DKIM and SPF support in YnH

EDIT LJF: Now Dkim and SPF are directly integrated in YunoHost 2.4


Please note that :

Changes in rev 2 :

  • Much easier to manage more than one DOMAIN.TLD (future proof)
  • Updated configuration as it seemed that the previous one was based on old software

So, here is the thing :

  • We start by installing the right software :

sudo aptitude install opendkim opendkim-tools

  • Then we configure opendkim

sudo nano /etc/opendkim.conf
(Text to be placed in the text file: )

AutoRestart Yes
AutoRestartRate 10/1h
UMask 022
Syslog yes
SyslogSuccess Yes
LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

Mode sv
PidFile /var/run/opendkim/
SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:8891@

Selector mail

  • Connect the milter to Postfix:

sudo nano /etc/default/opendkim

(Text to be placed in the text file: )

  • Configure postfix to use this milter:

sudo nano /etc/postfix/

(Text to be placed AT THE END in the text file: )
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:
non_smtpd_milters = inet:

  • Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys:

sudo mkdir -pv /etc/opendkim/keys/DOMAIN.TLD

  • Specify trusted hosts:

sudo nano /etc/opendkim/TrustedHosts

(Text to be placed in the text file: )

  • Create a key table:

sudo nano /etc/opendkim/KeyTable

(Text to be placed in the text file: Be very careful, it needs to be on a SINGLE LINE for each domain )
mail._domainkey.DOMAIN.TLD DOMAIN.TLD:mail:/etc/opendkim/keys/DOMAIN.TLD/mail.private

  • Create a signing table:

sudo nano /etc/opendkim/SigningTable

(Text to be placed in the text file: )
*@DOMAIN.TLD mail._domainkey.DOMAIN.TLD

  • Now we generate the keys ! :slight_smile:

sudo cd /etc/opendkim/keys/DOMAIN.TLD
sudo opendkim-genkey -s mail -d DOMAIN.TLD

  • Output the DKIM DNS line to the terminal. Then, we install it on our DNS server. My ZONE file looks like this. (Be very careful with the formatting, the “p=…” needs to be in a single line.

cat mail.txt

mail._domainkey IN TXT “v=DKIM1; k=rsa; p=AAAKKUHGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFrBM54eXlZPXLJ7EFphiA8qGAcgu4lWuzhzxDDcIHcnA/fdklG2gol1B4r27p87rExxz9hZehJclaiqlaD8otWt8r/UdrAUYNLKNBFGHJ875467jstoAQAB” ; ----- DKIM key mail for DOMAIN.TLD

  • And we don’t forget to put the right rights otherwise opendkim will get grumpy…

chown -Rv opendkim:opendkim /etc/opendkim*

  • And finally, we restart everything :
    sudo service opendkim restart
    sudo service postfix restart

  • To test if it is all working well (don’t forget that the DNS propagation can take a bit of take…) you can simply send an email to and a reply will be received. If everything works correctly you should see DKIM check: pass under Summary of Results.

Now, the SPF support.

This is much quicker and much simpler, we only have to add a line in the DNS such :

DOMAIN.TLD 300 TXT “v=spf1 a:DOMAIN.TLD mx ?all”

Edit I took into account comments from tebo (and Benjamin Sonntag somehow :wink: )


means, if an email wasn’t send from this domain, refuse-it.

I would suggest to use the flag


instead of “-all” in the spf configuration.
You don’t really know which smtp server people are using. So using “?all” flag will be more flexible and doesn’t broke your configuration.

Check this french conference for more details:


I took your comment into consideration and updated this How-to for both DKIM and SPF. This is now rev2.


I did a fresh install of YnH and followed this tutorial. It seems to work straight away so I rmoved the “WIP”. I pass both DKIM and SPF checks.

Hopefully it will be eventually integrated into the core soon :wink:



Excellent work !

It would be awesome to put all this nicely in a documentation page as well <3

Do you know if an app will be done and integrated soon ? :smile:

Actually it is not so easy to develop, as postfix configuration files do not support any include directive.

It is pretty easy to develop an app that adds the correct directives in, but any update of the yunohost-config-postfix package will overwrite them. Such tricky behavior will be possible in a future Yunohost version, but we really don’t have any date for it :wink:

We could eventually do something with a cron job, but that’s really hacking to me…

Yes, this is exactly my concern : keeping postfix conf clean.
I think the only neat solution is to have an app supported by yunohost.

Great mate ! thanks!

I did this DigitalOcean how to with success
+change into /etc/opendkim.conf
Canonicalization relaxed/simple
for Canonicalization relaxed/relaxed
like G**gle is

now my next question/challenge is to have an 2048bit key
because with this how to you finish with an 1024bit key

Anybody know where you interact with this parameter ?

Cheers to all!

Hi jodumont,

I found this on the Internet :


opendkim-genkey generates (1) a private key for signing messages using opendkim(8) and (2) a DNS TXT record suitable for inclusion in a zone file which publishes the matching public key for use by remote DKIM verifiers.


−b bits
(−−bits=n) Specifies the size of the key, in bits, to be generated. The default is 1024 which is the value recommended by the DKIM specification.

So, when you use the opendkim-genkey command, you could add the option -b 2048

However, it is also written that the specification advises to use the standard 1024 bit key.

@maxime thanks for sharing your knowledge and your research :smiley_cat:
in this case, the key is for authentification, so we must go with the flow :wink:

Hi, I’m wondering if you would consider this application stable. I’m having trouble with spam and I wanted to solve this problem.

Also, I don’t quite guet why this cannot be included as default configuration in the next yunohost releases.