Here is a step-by-step guide to configuring OpenDKIM with Postfix on Debian 12 (bookworm).
We're going to rewrite the default configuration files so that they contain only the minimal, required settings.
Install openDKIM
sudo apt-get install opendkim opendkim-tools
Configure openDKIM
/etc/default/opendkim

The redirection has to happen as root, so pipe the content through sudo tee (a plain "sudo echo ... > file" would run the redirection as your own user and fail):

cat <<'EOF' | sudo tee /etc/default/opendkim > /dev/null
# Legacy configuration file for opendkim
RUNDIR=/run/opendkim
SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=
EOF
/etc/opendkim.conf

(see the opendkim.conf(5) man page for details on each option)

cat <<'EOF' | sudo tee /etc/opendkim.conf > /dev/null
# OpenDKIM configuration
AutoRestart             Yes
AutoRestartRate         10/1h
Syslog                  Yes
SyslogSuccess           Yes
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
OversignHeaders         From
UserID                  opendkim
UMask                   002
Socket                  local:/var/spool/postfix/var/run/opendkim/opendkim.sock
PidFile                 /run/opendkim/opendkim.pid
TrustAnchorFile         /usr/share/dns/root.key
Nameservers             8.8.8.8,1.1.1.1

# Map domains in From addresses to keys used to sign messages
KeyTable                refile:/etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList      /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts           /etc/opendkim/trusted.hosts
EOF
The operating mode is sv: s (signer) and v (verifier), so this host both signs outgoing mail and verifies signatures on incoming mail. OversignHeaders From lists the From header one extra time in the signature's h= tag, so a second From header added after signing invalidates the signature instead of being displayed to the recipient.
Create Signing Table, Key Table, and Trusted Hosts File
All domain DKIM keys are stored in /etc/opendkim/keys.

sudo mkdir -p /etc/opendkim/keys
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys
sudo touch /etc/opendkim/key.table
sudo touch /etc/opendkim/signing.table

The trusted hosts file lists one host per line (written through sudo tee because the redirection must run as root):

printf '127.0.0.1\nlocalhost\n' | sudo tee /etc/opendkim/trusted.hosts > /dev/null

The milter socket lives inside the Postfix chroot:

sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
Configure Postfix
Add to /etc/postfix/main.cf:

# OpenDKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Postfix's smtpd runs chrooted in /var/spool/postfix, so the unix: socket path is relative to that directory (which is why the socket directory was created under /var/spool/postfix/var/run/opendkim above). Note that milter_default_action = accept means mail is still accepted, unsigned and unverified, whenever OpenDKIM is unreachable; set it to tempfail if you would rather defer mail than let it through unsigned.
Add the postfix user to the opendkim group so Postfix can connect to the socket:

sudo usermod -a -G opendkim postfix
Restart OpenDKIM and Postfix
sudo service opendkim restart
sudo service postfix restart
OpenDKIM Key Generator
Let's add a helper script for generating keys for newly hosted domains.
Note: the script uses mail as the DKIM selector. Change the selector variable if you prefer a different one.
Create /usr/local/sbin/generate-dkim-for-domain with the following content (it must be run as root, since it writes under /etc/opendkim and restarts the service):

#!/bin/bash
# /usr/local/sbin/generate-dkim-for-domain
# Generate a DKIM key pair for one domain and register it in OpenDKIM's tables.

die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required, $# provided, domain name required, ex: ./script example.com"

selector="mail"
cwd=$(pwd)
opendkim="/etc/opendkim"
location="$opendkim/keys/$1"

[ -d "$location" ] && die "There is already a directory in the folder, delete the folder if you want to create a new one!"

mkdir -p "$location"
cd "$location" || die "cannot cd to $location"

# 1024-bit RSA is the minimum allowed by RFC 8301, which recommends 2048 bits.
opendkim-genkey -b 1024 -d "$1" -s "$selector"

# Only the opendkim user may read the private key.
chown opendkim:opendkim "$location" "$location"/*
chmod u=rw,go-rwx "$location"/*

# KeyTable entry: <key name> <domain>:<selector>:<private key path>
echo "$selector._domainkey.$1 $1:$selector:$location/$selector.private" >> "$opendkim/key.table"
# SigningTable entry: every sender at this domain signs with that key
echo "*@$1 $selector._domainkey.$1" >> "$opendkim/signing.table"

echo
echo "Add this record in DNS ZONE for domain: $1"
echo
cat "$location/$selector.txt"
echo

cd "$cwd"
service opendkim restart
Let's make it executable:

sudo chmod +x /usr/local/sbin/generate-dkim-for-domain
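Once several domains have been added, the two tables written by the helper can drift apart: a key.table line removed by hand, a signing.table entry that points at a key name that no longer exists, or a private key file left readable by other users. The following checker is an added example and not part of the guide; it parses the KeyTable and SigningTable formats the helper writes and reports inconsistencies. The table contents and the placeholder private key file in demo() are constructed for the demonstration (example.com's key file is created in a temporary directory, example.org's is not, and example.net has no key at all).

```python
"""Cross-check OpenDKIM's KeyTable and SigningTable (added example, not the guide's code)."""
import os
import stat
import tempfile


def parse_key_table(text):
    """KeyTable lines: <keyname> <domain>:<selector>:<private key path>."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        parts = fields[1].split(":") if len(fields) == 2 else []
        if len(parts) != 3:
            raise ValueError("key.table line %d: expected <keyname> domain:selector:path" % lineno)
        keys[fields[0]] = {"domain": parts[0], "selector": parts[1], "path": parts[2]}
    return keys


def parse_signing_table(text):
    """SigningTable lines: <sender pattern> <keyname>."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("signing.table: malformed line %r" % line)
        entries.append((fields[0], fields[1]))
    return entries


def check_tables(key_table_text, signing_table_text):
    """Return a list of problem strings; an empty list means the tables agree."""
    keys = parse_key_table(key_table_text)
    problems = []
    used = set()
    for pattern, keyname in parse_signing_table(signing_table_text):
        if keyname not in keys:
            problems.append("signing.table: %s -> unknown key %s" % (pattern, keyname))
            continue
        used.add(keyname)
        # The sender pattern's domain must be the domain the key was generated for.
        sender_domain = pattern.rpartition("@")[2]
        if sender_domain != keys[keyname]["domain"]:
            problems.append("signing.table: %s signs with a key for %s"
                            % (pattern, keys[keyname]["domain"]))
    for name, key in keys.items():
        if name not in used:
            problems.append("key.table: %s is never referenced" % name)
        path = key["path"]
        if not os.path.isfile(path):
            problems.append("key.table: %s: private key %s missing" % (name, path))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("key.table: %s: %s is accessible to group/other (mode %o)"
                            % (name, path, mode))
    return problems


def demo():
    """Run the checker on constructed tables inside a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        keydir = os.path.join(root, "keys", "example.com")
        os.makedirs(keydir)
        priv = os.path.join(keydir, "mail.private")
        with open(priv, "w") as f:
            f.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a real key)\n")
        os.chmod(priv, 0o600)  # what the helper's chmod u=rw,go-rwx produces
        key_table = (
            "mail._domainkey.example.com example.com:mail:%s\n" % priv
            + "mail._domainkey.example.org example.org:mail:%s/keys/example.org/mail.private\n" % root
        )
        signing_table = (
            "*@example.com mail._domainkey.example.com\n"
            "*@example.net mail._domainkey.example.net\n"
        )
        return check_tables(key_table, signing_table)


if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

On a real server you would feed check_tables() the contents of /etc/opendkim/key.table and /etc/opendkim/signing.table (as root, since the key files are not readable otherwise); the demo reports three problems: an unknown key for example.net, and an unreferenced key with a missing private key file for example.org.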
Usage for the example.com domain:

sudo /usr/local/sbin/generate-dkim-for-domain example.com

Here is the output:

Add this record in DNS ZONE for domain: example.com

mail._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0kl18naNbBBX7J+8yCjUnNdErcEV2QA4ZJ+glfN5NBnTxKs4TlGgSy4W4co9QDi+/nXGD2FGf2s8NLPeyJ6xNpAKF3MNcHiwDPQAYCrWYgw+bw7SGMMDRlNR7Wi09fZbuIBWs8iWu/4IQeCMxdCcJJ0sjXQ5IgybIZP3lSHGu6QIDAQAB" )  ; ----- DKIM key mail for example.com
Publish the record at mail._domainkey.example.com (the selector, then ._domainkey, under your domain).
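Before publishing, it is worth checking that the record the helper printed is well formed and that the key inside it is the size you expect. The script below is an added example, not part of the guide or of OpenDKIM: it reassembles the zone-file form of the record (parenthesised and split into quoted strings), parses the DKIM tag=value list, and walks the DER-encoded RSA public key in p= with a minimal standard-library parser to read the modulus size. The record in SAMPLE_ZONE_RECORD is the one the guide printed for example.com; the size thresholds come from RFC 8301 (1024 bits minimum, 2048 recommended).

```python
"""Check a DKIM TXT record printed by opendkim-genkey (added example, not the guide's code)."""
import base64
import re

# Record as printed by generate-dkim-for-domain for example.com (copied from the guide).
SAMPLE_ZONE_RECORD = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0kl18naNbBBX7J+8yCjUnNdErcEV2QA4ZJ+glfN5N'
    'BnTxKs4TlGgSy4W4co9QDi+/nXGD2FGf2s8NLPeyJ6xNpAKF3MNcHiwDPQAYCrWYgw+bw7SGMMDRlNR7Wi09fZbu'
    'IBWs8iWu/4IQeCMxdCcJJ0sjXQ5IgybIZP3lSHGu6QIDAQAB" )  ; ----- DKIM key mail for example.com\n'
)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def flatten_txt_record(zone_text):
    """Join the quoted string chunks of a zone-file TXT record into one value."""
    chunks = re.findall(r'"([^"]*)"', zone_text)
    if not chunks:
        raise ValueError("no quoted TXT strings found")
    return "".join(chunks)


def parse_dkim_tags(record):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = value.strip()
    return tags


def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus size of an RSA SubjectPublicKeyInfo (what p= carries)."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, pos = _der_read(spki, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsapub, _ = _der_read(bitstr[1:], 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    tag, modulus, _ = _der_read(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(zone_text):
    """Return (tags, modulus_bits, problems) for a zone-file DKIM TXT record."""
    tags = parse_dkim_tags(flatten_txt_record(zone_text))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa keys are inspected here")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        problems.append("h= does not allow sha256 (RFC 8301 retires sha1)")
    if "p" not in tags:
        problems.append("missing p= public key")
        return tags, 0, problems
    key_b64 = "".join(tags["p"].split())  # DKIM allows folding whitespace inside p=
    if key_b64 == "":
        problems.append("p= is empty: this revokes the selector")
        return tags, 0, problems
    bits = rsa_modulus_bits(base64.b64decode(key_b64, validate=True))
    if bits < 1024:
        problems.append("%d-bit key: below the RFC 8301 minimum" % bits)
    elif bits < 2048:
        problems.append("%d-bit key: RFC 8301 recommends at least 2048 bits" % bits)
    return tags, bits, problems


if __name__ == "__main__":
    tags, bits, problems = check_dkim_record(SAMPLE_ZONE_RECORD)
    print("tags:", tags)
    print("RSA modulus:", bits, "bits")
    for p in problems:
        print("WARNING:", p)
```

For the guide's sample record the checker confirms v=DKIM1, k=rsa and h=sha256, reports a 1024-bit modulus, and warns that RFC 8301 recommends 2048 bits; the same function accepts the flat string returned by a TXT lookup, so it can be reused to confirm what was actually published.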
Send a test email and verify that your emails are signed with DKIM.
Notes:
You should have a valid SPF record for each domain.
You should also define a DMARC record for each domain.
Have a nice day :)