I love opensmtpd. But as I’ve never set up a mail server before, some things are hard. DKIM was one of them. Below is what I now use on four servers and all work perfectly:


Ryan Kavanagh @ Debian

Martijn van Duren @ OpenBSD


This is a guide to using filter-dkimsign on Debian 10. It took a bit of effort to get it working and the following is as much for my help as anyone else’s.

Note: this is for an outgoing only mail server

Install the requirements

root@server:/home/simon/src# apt install libevent-dev libssl-dev mandoc

Grab the files from here:

root@server:/home/simon/src# wget https://simonh.uk/files/src/libopensmtpd-0.7.tar.gz
bc. root@server:/home/simon/src# wget https://simonh.uk/files/src/filter-dkimsign-0.5.tar.gz

Extract both packages using tar xvf <each_file>

cd into libopensmtpd first and run

root@server:/home/simon/src/libopensmtpd-0.7# make -f Makefile.gnu

You should get no errors.

root@server:/home/simon/src/libopensmtpd-0.7# make -f Makefile.gnu install

Now, cd into ../filter-dkimsign-0.5 and run the two make commands as above.

Next, we’ll create the group and user _dkimsign

root@server:~# addgroup _dkimsign --force-badname 
Allowing use of questionable username.
Adding group `_dkimsign' (GID 1001) ...

Now add the _dkimsign user to that group

root@server:~# useradd _dkimsign -g _dkimsign

Create the directory to save your private key with the correct permissions:

root@server:~# install -d -m 770 -o _dkimsign -g _dkimsign /etc/mail/dkim

Log out as the root user with exit and run:

simon@server:~/src [ssh] $ sudo -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 1024

That has generated and saved our private key. Run below to get the public key that we’ll save in our DNS records:

simon@server:~/src [ssh] $ sudo openssl rsa -in /etc/mail/dkim/private.rsa.key -pubout |     sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'
writing RSA key

Copy the long line beneath “writing RSA key”, like so:


You need to save that in your DNS record section at you domain registrar as a TXT record.

Following (seemingly) popular advice, I use today’s date 20210622._domainkey. The part before the . (dot) is called the selector. We’ll come back to that in a minute.

Next, we’ll add the filter to our /etc/smtpd.conf making sure to replace -d yourdomain.com and -s 20210622 with your domain and your selector!

filter dkimsign proc-exec "filter-dkimsign -d yourdomain.com -s 20210622 -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign

listen on socket filter "dkimsign"
listen on localhost filter "dkimsign"

Do a quick check that we have no syntax errors:

root@server:/home/simon/src# smtpd -n
configuration OK

Nearly there now! We’ll restart and check that opensmtpd has no errors:

root@server:/home/simon/src# systemctl restart opensmtpd
root@server:/home/simon/src# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset
   Active: active (running) since Wed 2021-06-23 15:11:43 BST; 5s ago
     Docs: man:smtpd(8)
  Process: 10351 ExecStart=/usr/sbin/smtpd (code=exited, status=0/SUCCESS)
 Main PID: 10352 (smtpd)
    Tasks: 9 (limit: 1148)
   Memory: 10.0M
   CGroup: /system.slice/opensmtpd.service
           ├─10352 /usr/sbin/smtpd
           ├─10353 smtpd: klondike
           ├─10354 smtpd: control
           ├─10355 smtpd: lookup
           ├─10356 smtpd: pony express
           ├─10357 smtpd: queue
           ├─10358 smtpd: scheduler
           ├─10359 /usr/sbin/smtpd
           └─10361 /usr/libexec/opensmtpd/filter-dkimsign -d yourdomain.com -s 20210622 

Jun 23 15:11:43 server systemd[1]: Starting OpenSMTPD SMTP server...
Jun 23 15:11:43 server smtpd[10351]: info: OpenSMTPD 6.6.4p1 starting
Jun 23 15:11:43 server systemd[1]: Started OpenSMTPD SMTP server.

You can see in the last line, that filter-dkimsign is running

Finally, we’ll send an email to a gmail account and check that DKIM is a “PASS

root@server:/home/simon# echo uptime | mail somebody@gmail.com

Check your gmail account by clicking on the three dots next to reply and click “Show original”. If all went well, you’ll see DKIM at the bottom and “PASS with domain” next to it:

DKIM pass at gmail

Following these instructions, you should be DKIM friendly in about ten or fifteen minutes!

Any issues feel free to send me an email, or sign up for the opensmtpd mailing list here (subscribe to the misc one).