DKIM and DMARC records

This is a quick guide to setup DKIM and DMARC records on your postfix-based ubuntu email server. I followed closely a guide from Julian Kunkel and am reproducing many steps from his post here. Despite the fact that he wrote his guide because he found some typos in other guides, his guide also had some.

I’ve been doing work on already working Ubuntu server (xenial, 16.04) with working postfix which I setup using that ArsTechnica article.

In the instructions I will use the placeholder <DOMAIN> for a full qualified domain such as You have to decide about a selector to use which basically provides means to use multiple keys, I use <SELECTOR> as placeholder, in my case, it is “mail”. <EMAIL> is an email where you like to receive errors (in case of DMARC).

Install DKIM tools:

Create public/private key pairs:


Configure opendkim, edit /etc/opendkim.conf (emacs/nano):

Create/edit /etc/opendkim/KeyTable – this file is basically a list of references to the key files, formated as follows:

For example:

Create/edit /etc/opendkim/SigningTable which defines the patterns for which email to use which key, it is a list:

For example:

In the /etc/opendkim/ there should also be a file TrustedHosts with only text “” (without quotes) inside.

Now secure the files:

Restart the opendkim service and check status:

Setup the public key in DNS, modify the DNS, add a TXT entry as follows:

  • Name: <SELECTOR>._domainkey
    • example: mail._domainkey
  • Value: the contents between (” and “) in the file /etc/dkimkeys/<DOMAIN>/<SELECTOR>.txt,
    • example v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfxhoZwKV1gahzMYv2tvEVBtAFo8LgW/8GolHibkiCGqD7urRnUPUPj/RF72mkwz/RdX+o8XTAJKgGvw5eo9g6z3DPql1xKcZEbpcUSnGbpIGQODmnNEqixaScrlEVmgtjHJsm9++Upp4RRRo7309Zlvzh4bmIfVzubwNG3umYzuf6ct/RT1xyRLWXLh5LtOa/xBNfRhCoGjxlgufu9CUqQe9af8J3MY6t2PR63XUOxwwGNBrNAlGTKw8KDc9OKn/eYCOBM4XrWjwiAR3dIVQJPT3FfSKqZ2BrBmRVg0jUiwE0j7AB+wLN/Ixsbp/ByyprcnVDFyNiXzOhr17mVOMQIDAQAB

Test it with

Note that DNS updates may take a while depending on your TIL and provide. You should see the public key from above in the ANSWER SECTION.

Now setup postfix to utilize the installed opendkim, edit /etc/postfix/ so it should look something like:

Restart postfix with


DMARC includes a simple DNS change similar to SPF and DKIM. Add a TXT entry as follows

  • Name: _dmarc
  • Value: v=DMARC1; p=none; rua=mailto:<EMAIL>; ruf=mailto:<EMAIL>
  • example:
    v=DMARC1; p=none;;
  • This policy (p=none) will allow debugging, instructing that emails shall be send by mail servers providing status information about accepted and failes messages. Once everything works the policy can (should) be changed to “quarantine” or “reject” to tell every email server to reject emails that appear to stem from your domain but are not signed.

Test DNS again with dig:


Check that opendkim finds the publicly announced keys:


Check correct config from outside using these online tools:

Also try sending an email to some big email provider (like, khm, gmail) and look at the source (‘original message’).

Once everything works, you may want to remove the “ruf” property from the DNS _dmarc TXT field to reduce the number of messages you receive about failed delivery. You may also want to change the DMARC policy to “reject”. This minimizes the risk that email addresses from your server are spoofed and your domain is classified as source of spam…

More domains

To add more domains, these are the steps:

  • create folder in /etc/dkimkeys/<DOMAIN>, and move into it
  • generate keys with something like opendkim-genkey -t -s mail -d <DOMAIN>
  • add to /etc/opendkim/KeyTable something like and /etc/opendkim/SigningTable something like *
  • edit DNS records to add a TXT entry with name: mail._domainkey and value the contents of between (” and “) in the file /etc/dkimkeys/main.txt
  • also add another TXT entry with name: _dmarc and value: “v=DMARC1; p=none;” (change value after p= to quarantine or reject sometime soon)
  • test: