Candidate for Deletion
This article may not be appropriate for this wiki, and may be deleted. More info...


DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity. DomainKeys was originally developed by Yahoo! and has since been superseded by a newer protocol called DomainKeys Identified Mail Postfix/DKIM. DomainKeys has been deprecated and should no longer be used. dk-milter is unmaintained and it's author recommends it no longer be used due to significant bugs.

DomainKeys is very similar in most respects to Postfix/DKIM's operation.

Read more on Wikipedia

dk-filter implements a Sendmail Mail Filter (Milter) for the DomainKeys standard. DomainKeys provides a way for senders to confirm their identity when sending email by adding a cryptographic signature to the headers of the message.

The dk-milter implements both DomainKeys signing and verification.


We assume you already successfully installed Postfix MTA, if not, please read the Postfix dedicated page.

To install dk-filter, you need Universe repositories added, if so, use your favorite package manager and install the package. For example:

sudo aptitude install dk-filter

Simply accept the defaults if the installation process asks questions. The configuration will be done in greater detail in the next stage.

Generating signing keys

You can generate a public and private key pair which will be used in signing and verifying mail using the following:

openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM

You can then move it to a more secure location:

cp private.key /etc/mail/domainkey.key


dk-filter configuration consists of a single file: /etc/default/dk-filter

In this example configuration, we'll assume your domain is domain.tld and your selector is mail:

# Sane defaults: log to syslog
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector '2007' (e.g. 2007._domainkey.domain.tld)
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail"
# See dk-filter(8) for a complete list of options
# Uncomment to specify an alternate socket
#SOCKET="/var/run/dk-filter/dk-filter.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8892@localhost" # listen on loopback on port 8892
#SOCKET="inet:12345@" # listen on on port 12345

The DAEMON_OPTS is the most important setting. For a full list of optional arguments you can pass to the dk-filter:

dk-filter --help

For instance, if you are configuring a 'smarthost' and need to allow other servers to connect to it to send mail, you can create a file with each allowed IP address per line. You then tell dk-filter about this list by passing it the '-i' argument. For example, if you create a file '/etc/default/ilist' with the following contents:

the DAEMON_OPTS setting would then become:

DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail -i /etc/default/ilist"

This will allow mail sent by those IP addresses to be signed by the smarthost you are configuring.

Configuring DNS

You will need to create two TXT records in order for mail recipients to verify your signed mail. The DNS record should look like this:

_domainkey.domain.tld. IN TXT "t=y; o=~;

Where the "t=y" means that the domain is in test mode, actually that it is activated, and the "o=~;" means that only some mail is being signed from this domain. If you want to indicate that all mail is signed, use "o=-;".

mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"

Where everything after p= is actually the content of the public key we generated above, public.key. Be sure to only copy the key string itself, leaving out these comments:



-----END PUBLIC KEY-------

The t=y value pair means that the domain is using this key in test mode, also that is activate.

Startup and testing

Now that dk-filter is configured, you need to restart the daemon:

/etc/init.d/dk-filter restart

If for some reason the daemon is not already running, you can simply start it:

/etc/init.d/dk-filter start

You can check the log file if everything is ok:

sudo grep -i dk /var/log/mail.log

Now, to tell the Postfix about the existing milter, and where to connect with it, edit your Postfix main.cf file /etc/postfix/main.cf, and append the following data:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

If you are already using another milter (for example Postfix/DKIM), you can append additional settings using a comma as a separator:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

Now restart Postfix:

sudo /etc/init.d/postfix restart

For testing purposes, I recommend you tools like:

Testing results should look like this in Yahoo Mail: http://stas.nerd.ro/blog/data/dk-filter.png

Postfix/DomainKeys (last edited 2011-06-16 04:51:43 by 74-222-219-222)