Setup DKIM keys with Sendmail


The purpose of this document is to enable DKIM keys setup on sendmail server so that email delivery into inboxes can be maximized.


DKIM is used by Gmail, Yahoo and AOL and many others, and also works by publishing public keys via DNS TXT records and by signing the emails at the email server. To setup DKIM, you need an additional filter which takes the completed email and adds the DKIM signature to the email prior to sending it out. Postfix and sendmail support “milters“, which is apparently short for “mail filter”. There is a DKIM-milter package available for Centos at the EPEL repositories

DomainKeys is an older version of DKIM (DomainKeys Identified Mail) developed by Yahoo. Despite having very similar names, these ARE NOT the same. Both DomainKeys and DKIM store public key information in DNS records and sign the message headers of every email sent. The recipient can then verify the signature.

DomainKeys was deprecated in 2007, but some email providers may still be using it. However, these are a shrinking minority and Yahoo does support the newer DKIM. Because of this we did not add DomainKeys support but opted only to use DKIM. So let’s start the configuration of DKIM with Sendmail.


  • Install dkim-milter on CentOS/Fedora/RHEL
yum install dkim-milter

If there is no package found from your present repositories then download & setup EPEL repository

  • Enable dkim-milter to run on startup
chkconfig dkim-milter on
  • Generate a Private Key
openssl genrsa -out default.private 1024

A “default.private” key file will be generated. It will be moved to a specific location later.

  • Generate a public key for this private key
openssl rsa -in default.private -pubout -out default.public -outform PEM

A file with filename “default.public” will be generated with content like



It will be used to create a DNS TXT record. See next step.

  • Create a DNS record of type TXT

Modify DNS records & add a record of type TXT:

TXT Record Name: default._domainkey
TXT Record Value: v=DKIM1; g=*; k=rsa; p=<content of default.public>

Note that the prefix “—–BEGIN PUBLIC KEY—–” and suffix “—–END PUBLIC KEY—-” should not be put in the TXT record value.

This DNS record will be retrieved by mail receivers who want to verify emails with DKIM signatures. The record name “default._domainkey” tells verifier that the “selector” of this signature is “default”, therefore if you are changing selector name to something else, make sure you change all of them consistently.

  • Move private key to appropriate location

As root, copy the private key to the location specified by the “keylist” (refer to next step) and make sure it is readable by dkim-milter:

mkdir /etc/dkim-milter/
mv default.private /etc/dkim-milter/default
chown dkim-milter.dkim-milter /etc/dkim-milter/default

Make sure the filename of private key file matches the “selector” name specified in the DNS record.

  • Add an entry to the keylist for dkim-milter to read

Add the following line to /etc/mail/dkim-milter/keys/keylist. Replace <> with your domain name.

  • Configure dkim-milter

Open configuration file /etc/mail/dkim-milter/dkim-filter.conf and use the following configuration:

cd /etc/mail/dkim-milter/
mv dkim-milter.conf dkim-milter.conf.default
vim dkim-milter.conf
Canonicalization simple
# Comma separated list of domains
KeyFile /etc/dkim-milter/default
Selector default
SignatureAlgorithm rsa-sha256
Socket local:/var/run/dkim-milter/dkim-milter.sock
Syslog Yes
Userid dkim-milter
SubDomains Yes
SyslogSuccess Yes
X-Header Yes

The X-Header and Syslog options are useful for debugging. See the config file, each option should be documented there.

  • Configure sendmail to use dkim-milter
cd /etc/mail
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/dkim-milter/dkim-milter.sock')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
  • Restart sendmail & dkim-milter
    /etc/init.d/sendmail restart
    /etc/init.d/dkim-milter restart



A reply email will be sent back to you with an analysis of the message’s authentication status. The report will perform the following checks: SPF, SenderID, DomainKeys, DKIM and SpamAssassin.


Leave a Reply

Your email address will not be published. Required fields are marked *