DomainKeys/DKIM Implementation on Zimbra+SLES 11 SP1 with OpenDKIM

The following tutorial covers DomainKeys/DKIM implementation using OpenDKIM on SLES or openSUSE. DomainKeys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to “sign” a message to prove that it really did come from them.

DKIM was originally written as a sender authentication protocol, developed to address the problem of forged email messages. Yahoo! released the DomainKeys specification and Cisco released the Internet Identified Mail specification. Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).
There are various options for implementing DomainKeys signatures: DK-Filter, DKIM-milter, OpenDKIM and the Amavisd-new DKIM implementation. Don’t be confused by all the terms. All methods have a similar function: signing your email as “trusted” or legitimate email.

Implementing OpenDKIM on openSUSE/SLES for Zimbra Mail Server can be achieved in 5 easy steps:

  1. Installing OpenDKIM
  2. Configuring OpenDKIM
  3. Configuring DNS Records
  4. Integrating with Your Mail Server (in my case : Zimbra Mail Server)
  5. Testing & Verifying the DKIM Signature


Download and install OpenDKIM. I found a repo on openSUSE Community Repository, Webpin. The RPM was built for openSUSE 11.2 but you may also install it on openSUSE 11.3 or SLES 11.
In case the original RPM is removed from the repos, I made a backup copy on my repo.

wget -c
wget -c
zypper in *.rpm


  1. Create OpenDKIM configuration
    cp /usr/share/doc/packages/opendkim/opendkim.conf.sample /etc/opendkim.conf
    mkdir -p /etc/mail/dkim
  2. Modify /etc/opendkim.conf to suit your environment
    BaseDirectory /var/run/opendkim
    KeyFile /etc/mail/dkim/selector.private
    Mode sv
    Selector selector
    Socket inet:8891@localhost
    Syslog Yes
    SyslogFacility mail
    X-Header Yes
  3. Create the selector and key for signing messages
    opendkim-genkey -d -D /etc/mail/dkim -s selector
    cd /etc/mail/dkim
    chmod 440 selector.private

    The above command creates 2 files: selector.txt and selector.private. selector.txt contains the DNS record that we must insert into our DNS server.

  4. Run OpenDKIM with the following command:
    opendkim -x /etc/opendkim.conf


Open /etc/mail/dkim/selector.txt and copy its content into your DNS server. If your public DNS is managed by your ISP, contact them and ask them to insert a TXT record into the DNS server for your domain.
Below is a sample from my DNS server for my domain:

# cat /var/lib/named/master/
$TTL 2d
@		IN SOA (
				2010122101	; serial
				3h		; refresh
				1h		; retry
				1w		; expiry
				1d )		; minimum
		IN NS
		IN NS
		IN A		174.120.9.XXX
		IN MX		0
ns1		IN A
mail		IN A
ns2		IN A
		IN TXT          "v=spf1 a mx ~all"
selector._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIG29fMA0GCSqsdfsdfdsfdsfGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQMMAAmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB"
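
An added example (not part of the original tutorial): a Python check to run on a selector TXT value before publishing it. It joins the quoted chunks, parses the tag list and reads the RSA modulus size out of the p= key. The names `sample_record`, `audit` and the 2048-bit `min_bits` threshold are assumptions of this example, and the sample records are constructed with filler moduli, not real keys.

```python
import base64, re

def tlv(tag, body):  # DER-encode one element (used only to build the constructed sample)
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def sample_record(bits):
    """Constructed TXT value: the modulus is filler of the right size, not a real key."""
    n = (1 << (bits - 1)) | 1
    rsa = tlv(0x30, tlv(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    b64 = base64.b64encode(tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))).decode()
    chunks = [b64[i:i + 200] for i in range(0, len(b64), 200)]  # zone files split long keys
    return '"v=DKIM1; k=rsa; p=' + '" "'.join(chunks) + '"'

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_tags(txt):
    """Join quoted TXT chunks, then split the DKIM tag=value list."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    pairs = (item.split("=", 1) for item in joined.split(";") if "=" in item)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def audit(txt, min_bits=2048):
    """Return (rsa_bits, problems); min_bits is this example's assumed policy."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= value")
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None, problems + ["no RSA key to measure (other k= or empty p=)"]
    _, spki, _ = read_tlv(base64.b64decode(tags["p"]), 0)   # SubjectPublicKeyInfo
    _, _alg, after_alg = read_tlv(spki, 0)                  # AlgorithmIdentifier
    _, bitstring, _ = read_tlv(spki, after_alg)             # BIT STRING wrapping the key
    _, rsa, _ = read_tlv(bitstring, 1)                      # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa, 0)                        # first INTEGER is the modulus
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        problems.append(f"{bits}-bit key is below the {min_bits}-bit policy")
    return bits, problems

if __name__ == "__main__":
    print([audit(sample_record(size)) for size in (1024, 2048)])
```

Paste the contents of selector.txt into `audit()` in place of the constructed sample to check a real record.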

Open a terminal/konsole, log in as the Zimbra user (su - zimbra) and replace/add the following lines in /opt/zimbra/postfix/conf/ :

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

Save and run the reload command: postfix reload
After all steps have been executed successfully, test OpenDKIM by sending a blank email to or or or to your Gmail/Yahoo email account.
Below is a sample of the response message from sendmail:

Authentication System:       DomainKeys Identified Mail
Result:                   DKIM signature confirmed GOOD
Description:              Signature verified, message arrived intact
Reporting host: 
More information:
Sendmail milter:

Response from elandsys:

This is an automatic response.  Replies to this message will not generate
an automatic response.
Do not reply to this message except for reporting a problem.
The results are as follows:
DKIM Signature validation: pass (1024-bit key)

Response from Gmail

Received-SPF: pass ( domain of designates XXX.158.52.XXX as permitted sender) client-ip=XXX.158.52.XXX;
Authentication-Results:; spf=pass ( domain of designates XXX.158.52.XXX as permitted sender); dkim=pass
Received: from localhost (localhost [])
	by (Postfix) with ESMTP id 0E666DB0302
	for ; Wed, 22 Dec 2010 09:42:12 +0700 (WIT)
X-Virus-Scanned: amavisd-new at
Received: from ([])
	by localhost ( []) (amavisd-new, port 10024)
	with ESMTP id On3P3QqkyMM4 for ;
	Wed, 22 Dec 2010 09:42:11 +0700 (WIT)
Received: from ( [XXX.158.52.XXX])
	by (Postfix) with ESMTP id 56CC1DB0136
	for ; Wed, 22 Dec 2010 09:42:11 +0700 (WIT)
X-DKIM: OpenDKIM Filter v2.2.2 56CC1DB0136
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;
	s=selector; t=1292985731;
