installed. Now the private key, configured on the dkim-filter side:
Domain hawaga.org.uk
KeyFile /etc/mail/hampshire.private
Selector hampshire
# /etc/init.d/dkim-filter restart
Now send out some mail to some other account. It should have a DKIM signature header added like this:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hawaga.org.uk; s=hampshire; t=1328349841; bh=hGo8Oadbgx3cVNwLr3hGDRfMX5LwWwXuz2PzqEowx0I=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; b=oBeSDSzxz7/awSnxuos6jyJuBoYH2MbiB3HDpbZfLQnTTdEJdx2WD0ubSVAaKAJmV ma5xuSaNGeS7X3Xg49obL6nWA89tiOeVAq9FO+7NP+v2DmUPFxEYkLeQJUANYKzAw/ r8ag9XnbRkxvY+J/rrmeaAjJdnfgUQlKSHlV5CWE=
... and if that other account happens to do DKIM verification, you should see its version of:
Authentication-Results: paella.hawaga.org.uk; dkim=pass (1024-bit key) firstname.lastname@example.org
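As an added example (not code from this post or from dkim-filter), here is a small stdlib-only Python script that cross-checks an outgoing DKIM-Signature header against the selector's published key record: it parses both tag=value lists, derives the DNS name the verifier will look up (the same name as the dig query above), reads the RSA modulus size out of the p= value, and confirms the signature length and body hash length are consistent with the declared algorithm. The header and TXT record quoted above are embedded as constructed input so it runs offline; a real check would fetch the TXT record from DNS instead.

```python
"""Cross-check a DKIM-Signature header against its selector's DNS key record.

Added example, not part of the original post. The two inputs below are the
record and header quoted in the post, embedded here as constructed input.
"""
import base64
import re

# Constructed input: the hampshire._domainkey TXT record contents from the post.
TXT_RECORD = (
    "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUP+5f0nEWyYICxr8"
    "rLN8xannlteBg4WF2Fat/MS8CiAa1lE2wgvhKYJJD/ydJ//5B9fBZAwSXTAq2ZCQYIfRf985Yip0BK80"
    "ECTlOunaSnMY/4/RzmkXGpndJaHIFqmSWDhML1yBP6W6owJDXIPDCAbV80kd5Z5aAkv8518lk+wIDAQAB"
)

# Constructed input: the DKIM-Signature header value from the post, folding whitespace included.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=hawaga.org.uk; s=hampshire; t=1328349841; "
    "bh=hGo8Oadbgx3cVNwLr3hGDRfMX5LwWwXuz2PzqEowx0I=; "
    "h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; "
    "b=oBeSDSzxz7/awSnxuos6jyJuBoYH2MbiB3HDpbZfLQnTTdEJdx2WD0ubSVAaKAJmV "
    "ma5xuSaNGeS7X3Xg49obL6nWA89tiOeVAq9FO+7NP+v2DmUPFxEYkLeQJUANYKzAw/ "
    "r8ag9XnbRkxvY+J/rrmeaAjJdnfgUQlKSHlV5CWE="
)


def parse_tags(value):
    """Split a DKIM tag=value list into a dict. Whitespace inside a value is
    header folding and carries no meaning, so it is stripped."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_name(sig_tags):
    """The TXT record name a verifier queries for this signature: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value_bytes, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus in a p= tag (base64 DER SubjectPublicKeyInfo)."""
    spki = base64.b64decode(p_value)
    tag, body, _ = der_tlv(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, pos = der_tlv(body, 0)             # AlgorithmIdentifier, skipped
    tag, bits, _ = der_tlv(body, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsakey, _ = der_tlv(bits[1:], 0)      # RSAPublicKey SEQUENCE
    tag, modulus, _ = der_tlv(rsakey, 0)     # INTEGER n (may carry a leading 0x00 pad)
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()


def check_signature(sig_header, txt_record, min_bits=1024):
    """Return (ok, findings); findings lists every inconsistency or weakness seen."""
    sig, key = parse_tags(sig_header), parse_tags(txt_record)
    findings = []
    if sig.get("v") != "1":
        findings.append("DKIM-Signature v= must be 1")
    if key.get("v", "DKIM1") != "DKIM1":
        findings.append("key record v= is not DKIM1")
    key_type = key.get("k", "rsa")
    if not sig.get("a", "").startswith(key_type + "-"):
        findings.append(f"a={sig.get('a')} does not match key type k={key_type}")
    bits = rsa_modulus_bits(key["p"])
    if bits < min_bits:
        findings.append(f"{bits}-bit key is below the {min_bits}-bit minimum")
    if len(base64.b64decode(sig["b"])) * 8 != bits:
        findings.append("b= length does not match the modulus size")
    if sig["a"].endswith("sha256") and len(base64.b64decode(sig["bh"])) != 32:
        findings.append("bh= is not a SHA-256 digest")
    if "from" not in sig["h"].lower().split(":"):
        findings.append("h= must include From")
    return not findings, findings


if __name__ == "__main__":
    tags = parse_tags(SIGNATURE_HEADER)
    print("verifier will query:", dns_name(tags))
    print("key size:", rsa_modulus_bits(parse_tags(TXT_RECORD)["p"]), "bits")
    print(check_signature(SIGNATURE_HEADER, TXT_RECORD, min_bits=2048))
```

With the post's own record and header this reports a consistent 1024-bit signature; calling it with min_bits=2048 flags the key size, which is the practical caveat here: RFC 8301 requires signers to use RSA keys of at least 1024 bits and recommends 2048, so a key generated with -b 1024 today is worth regenerating.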