One of the most common issues I see with my clients is the “Yahoo/Gmail/Hotmail is sending all of my mail straight to the spam folder despite ‘insert usual DNS and config details here’” issue, so I spent some time researching a solution that would be relatively quick and painless to implement. I found one, but it only works with a plain postfix box. This will not work for Plesk servers, qmail, sendmail, etc. So if you’re running a CentOS or RHEL box with postfix and want DKIM/DomainKeys signing? Here’s an article for you.

In particular, Yahoo seemed to be the most stringent enforcer of the DKIM/DomainKeys/SPF rules (and thus the most likely to spam-folder mail that fails them), so Yahoo became my “litmus test” for DKIM/DomainKeys/SPF configuration: if it works there, it is going to work everywhere else. This has generally been true in my experience. Your mileage may vary.

Please note: This is NOT a cut and paste document. This is meant as a guide that should get you from point A to point B pretty painlessly. However, every dkimproxy install I’ve done has differed just slightly from one detail to another. So be prepared to do a little thinking on your feet. I’ve tried to include most of the “gotchas”, but there’s always something.

Prepare to install

This is actually the “hardest” part of the dkimproxy install. It has varied for just about every system I’ve done to date, and is purely a question of searching the DAG repositories for the RPMs you need to satisfy the dependencies of the required packages when they aren’t available via yum.

So, to start with….you need to install the following RPMs:


As of May 30th, 2011 I found all of the above packages in yum for CentOS 5. RHEL 5 and earlier versions of both may still require a visit to DAG for the packages that are not available in those OS versions. Edit: 12/2011 – I just did this install on a RH ES5.6 server and all of the above perl rpms were in epel-release. Edit: 8/2014 – I just did this on a Red Hat 6.1 box; the packages were still there, in both the base channel and (for perl-Net-Server) epel-release.

These installs could give you some dependency errors. As I said, it is a little different for each server (mostly a question of how long the server has been online, what has been installed on it and how old the OS is). Every requirement I’ve had to fill can be met by searching yum/up2date and/or the package list at DAG. Follow the chains and install the required packages. It is better for your system overall to install a package from yum/up2date before resorting to a DAG rpm.

Once you have the base packages listed above installed (with no further dependency issues), you are ready to proceed onward.


Obtain and compile dkimproxy

Note! The wget statement below was current as of May 30th, 2011. It may have changed. Always go here and make sure you are downloading the most current version of DKIMproxy.

tar -xvzf dkimproxy-1.4.1.tar.gz
cd dkimproxy-1.4.1
./configure --prefix=/usr/local/dkimproxy
make install

Then we place the init script:

cp /etc/init.d/dkimproxy
chmod +x /etc/init.d/dkimproxy

and create the DKIM user:

useradd -d /usr/local/dkimproxy dkim
passwd -l dkim

From there, we create the Key:

cd /usr/local/dkimproxy/etc/
openssl genrsa -out domain.tld.key 1024
openssl rsa -in domain.tld.key -pubout -out

Obviously, replace domain.tld with the domain the client wants to sign. If they plan to sign multiple domains with a single key, that is fine, and you may wish to give the key a more generic name rather than a domain-specific one. One caveat on the 1024-bit size above: it was the norm when this was written, but RFC 8301 (2018) tells verifiers to reject keys shorter than 1024 bits and advises signers to use 2048, so generate a 2048-bit key unless your DNS provider cannot take the longer record.

Now create a DNS TXT record for mail._domainkey.domain.tld containing the public key you just generated. Leave out the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines; the base64 between them will span several lines, so join them into one string with no line breaks when putting it in your DNS record. The whole DNS record will look something like this:

k=rsa; t=s; p=MFwwDQYJ..(snipped for space)….0JMCAwEAAQ==

I’ve shortened the key here for space/display reasons. It will be pretty long.

You can test to see if the key is working like this:

# host -t txt mail._domainkey.domain.tld
mail._domainkey.domain.tld descriptive text "k=rsa\; t=s\; p=MFwwDQYJ……0JMCAwEAAQ=="
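Joining the PEM lines by hand and then eyeballing the host output is where most typos creep in, so here is a small shell script that does both steps mechanically. It is an added example, not code from the article or from the DKIMproxy project: the function names are mine, the public-key file is passed in as an argument because the article never names it, and it adds the optional v=DKIM1 tag that RFC 6376 recommends. It also handles one edge case the article does not mention: a single TXT string cannot exceed 255 bytes, so a 2048-bit key has to be published as several quoted strings that resolvers concatenate again.

```shell
#!/bin/sh
# Added example, not part of the original article: build the mail._domainkey
# TXT record from the PEM file that "openssl rsa -pubout" writes, and compare
# it with what DNS actually serves. Function and file names are my own.

# Bare base64 body of a "BEGIN PUBLIC KEY" PEM file on a single line:
# drop the BEGIN/END lines and remove every line break.
pem_body() {
    grep -v -- '-----' "$1" | tr -d '\r\n'
}

# Record value. v=DKIM1 is optional but recommended; t=s tells verifiers the
# i= identity in a signature must be exactly this domain, not a subdomain.
dkim_record_value() {
    printf 'v=DKIM1; k=rsa; t=s; p=%s' "$(pem_body "$1")"
}

# Zone-file line. One TXT string is limited to 255 bytes and a 2048-bit key
# alone is about 390 characters of base64, so the value is split into quoted
# strings that resolvers join back together. Web DNS panels usually do this
# split for you; BIND-style zone files do not.
dkim_zone_line() {
    selector=$1; domain=$2; pem=$3
    rest=$(dkim_record_value "$pem")
    out="$selector._domainkey.$domain. IN TXT ("
    while [ -n "$rest" ]; do
        chunk=$(printf '%s' "$rest" | cut -c1-255)
        rest=$(printf '%s' "$rest" | cut -c256-)
        out="$out \"$chunk\""
    done
    printf '%s )\n' "$out"
}

# Strip quotes, spaces, backslashes and newlines so the published and expected
# values compare equal regardless of how dig/host chunked or escaped them.
dkim_normalize() {
    tr -d ' "\n\r\\'
}

# Query DNS and compare with the key on disk. Returns 0 on match, 1 otherwise.
# Needs "dig" and network access, so it is not exercised by the self-test.
dkim_dns_check() {
    selector=$1; domain=$2; pem=$3
    expected=$(dkim_record_value "$pem" | dkim_normalize)
    published=$(dig +short TXT "$selector._domainkey.$domain" | dkim_normalize)
    if [ -n "$published" ] && [ "$published" = "$expected" ]; then
        echo "OK: $selector._domainkey.$domain matches $pem"
        return 0
    fi
    echo "MISMATCH or missing record for $selector._domainkey.$domain" >&2
    return 1
}

# Usage (hypothetical path): ./dkim_record.sh mail domain.tld /path/to/public.pem
if [ $# -eq 3 ]; then
    dkim_zone_line "$1" "$2" "$3"
    dkim_dns_check "$1" "$2" "$3"
fi
```

Run it once before you touch DNS to get the zone line, and again after the change propagates; a mismatch usually means a line break or the BEGIN/END lines slipped into the record.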

Now set up the config files. Tell dkimproxy about the key file and the signing parameters by creating /usr/local/dkimproxy/etc/dkimproxy_out.conf with this content:

# specify what address/port DKIMproxy should listen on

# specify what address/port DKIMproxy forwards mail to

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain domain.tld

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile /usr/local/dkimproxy/etc/domain.tld.key

# specify the selector (i.e. the name of the key record put in DNS)
selector mail

Please note: if you are doing a multiple-domain setup with a single key, you can list each domain in a comma-separated list, “domain domain1,domain2,domain3”.

Now copy the sample inbound config to the real inbound config

cd /usr/local/dkimproxy/etc
cp dkimproxy_in.conf.example dkimproxy_in.conf

Start the service

/etc/init.d/dkimproxy start
chkconfig dkimproxy on


Configuring Postfix to use DKIMproxy

You must add the following entries to the bottom of the /etc/postfix/ file:

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=
-o smtpd_authorized_xforward_hosts=

Then, depending on WHAT messages your client wants signed, you need to add the line

-o content_filter=dksign:[]:10027

to that part of the service. So, for example, if they want anything submitted to port 25 signed:

smtp inet n - n - - smtpd
-o content_filter=dksign:[]:10027

If they want script created mail to be signed:

pickup fifo n - n 40 1 pickup
-o content_filter=dksign:[]:10027

Mail to port 587 to be signed:

submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Note: The spacing before the -o is being pulled out by the blog software, even with the code tag. Look at how the rest of the entries in your file look and emulate that where the -o lines are indented. That matters! And a lack of such indenting will prevent postfix from working properly.

There’s obviously more there than just the dksign line in that last one, due to the nature of that port. One security point on the service that accepts mail back from the proxy: its helo, client and sender restrictions are switched off and only permit_mynetworks,reject stands between it and the queue, so keep it bound to 127.0.0.1 and keep both mynetworks and smtpd_authorized_xforward_hosts limited to the loopback network. Exposed on a public address it is an open relay, and anything that can reach it can inject mail that skips your normal checks.

From there, reload postfix. Run postfix check first to catch a malformed master entry, then make sure it starts and continues to be able to send mail (I tend to do both command line tests as well as pop/imap checks for the rack user).

service postfix reload


Testing DKIM signing

Now that all of that is in place, you can now do some tests.

The easiest way to do this, if the server is not doing any sort of mail redirection, is to set up the account in your mail client so you can both send the test messages as well as check and see the reply emails.

I use two primary tests. One, I send a mail (with any subject, any body) to the DKIM test autoresponder, which returns four (at the moment) test results. You can pretty easily see from these four messages what is working and what isn’t.

The second test I use is to check the SPF record, because most services will fail dkim/domainkeys if the SPF record is invalid for the sending host. So send a test message to the SPF test address; it will be rejected WITH the result in the response, so watch the log file on the server to see whether the SPF record passed.

Finally, I create a php script to generate a mail to my yahoo account to see if it gets through with the DKIM/domainkey/SPF pass. You can use something like:

and invoke it via a browser or by the command line:

php /path/to/phpmail.php

Tweak and resolve any issues you came across in testing until you get clean results for DKIM, DomainKeys and SPF. At that point I generally send an email to myself at my yahoo account. If you see the little key/lock icon on the “from” line of the email (and it isn’t in the spam folder), you’ve successfully set up and configured DKIM/DomainKeys. If it IS in the spam folder, look at the Authentication-Results and Received-SPF headers of the received message to see where to go next. As I said, in my experience the most common reason it fails is the SPF record.
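Reading the verdicts out of the received headers is the part that gets tedious when you are iterating on the record, so here is a small shell script that does it. It is an added example, not code from the article or from DKIMproxy: it unfolds the header section of a saved message, takes the topmost Authentication-Results header (the receiving server’s own), reports the dkim, domainkeys and spf results, and falls back to Received-SPF when the SPF result is only there. The sample message embedded in it is constructed for the example and is not a real Yahoo reply; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: pull the DKIM, DomainKeys and
# SPF verdicts out of the headers of a received test message. The sample
# message below is constructed for this example, not a real reply.

TAB=$(printf '\t')

# Header section of a message (up to the first blank line), with folded
# continuation lines joined and everything lower-cased for matching.
unfolded_headers() {
    sed '/^$/q' | sed -e :a -e "\$!N;s/\n[ $TAB]\{1,\}/ /;ta" -e 'P;D' | tr 'A-Z' 'a-z'
}

# Verdict for one method: "dkim", "domainkeys" or "spf". Uses the topmost
# Authentication-Results header, then Received-SPF for spf. Prints
# pass/fail/softfail/neutral/none/... or "missing" when nothing was found.
auth_verdict() {
    method=$1
    msg=$2
    hdrs=$(printf '%s\n' "$msg" | unfolded_headers)
    verdict=$(printf '%s\n' "$hdrs" | grep '^authentication-results:' | head -n 1 \
        | sed -n "s/.*[;: ]$method=\([a-z]*\).*/\1/p")
    if [ -z "$verdict" ] && [ "$method" = spf ]; then
        verdict=$(printf '%s\n' "$hdrs" | sed -n 's/^received-spf: *\([a-z]*\).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "${verdict:-missing}"
}

# One-line summary of the three checks the article cares about.
auth_summary() {
    msg=$1
    printf 'dkim=%s domainkeys=%s spf=%s\n' \
        "$(auth_verdict dkim "$msg")" \
        "$(auth_verdict domainkeys "$msg")" \
        "$(auth_verdict spf "$msg")"
}

# Constructed sample: signatures verified but SPF failed because the sending
# host is not listed in the domain's SPF record, the failure the article says
# is most common. Note the folded Authentication-Results header.
SAMPLE_MSG='Received: from mail.domain.tld (mail.domain.tld [192.0.2.10])
	by mta.example.net with ESMTP; Mon, 30 May 2011 10:00:00 -0500
Received-SPF: fail (example.net: domain of user@domain.tld does not designate 192.0.2.10 as permitted sender)
Authentication-Results: mta.example.net;
	dkim=pass (ok) header.i=@domain.tld;
	domainkeys=pass (ok) header.from=user@domain.tld
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.tld; s=mail;
	h=from:to:subject; bh=...; b=...
From: user@domain.tld
To: user@example.net
Subject: dkimproxy test

test body'

# Usage: ./auth_check.sh saved-message.eml; with no argument the sample is used.
if [ $# -ge 1 ]; then
    auth_summary "$(cat "$1")"
else
    auth_summary "$SAMPLE_MSG"
fi
```

Save the spam-foldered message with its full headers (“show original” or equivalent) and feed the file to the script; when spf comes back fail or softfail while dkim is pass, the SPF record is what needs fixing, which matches what I see most often.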

Hopefully this article has been helpful at getting you to get your DKIMproxy install up and going.

Category: linux, mail

5 Responses to DKIMproxy with postfix on centos/rhel

  1. Kelv1n says:

    Great article, I don’t think you could have made it any easier, thanks.

  2. alex says:

    Glad it was of some help! 🙂

  3. Mark says:

    Awesome, this is very helpful. If I’m looking to setup multiple domains to use dkimproxy is it possible to specify multiple keyfiles in dkimproxy_out.conf? Thanks for posting this!

    • alex says:

      I tend to set mine up with all the domains using the same key on the same server (and that is pretty straightforward as you can see in my docs). If you’re looking to use different keys for each domain, I would guess you’d need different conf files for each, using different ports, but that is purely a guess. I’ve never done it myself.

  4. sateesh says:

    I configured the same thing as you showed in the steps, but when I start the service it shows
    Starting inbound DKIM-proxy (…done.
    Starting outbound DKIM-proxy (dkimproxy.out)…done.
    But in status it shows not running
