DomainKeys Identified Mail

Introduction to DKIM

DomainKeys Identified Mail or DKIM is a standard for signing email messages so that the recipient can verify the sender's email address. This allows recipient mail servers to detect sender address forgery, which is often used by spammers to avoid sender domain blacklists. Signing is done with a private key on the senders server, which matches a public key added to in the sender's DNS domain. The recipient can lookup this key at the domain in the From address, and use it to ensure that the email signature was created using the corresponding private key, which proves that the message was really sent from that domain.

Virtualmin uses a milter to implement DKIM signing and verification. This is background process that the Postfix or Sendmail mail server sends messages to for modification before they are sent to their final destination. Any email relayed through the Virtualmin system (either from a web-based mail read or a client like Outlook or Thunderbird) will have a signature added by the DKIM milter, as long as it is from a domain for which DKIM is enabled.

Only Virtualmin versions 3.81 and later support DKIM.

Installing DKIM Packages

Virtualmin supports the configuration of DKIM on Debian, Ubuntu, Fedora, CentOS and Redhat Enterprise systems, as these distributions provide the required DKIM milter package. The simplest way to install this is as follows :

  1. Login to Virtualmin as root and go to Email Messages -> *DomainKeys Identified Mail**.
  2. Assuming that the required packages are not installed already, Virtualmin will display an error message about the missing configuration DKIM file. Click the Install Now button to have the appropriate package downloaded and installed.

Installation can also be done from the command line. On Debian or Ubuntu, the command is :

apt-get install dkim-filter

while on CentOS, Fedora or Redhat Enterprise you will need to run :

yum install dkim-milter

Enabling DKIM in Virtualmin

To enable DKIM signing of outgoing email messages, follow these steps :

  1. Login to Virutalmin as root and go to Email Messages -> DomainKeys Identified Mail
  2. Change Signing of outgoing mail enabled? to Yes.
  3. In the Selector for DKIM record name field enter a short name that you will use to identify the signing key. This is typically just the current year, like 2010. Do NOT enter default, as this can trigger a bug in the current Virtualmin release which deletes the /etc/default directory!
  4. Click the Save button.

Assuming all goes well, Virtualmin will report the steps taken to configure and enable DKIM.

Only virtual servers that have both the DNS and email features enabled will have DKIM activated, as the mail server needs to be setup to use a private signing key whose corresponding public key is added to DNS.

By default, Virtualmin will also configure the DKIM milter to verify incoming email that has the proper signatures. DKIM-signed messages where the signature is incorrect or cannot be checked with a DNS lookup will be bounced or delayed. If you want to disable verification, set the Verify DKIM signatures on incoming email? option to No.

To turn off DKIM signing completely, just do the following :

  1. Login to Virutalmin as root and go to Email Messages -> DomainKeys Identified Mail
  2. Change Signing of outgoing mail enabled? to No.
  3. Click Save.

This will remove the public key from all domains, and stop your mail server from signing messages with the DKIM milter.