DKIM stands for DomainKeys Identified Mail. It signs outgoing mail with a private key so that receivers can verify the signature against a public key published in your DNS, which helps reduce the probability that your mail will be tagged as spam. DKIM is currently used by many email providers such as Google and Yahoo. See www.dkim.org for more information.
DKIM is not included with Zimbra, but since Zimbra uses Postfix, it is rather simple to enable.
Here is how I did it:
First, install the RPM (replace i386 with x86_64 if you are running a 64-bit OS):
#rpm -ivh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.3-1.i386.rpm
Generate our key :
#cd /etc/dkim-filter
#dkim-genkey -b 1024 -d example.com -s default
Make sure that the files have the right permissions (default.private is the signing key and should be readable only by the dkim-milt user):
#chown dkim-milt *
#chmod 600 *
Add the following lines at the end of /etc/dkim-filter.conf :
Selector default
Domain example.com
KeyFile /etc/dkim-filter/default.private
In the same file, make sure the following line is commented out (it is only needed if you have multiple domains):
#KeyList /etc/mail/dkim/keylist
Add the following line to /etc/mail/dkim/trusted-hosts (this makes sure that outgoing mail is tagged with DKIM headers):
127.0.0.1/32
Start DKIM and make sure it will be started on next reboot :
#/etc/init.d/dkim-milter start
#chkconfig dkim-milter on
The previously generated file /etc/dkim-filter/default.txt contains the entry that you have to add to your DNS server:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY7Lgaeyh6uoRGTOlZI0+5psR2GXB8pUUhsy8M94miy8qnk1nZHvQd+vfo+rfRxdgD4muBDMPOo5yPlcnIRb1uI4g+r0Ztz07KSKvw6PpEyCTqB97n69UFvnnDNcnoJlmhLSivxGGS7qPU1KgD3OCsKYiB4ONuTuWShfueiZPDdQIDAQAB" ; ----- DKIM default for example.com
Depending on where your DNS is hosted, you can simply add that line in your DNS config files or see this document on how to do that with different providers.
The final step is to tell Postfix to use DKIM :
Add or replace the following lines in /opt/zimbra/postfix/conf/master.cf.in
-o smtpd_milters=inet:localhost:20209
-o milter_default_action=accept
-o disable_mime_output_conversion=yes
-o non_smtpd_milters=inet:localhost:20209
Finally, restart the Zimbra MTA so that the changes take effect:
# su - zimbra
$ zmmtactl restart
If you want to test that everything is set up correctly, send an email to "autorespond+dkim-relaxed@dk.elandsys.com"; you should get a reply within a few minutes containing the following line:
DKIM Signature validation: pass (1024-bit key)
Once you get that, everything is working as expected!
This setup has been tested on CentOS 5.4 and Zimbra 5.0.16, but it should also work with Zimbra 6.x.
Update (July 24 2010) :
Here are a few more tips to troubleshoot your DKIM installation:
Make sure your outgoing mail is being tagged. Every time a mail is sent, there should be a line like this in your /var/log/zimbra.log:
Jul 24 20:11:13 mail dkim-filter[5351]: 2875014C024 "DKIM-Signature" header added
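The log check above can be automated. The following is an added example, not part of the original article: it lists the queue IDs of messages sent from your domain that never got a "header added" line. It assumes the standard Postfix qmgr "from=<...>" log line; the function names and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example: find outgoing messages that never got a DKIM-Signature header.

# Constructed sample in the syslog layout of /var/log/zimbra.log (not real traffic).
sample_log() {
cat <<'EOF'
Jul 24 20:11:13 mail dkim-filter[5351]: 2875014C024 "DKIM-Signature" header added
Jul 24 20:11:13 mail postfix/qmgr[4100]: 2875014C024: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Jul 24 20:15:40 mail postfix/smtpd[4210]: warning: milter inet:localhost:20209: can't read SMFIC_DATA reply packet header: Success
Jul 24 20:15:41 mail postfix/qmgr[4100]: 3A9F114C031: from=<bob@example.com>, size=640, nrcpt=1 (queue active)
Jul 24 20:16:02 mail postfix/qmgr[4100]: 4B7C214C045: from=<carol@example.org>, size=1200, nrcpt=1 (queue active)
EOF
}

# unsigned_queue_ids DOMAIN < log
# Prints the queue IDs of messages sent from DOMAIN that have no
# "header added" line from dkim-filter.
unsigned_queue_ids() {
    awk -v dom="@$1>" '
        { id = $6; sub(/:$/, "", id) }                 # field 6 is the queue ID
        # qmgr logs the envelope sender of every message it picks up
        $5 ~ /^postfix\/qmgr\[/ && $7 ~ /^from=</ {
            from = $7; sub(/,$/, "", from)
            if (index(tolower(from), tolower(dom)) > 0) outgoing[id] = 1
        }
        # dkim-filter logs this line each time it signs a message
        $5 ~ /^dkim-filter\[/ && /DKIM-Signature.* header added/ { signed[id] = 1 }
        END { for (id in outgoing) if (!(id in signed)) print id }
    ' | sort
}

# milter_warning_count < log
# Counts Postfix "warning: milter ..." lines in the same log.
milter_warning_count() {
    awk '/warning: milter / { n++ } END { print n + 0 }'
}

echo "unsigned from example.com: $(sample_log | unsigned_queue_ids example.com)"
echo "milter warnings: $(sample_log | milter_warning_count)"
```

On a live server, feed it the real log instead of the sample: unsigned_queue_ids example.com < /var/log/zimbra.log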
Make sure your TXT entry is correct. You should be able to test it with the host command. The syntax is: $ host -t txt <name of your key>._domainkey.<domain name>
In my example, that would be: $ host -t txt default._domainkey.example.com
Or for gmail.com: $ host -t txt gamma._domainkey.gmail.com
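The host check above, as an added example that is not part of the original article: a shell function that reads the output of host -t txt and confirms that the record sits at <selector>._domainkey.<domain> and carries sane v=, k= and p= tags, including the case where a long key comes back as several quoted strings. The function names and the sample answer are constructed for illustration; the p= value is a placeholder, not a real key.

```sh
#!/bin/sh
# Added example: check what "host -t txt" returned for a DKIM selector.

# dkim_tag NAME RECORD -> value of one "name=value" tag, whitespace removed
dkim_tag() {
    printf '%s\n' "$2" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" | head -n 1 | tr -d ' \t'
}

# check_dkim_txt SELECTOR DOMAIN < output of host
# Returns 0 and prints OK only if a usable key record is published
# at SELECTOR._domainkey.DOMAIN.
check_dkim_txt() {
    want="$1._domainkey.$2"
    # Keep the first answer whose owner name is exactly the expected one.
    line=$(awk -v n="$want" 'tolower($1) == tolower(n) && $2 == "descriptive" { print; exit }')
    [ -n "$line" ] || { echo "FAIL: no TXT answer for $want"; return 1; }
    # Long TXT data comes back as several quoted strings: strip the outer
    # quotes and join the pieces.
    rec=$(printf '%s\n' "$line" |
        sed -e 's/^[^"]*"//' -e 's/"[[:space:]]*$//' -e 's/"[[:space:]]*"//g')
    v=$(dkim_tag v "$rec"); k=$(dkim_tag k "$rec"); p=$(dkim_tag p "$rec")
    [ -z "$v" ] || [ "$v" = "DKIM1" ] || { echo "FAIL: unexpected v=$v"; return 1; }
    [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "FAIL: k=$k, this setup signs with rsa"; return 1; }
    [ -n "$p" ] || { echo "FAIL: p= is missing or empty, no public key"; return 1; }
    printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
        { echo "FAIL: p= is not base64"; return 1; }
    echo "OK: $want has an rsa key record (${#p} base64 characters)"
}

# Constructed sample answer; the p= value is a placeholder, not a real key.
SAMPLE_ANSWER='default._domainkey.example.com descriptive text "v=DKIM1; g=*; k=rsa; p=QUJDREVG" "R0hJSktM"'

printf '%s\n' "$SAMPLE_ANSWER" | check_dkim_txt default example.com
```

On a live system, pipe the real lookup into it: host -t txt default._domainkey.example.com | check_dkim_txt default example.com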




25 May 2010 at 23:05
Hi, I’m just wondering if this setup also applies to this version: dkim-milter-2.8.3-1.x86_64.rpm. I tried to follow your guide but it seems different. Also, I have a two-domain mail server; how can I set it up?
26 May 2010 at 09:03
I followed your guide and already configured multiple domains… but not successful…
DKIM Signature validation: not available
DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.mydomain.com
I have correct reverse DNS and SPF….
26 May 2010 at 09:14
I’m back again. I just observed, when I try to restart zmmtactl:
-o smtpd_milters=inet:localhost:20209
-o milter_default_action=accept
-o disable_mime_output_conversion=yes
-o non_smtpd_milters=inet:localhost:20209
none of these is saved in master.cf
26 May 2010 at 16:34
It should work with x64 with no problem, but I haven’t tested.
You should set it in master.cf.in, that’s my mistake. master.cf gets overwritten every time Zimbra restarts.
You could also try to put the following lines in main.cf:
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_default_action = accept
You don’t need both, just one.
If it works, you should see the following entry in zimbra.log every time a mail is sent:
"DKIM-Signature" header added
26 May 2010 at 19:41
Thanks for the reply… how can I set up 2 domains like domain1.com and domain2.com? Also, once I edit master.cf I don’t need to restart $zmmtactl restart
26 May 2010 at 20:05
For multiple domains, instead of using the KeyFile parameter, you will have to use the KeyList parameter and specify the key file for each domain.
26 May 2010 at 20:30
Thanks for the reply again… just wondering, I have 4 main.cf files:
/opt/zimbra/postfix-2.4.7.5z/conf/main.cf
/opt/zimbra/postfix-2.6.5.2z/conf/main.cf
/opt/zimbra/postfix-2.6.5.2z/conf/main.cf.default
/opt/zimbra/postfix-2.6.5.2z/libexec/main.cf
Do I need to edit them all and append
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_default_action = accept
Also, after applying this, do I need to restart the Zimbra server or just $zmmtactl restart?
Thanks
26 May 2010 at 21:03
Just the one in /opt/zimbra/postfix/conf/main.cf
/opt/zimbra/postfix/ should be a symlink to your current postfix version.
$zmmtactl restart should be enough.
26 May 2010 at 21:12
Thanks… now I have to try… I’ll let you know if it works….
26 May 2010 at 21:20
Hi, I’m back. After restarting and tailing the Zimbra logs… I have this error.
warning: milter inet:localhost:20209: can't read SMFIC_DATA reply packet header: Success
26 May 2010 at 21:29
Error logs…
May 27 10:23:09 ns2 postfix/smtpd[22218]: warning: milter inet:localhost:20209: can't read SMFIC_DATA reply packet header: Success
May 27 10:23:09 ns2 dkim-filter[3835]: terminated with signal 8, restarting
May 27 10:23:09 ns2 postfix/cleanup[22222]: CC62E21E89FC: message-id=
May 27 10:23:09 ns2 dkim-filter[22223]: Sendmail DKIM Filter v2.8.3 starting (args: -x /etc/dkim-filter.conf)
26 May 2010 at 21:58
OK, after some research I found this…
[Incompat 20090428] The default milter_protocol setting is increased
from 2 to 6; this enables all available features up to and including
Sendmail 8.14.0. The new milter_protocol setting may break
compatibility with older Milter libraries or applications, and may
cause Postfix to log warning messages such as:
warning: milter inet:host:port: can't read packet header: Unknown error : 0
warning: milter inet:host:port: can't read packet header: Success
warning: milter inet:host:port: can't read SMFIC_DATA reply
packet header: No such file or directory
To restore compatibility, specify "milter_protocol = 2" in main.cf.
Now I did change milter_protocol = 2
Now this is the error I have….
May 27 10:53:22 ns2 dkim-filter[22864]: D1B8121E8A5B: no signature data
26 May 2010 at 22:16
I found an error: if milter_protocol = 2 is set in main.cf, all incoming mail is rejected… I’m still stuck with this error: warning: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success
27 May 2010 at 03:42
"DKIM-Signature" header: after many rounds of trial and error I get this in my Zimbra log… if I add milter_protocol = 2 to main.cf… but the problem is Zimbra mail can no longer receive any email…. If I remove milter_protocol I’m back to this problem: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success
Please help…
30 May 2010 at 02:31
How to fix this error can’t read SMFIC_DATA reply packet header: Success
31 May 2010 at 18:23
I really have no idea how to fix this error, sorry.
24 July 2010 at 18:44
Hi,
I have done everything in this tutorial, and everything seems to be fine, but every time I send an email to the DKIM test account "autorespond+dkim-relaxed@dk.elandsys.com"
I get this:
DKIM Signature validation: not available
DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.metatron.com
I use EasyDNS, and I have created a TXT record like this:
v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBzDGZz/TUNjKQgbInsM8cJGABwTqIrXSMsouHETkeZAZqE0XAVXEAIsqdY8MGkP24Xhy8HykgZIHeDzn G3jPlADiaHjQcmoqW7lcM+fCFrtSlOQRqK0dVLPmwXBxxUla9LNxKjo0Gj5CNGPThlWzhH53mw6itRqKeIiVo5KQmzwIDAQAB
Is that right? What else do I need to do?
Regards
24 July 2010 at 19:32
Hello,
There is something wrong with your DNS entry. I think the "TXT name" is missing.
The following command should return your DKIM signature: host -t txt _adsp._domainkey.metatron.com
But it does not.
24 July 2010 at 19:50
I updated the article by adding a few tips at the bottom to help people troubleshoot their DKIM issues.
26 July 2010 at 10:54
Well, I made a mistake; my full default.txt is the following:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
CBiQKBgQDmGqJ5XDG50kq73j+QbDtmQXWzZAyTg9i3YIYQyiX3+xw8+Nj3D1KMQRx4do0ubFU+e0JsNS
9Zilo5VyQHSPoc9z1HiUEJHBloiy0K8uWT8YqYSYpTp5kQLegVtWWgHwer7zFGZNwdoW8LXTYalGC3ii
1Kiqy8HYhp+rDTNEz4dQIDAQAB" ; ----- DKIM default for metatron.com
And EasyDNS (my DNS provider) only allows me to set 2 fields:
"hostname" & TXT record, so what I did was the following:
hostname: smtp.metatron.com
TXT: v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
CBiQKBgQDmGqJ5XDG50kq73j+QbDtmQXWzZAyTg9i3YIYQyiX3+xw8+Nj3D1KMQRx4do0ubFU+e0JsNS
9Zilo5VyQHSPoc9z1HiUEJHBloiy0K8uWT8YqYSYpTp5kQLegVtWWgHwer7zFGZNwdoW8LXTYalGC3ii
1Kiqy8HYhp+rDTNEz4dQIDAQAB
Which part of the default.txt file do I have to put in the TXT record??
**** And second, I was seeing in my Zimbra logs the same problem reported by Ronlad:
"can’t read SMFIC_DATA reply packet header: Success"
What I am going to do is try to upgrade my sendmail version to 8.14. I am using CentOS 5.5 and the sendmail version is "sendmail-8.13.8-8.el5".
Has anybody found how to solve the can’t read SMFIC_DATA issue??
Best Regards
Edgar T.
27 July 2010 at 08:07
I’m not really familiar with EasyDNS, but try to fill the hostname field with the following: default._domainkey.metatron.com
If it does not work, try to fill it with default._domainkey
What you put in the TXT field is correct.
What version of Zimbra are you using? I’m guessing that people who are getting the SMFIC_DATA error are using Zimbra 6?
3 September 2010 at 18:14
Hello, can you tell me where I should put the DKIM configuration in master.cf? Give your master.cf
3 September 2010 at 18:30
I can’t, simply because I no longer set it in master.cf.in, so I don’t have any working example.
I find it easier to set it up in main.cf.
You just need to add these 3 lines at the end of main.cf:
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_default_action = accept
3 September 2010 at 20:14
Hello, can you tell me where I should put the DKIM configuration in master.cf? Give your master.cf
15 September 2010 at 02:17
Edit the Socket line in /etc/default/dkim-filter for it to work:
SOCKET="inet:20209"
That’s the problem and not the main.cf: you just need to add the three commands at the end of the file (no secrets here).
18 September 2010 at 14:22
Salut, Étienne. I was able to successfully set up DKIM on CentOS using OpenDKIM (based on dkim-milter). I wrote a HowTo on my blog here. Hopefully it can help some others trying to do this same setup. Ciao!
21 September 2010 at 14:02
Hi,
First of all, thanks for this great document; my Zimbra server is working properly with DKIM.
Now I have an issue with the milter (milter-reject). I have been receiving this message:
milter-reject: END-OF-MESSAGE from mail-qw0-f52.google.com[209.85.216.52]: 4.7.1 Service unavailable - try again later; from= to= proto=ESMTP helo=<mail-qw0-f52.google.com.
I know that this is because of the spam scores that I have defined. My question is: is there some way to allow the email that I am sending from Gmail to arrive in the Inbox and not be discarded?
I have tested many whitelists in Zimbra, but with no success.
Regards.
Edgar T.
30 November 2010 at 09:53
Hi Étienne,
Installed DKIM, and configured as suggested.
But it’s the same issue which others are facing:
Nov 30 19:54:23 mail postfix/smtpd[12232]: warning: milter inet:localhost:20209: can't read SMFIC_DATA reply packet header: Success
With no "DKIM-Signature" header added
Could you suggest anything?
I am on zcs-6.0.8_GA_2661.RHEL5.20100820051652
Please help
Thanks
Subhranshu Dwivedi
6 October 2011 at 02:59
Hi
This is very helpful for DomainKeys configuration, but
when I try to download and install the dkim package
it shows 404 Not Found. Please give any other link for this package download.
I am waiting for your positive response.
Thanks
Kirtan Patel
26 December 2011 at 02:34
dkim-milter v2.8.3 was released in May 2009 and is no longer supported. As Steve Jenkins pointed out, its twin, which is still under active development and support, can be found at http://www.opendkim.org. See the RELEASE_NOTES in the latest release for a list of what’s changed since dkim-milter.