Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7

OpenDKIM is method to digitally sign & verify emails on the mail servers using public & private keys. In other words opendkim implements the DKIM (DomainKeys Identified Mail) standard for signing and verifying email messages on a per-domain basis. DomainKeys are implemented to reduce the chances of outgoing mails to be marked as SPAM.

In this post we will demonstrate how to install & configure DomainKeys with postfix (MTA) on CentOS 7, i am assuming Postfix is already installed with following domain and hostname.

  • Hostname =
  • Domain =

Also Read : How to install and Configure Postfix Mail Server on CentOS 8

Step:1 Set EPEL Repository using below rpm command

OpenDKIM package is not available in the default yum repositories but available in CentOS 7 EPEL repositories.

[[email protected] ~]# rpm -Uvh

Step:2 Install OpenDKIM Package using yum

[[email protected] ~]# yum install -y opendkim

Step:3 Run below Command to create keys

Execute the below command to create public & private keys under folder “/etc/opendkim/keys

[[email protected] ~]# opendkim-default-keygen
Generating default DKIM keys:
Default DKIM keys for created in /etc/opendkim/keys.
[[email protected] ~]#
[[email protected] ~]# cd /etc/opendkim/keys/
[[email protected] keys]# ll
total 8
-rw-r----- 1 root opendkim 891 Nov 29 08:42 default.private
-rw-r--r-- 1 root opendkim 320 Nov 29 08:42 default.txt
[[email protected] keys]#

default.private is the private key for the domain and default.txt is public key that we will publish in DNS record (TXT) in the domain. A Selector ( default ) is created while generating keys, a selector can be unique keyword which is associated in keys and included in DKIM signature.

Step:4 Edit the Following Files :

  • /etc/opendkim.conf —- Config file of opendkim
  • /etc/opendkim/KeyTable —- As name suggest it defines the path of private key for the domain
  • /etc/opendkim/SigningTable — This file tells OpenDKIM how to apply the keys.
  • /etc/opendkim/TrustedHosts — This file defines which hosts are allowed to use keys.

Edit the file “/etc/opendkim.conf” & set the below parameters.


Edit the KeyTable file and replace the with your domain name.

[[email protected] ~]# cat /etc/opendkim/KeyTable
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
[[email protected] ~]#

Edit the SigningTable file and define who will sign the outgoing mails.

[[email protected] ~]# cat /etc/opendkim/SigningTable 
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.


As i am using * in above parameter which means all the users on domain are allowed to sign the emails.

Edit the TrustedHosts file , add Server’s FQDN and domain name below localhost ip (

[[email protected] ~]# cat /etc/opendkim/TrustedHosts 
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP ( should always be the first entry in this file.
[[email protected] ~]#

Step:5 Edit Postfix Config File (/etc/postfix/

Add the below lines at end of /etc/postfix/ file.

[[email protected] ~]# vi /etc/postfix/
smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Step:6 Start OpenDKIM & postfix Service

[[email protected] ~]# hash -r
[[email protected] ~]# systemctl start opendkim ; systemctl enable opendkim ; systemctl restart postfix
ln -s '/usr/lib/systemd/system/opendkim.service' '/etc/systemd/system/'
[[email protected] ~]#

Step:7 Update the TXT DNS record of your domain.

Use the output of default.txt and update the DNS Record (TXT) of the Domain.


Step:8 Send a Test email and view the logs.


Check whether email is signed or not.


Wow , Our email is signed and domainKeys configuration task is completed now.

24 thoughts on “Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7”

  1. How do you make a keygen for another domain besides whatever is returned by hostname?

    Also, how do you do this for multiple domains?

  2. After entering ‘cat /etc/opendkim/keys/default.txt’ I got a ‘DKIM key default for com’ and not my domain name at the end of the message.

    At the start when I ran the command ‘opendkim-default-keygen’, I got a message ‘Default DKIM keys for com created in /etc/opendkim/keys.’ instead of one with my domain name. There isn’t any step defined in your tutorial to change this.

  3. To me, step 3 is incomplete as no domain is being specified here.
    Maybe the use of these would be relevant (where is your domain name):
    mkdir /etc/opendkim/keys/
    opendkim-genkey -D /etc/opendkim/keys/ -d -s default
    chown -R opendkim: /etc/opendkim/keys/
    mv /etc/opendkim/keys/ /etc/opendkim/keys/

  4. Hi, I got a problem to start openDKIM. It comes out error for “Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied

    I try to change permission for 664. It seem not work. Do you have any idea and suggestion for solve this problem?

  5. I am baffled.
    I cannot get past your Step 2: “yum install -y opendkim”

    I get an error message:
    “No package opendkim available”

    Do you know why this is happening?

    • Hi Rodney,

      opendkim package is available in the epel repository. So first enable or configure epel repo in your system and then hit the above mentioned yum command.

  6. I have problem not authenticated but DKIM verification successful and no signing table match for but DKIM verification successful how to fix this problem?

  7. Our web server has a Thawte EV SSL certificate. Should I link to those keys or generate our own opendkim keys? How do I include the IntermediateCA.crt?

  8. Hi Pradeep,

    You have a small error – you have not removed the # from line 5 of the highlighted lines on step 4. This is for the “opendkim.conf”

    Regards 😉

  9. how send email without any relayhost

    #relayhost = []:587
    smtp_tls_security_level = encrypt
    header_size_limit = 4096000
    smtp_use_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
    smtp_sasl_security_options = noanonymous
    smtp_sasl_tls_security_options = noanonymous

    smtpd_milters = inet:
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept

    error when do that realy access denied

  10. The mail gets sent but it is not signed . The logs don’t show anything about dkim either. Dkim is running so i’m not sure why there are no errors displayed

  11. Ok I found the problem why it wasn’t signing, but now when checking the header in e-mail it says invalid format dkim-neutral

  12. I’m out of ideas. Any help would help. what is the selector i add to my dns.. for instance.. when i do a test both show vaild records so i’m not sure why i keep getting dkim=neutral (bad format) [email protected] header.s=default header.b=lQ1YkIEB;




    • Hi Robyir,

      When we install postfix then ‘/etc/postfix/’ file is created automatically.

      Could you please check your postfix installation once ?


Leave a Reply to Robyir Cancel reply