15. Adding DKIM to your email server

In this video we improve our sent email score to 8.9/10 by adding DKIM to our Raspberry Pi and DNS server. This is the third phase of work towards making our emails end up in our recipients' inbox and not their spam box. The settings snippets I promise in the video are here.

Please note that YouTube now has Markdown, so any text below starting with a # is considered a header. This clearly breaks the example settings, much of which contain #’s. So, please note every comment # has a \ in front of it that will need *removing*, so make sure you copy and paste this into a text editor, remove the \’s at the start and then paste in.

\# This is a basic configuration that can easily be adapted to suit a standard
\# installation. For more advanced options, see (5) and/or
\# /usr/share/doc/opendkim/examples/.

\# Log to syslog
Syslog yes
\# Required to use local socket with MTAs that access the socket as a non-
\# privileged user (e.g. Postfix)
UMask 002

\# Sign for with key in /etc/dkimkeys/ using
\# selector ’2007’ (e.g. )
\#Domain
\#KeyFile /etc/dkimkeys/
\#Selector 2007

\# Commonly-used options; the commented-out versions show the defaults.
Canonicalization simple
Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256

\# Socket smtp://localhost
\#
\# ## Socket socketspec
\# ##
\# ## Names the socket where this filter should listen for milter connections
\# ## from the MTA. Required. Should be in one of these forms:
\# ##
\# ## inet:port@address to listen on a specific interface
\# ## inet:port to listen on all interfaces
\# ## local:/path/to/socket to listen on a UNIX domain socket
\#
\#Socket inet:8892@localhost
Socket local:/var/spool/postfix/opendkim/

\## PidFile filename
\### default (none)
\###
\### Name of the file where the filter should write its pid before beginning
\### normal operations.
\# PidFile /var/run/opendkim/

\# Always oversign From (sign using actual From and a null From to prevent
\# malicious signatures header fields (From and/or others) between the signer
\# and the verifier. From is oversigned by default in the Debian package
\# because it is often the identity key used by reputation systems and thus
\# somewhat security sensitive.
OversignHeaders From

\## ResolverConfiguration filename
\## default (none)
\##
\## Specifies a configuration file to be passed to the Unbound library that
\## performs DNS queries applying the DNSSEC protocol. See the Unbound
\## documentation at for the expected content of this file.
\## The results of using this and the TrustAnchorFile setting at the same
\## time are undefined.
\## In Debian, /etc/unbound/ is shipped as part of the Suggested
\## unbound package
\# ResolverConfiguration /etc/unbound/

\## TrustAnchorFile filename
\## default (none)
\##
\## Specifies a file from which trust anchor data should be read when doing
\## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
\## at for the expected format of this file.
TrustAnchorFile /usr/share/dns/

\## Userid userid
\### default (none)
\###
\### Change to user “userid“ before starting normal operation? May include
\### a group ID as well, separated from the userid by a colon.
\# UserID opendkim

\# Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/
SigningTable refile:/etc/opendkim/

\# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/

\# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/

And here...

\# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/
non_smtpd_milters = $smtpd_milters
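
To confirm that outgoing mail really carries the signature the OpenDKIM settings above ask for (SignatureAlgorithm rsa-sha256, Canonicalization simple, OversignHeaders From), the Python script below parses a DKIM-Signature header value and lists any mismatch. It is an added example, not part of the settings from the video; the sample headers, the domain example.org, the selector "mail" and the b=/bh= values are constructed.

```python
import re

def parse_dkim_signature(value):
    """Split an RFC 6376 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_signature(value, from_headers=1):
    """Return a list of mismatches against the OpenDKIM settings above."""
    tags = parse_dkim_signature(value)
    findings = []
    if tags.get("a") != "rsa-sha256":            # SignatureAlgorithm rsa-sha256
        findings.append("a=%s, expected rsa-sha256" % tags.get("a"))
    # Canonicalization simple: c= is header/body, each part defaulting to simple
    header_c, _, body_c = tags.get("c", "simple/simple").partition("/")
    if (header_c, body_c or "simple") != ("simple", "simple"):
        findings.append("c=%s, expected simple/simple" % tags.get("c"))
    # OversignHeaders From: h= names From once more than the message contains it
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    if signed.count("from") <= from_headers:
        findings.append("From is not oversigned in h=")
    for required in ("d", "s", "bh", "b"):
        if not tags.get(required):
            findings.append("missing %s= tag" % required)
    return findings

# Constructed sample header values (not taken from real mail)
GOOD = """v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=mail;
\tt=1700000000; bh=Y29uc3RydWN0ZWQ=;
\th=From:To:Subject:Date:From;
\tb=c2FtcGxlIG9ubHk="""
BAD = "v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.org; s=mail; h=From:To; b=c2FtcGxl"

if __name__ == "__main__":
    for name, header in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_signature(header) or "matches configured settings")
```

Paste the DKIM-Signature value from a test message you sent to yourself in place of GOOD; an empty result means the header matches the three settings.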