Configure DKIM Signing and Verification Using Amavis

DomainKeys Identified Mail (DKIM) is a cryptographic technique with which domain owners publish, in DNS, the public halves of the key pairs used to sign their email messages. A third party can then establish a degree of confidence that a message originated from designated and duly authorized infrastructure. In other words, it's a been-there ribbon.

This article explains how to configure a Kolab environment to sign mail messages with DKIM and verify DKIM signatures on inbound email.

This article assumes the Kolab installation is a single-tenant, single-domain and single-system installation.

For distributed environments, verification belongs on the inbound mail exchanger infrastructure and signing on the outbound mail exchanger infrastructure. For environments with multiple domains, each domain needs to be configured per the instructions below. For hosted environments (with an unpredictable and dynamic set of domain name spaces), consider using a fall-back key.

Generating a Domain Private Key

To generate a private domain key, execute the following commands:

# mkdir /etc/amavisd/dkim/
# chown root:amavis /etc/amavisd/dkim/
# chmod 750 /etc/amavisd/dkim/
# amavisd -c /etc/amavisd/amavisd.conf genrsa /etc/amavisd/dkim/ 4096

Examining /etc/amavisd/dkim/ will show it is an RSA private key. Please note that the name of this file includes both the domain name and the key identifier.

Since the file is created by the root super-user, we need to make sure that Amavis has read access:

# chmod g+r /etc/amavisd/dkim/
# chgrp amavis /etc/amavisd/dkim/

Add DKIM Configuration to Amavis

Adding the key to Amavis requires two steps: adding the key to the configuration, and then configuring which sender domains are to be signed with that key.

To add the key to Amavis, edit /etc/amavisd/amavisd.conf and add the following lines:


To configure which sender domains to sign with this key, let's start with the '' sender domain. Add the following configuration:

@dkim_signature_options_bysender_maps = ( {
        "" => {
            d   => '',
            a   => 'rsa-sha256',
            ttl => 10*24*3600
        },
} );

Lastly, enable DKIM signing by supplying the following configuration:

$enable_dkim_signing = 1;

NOTE: Do not yet restart Amavis

Add Submission Service to Amavis

In order to distinguish between inbound and outbound mail, a separate policy bank should be associated with a different listener socket. We'll use port 10023 for this.

Replace the configuration for $inet_socket_port to reflect the new listener port:

$inet_socket_port = [10023, 10024];

Add the interface policy and policy bank:

$interface_policy{'10023'} = 'SUBMISSION';
$policy_bank{'SUBMISSION'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

NOTE: Do not yet restart Amavis

Now, edit /etc/postfix/ and find the submission service. Change it so that the content_filter line shown below is appended:

submission          inet        n       -       n       -       -       smtpd
    -o cleanup_service_name=cleanup_submission
    -o content_filter=smtp-amavis:[]:10023

Add DNS Records

The easiest way to obtain the DNS record that corresponds to the key you just generated is to run the following command:

# amavisd -c /etc/amavisd/amavisd.conf showkeys
; key#1 4096 bits, i=dkim20180723,, /etc/amavisd/dkim/ 3600 TXT (
  "v=DKIM1; p="

The output can be pasted directly into a BIND 9 zone file if so desired. Do not forget to bump the serial of the zone; once the zone is loaded and live, check the new Amavis configuration against DNS with the following command:

# amavisd -c /etc/amavisd/amavisd.conf testkeys
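As an added offline check (example code, not from the original article, Kolab or Amavis), the script below validates a selector._domainkey TXT record before it goes live: it concatenates the several quoted strings a long 4096-bit key is split into, parses the RFC 6376 tag list, and reads the modulus size out of the DER public key, so a truncated paste, an empty p= (which advertises a revoked key) or a duplicated tag is caught. The selector is the one from the showkeys output above; the domain example.org and the toy 7-bit key are constructed placeholders.

```python
import base64
import re
# Constructed sample in the multi-string form that "amavisd showkeys" prints; the
# selector is the article's, the domain and the toy 7-bit key are placeholders.
SAMPLE_ZONE_RECORD = '''dkim20180723._domainkey.example.org. 3600 TXT (
  "v=DKIM1; p=" "MBowDQYJKoZIhvcN" "AQEBBQADCQAwBgIBVQIBAw==" )'''

def join_txt_strings(zone_text: str) -> str:
    return "".join(re.findall(r'"([^"]*)"', zone_text))  # TXT strings concatenate

def parse_tag_list(s: str) -> dict:
    """RFC 6376 tag=value list: ';'-separated; trailing ';' and whitespace allowed."""
    tags = {}
    for item in filter(str.strip, s.split(";")):
        name, sep, value = item.partition("=")
        if not sep or not name.strip() or name.strip() in tags:
            raise ValueError(f"malformed, empty or duplicate tag: {item!r}")
        tags[name.strip()] = value.strip()
    return tags

def _der_tlv(buf: bytes, pos: int):            # one DER tag-length-value at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of a DER SubjectPublicKeyInfo carrying an RSAPublicKey."""
    tag, body, _ = _der_tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(body, 0)               # skip AlgorithmIdentifier
    btag, bits, _ = _der_tlv(body, pos)         # BIT STRING; bits[0] = unused bits
    if tag != 0x30 or btag != 0x03 or bits[0] != 0:
        raise ValueError("p= is not a DER-encoded RSA SubjectPublicKeyInfo")
    _, rsa, _ = _der_tlv(bits[1:], 0)           # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsa, 0)            # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def validate_dkim_key_record(zone_text: str) -> dict:
    """Check a selector._domainkey TXT record; raises ValueError on defects."""
    tags = parse_tag_list(join_txt_strings(zone_text))
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        raise ValueError("v=, when present, must be DKIM1 and the first tag")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    p = re.sub(r"\s+", "", tags["p"])           # whitespace inside base64 is ignored
    if not p:                                   # empty p= means the key is revoked
        return {"revoked": True, "modulus_bits": 0}
    spki = base64.b64decode(p, validate=True)   # binascii.Error is a ValueError
    return {"revoked": False, "modulus_bits": rsa_modulus_bits(spki)}
```

Feed it either the showkeys output or the TXT answer from a resolver; it does not query DNS itself, so it complements rather than replaces the testkeys command.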

Enable DKIM Verification

The simplest part of this exercise is to enable DKIM verification. Edit /etc/amavisd/amavisd.conf and supply the following setting:

$enable_dkim_verification = 1;

Restart Amavis & Postfix

Now we can restart Amavis and Postfix:

# systemctl restart amavisd postfix

NOTE: DKIM signatures will be added only to messages sent through the SMTP submission service on port 587 with STARTTLS and authentication enabled, since only that service hands mail to the SUBMISSION policy bank on port 10023.
