added support for DKIM in 2020. To configure this on my side, I had to do the following, on top of my email configuration.

  1. add this line to /etc/opendkim/signing.table:

    * marcos-debian.anarcat.user
  2. add this line to /etc/opendkim/key.table:


    Yes, that's quite a mouthful! That magic selector is long in that way because it needs a special syntax (specifically the .anarcat.user suffix) for Debian to be happy. The -debian string is to tell me where the key is published. The marcos prefix is to remind me where the private key is used.

  3. generate the key with:

    opendkim-genkey --directory=/etc/opendkim/keys/ --selector=marcos-debian.anarcat.user --verbose

    This creates the DNS record in /etc/opendkim/keys/marcos-debian.anarcat.user.txt (alongside the private key in .key).

  4. restart OpenDKIM:

    service opendkim restart

    The DNS record will look something like this:

    marcos-debian.anarcat.user._domainkey   IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
    "pci5/2o/oKD05J9hxFTtlEblrhDXWRQR7pmthN8qg4WaNI4WszbB3Or4eBCxhUdvAt2NF9c9eYLQGf0jfRsbOcjSfeus0e2fpsKW7JMvFzX8+O5pWfSpRpdPatOt80yy0eqpm1uQIDAQAB" )  ; ----- DKIM key marcos-debian.anarcat.user for
  5. The "p=MIIB..." string needs to be joined together, without the quotes and the p=, and sent in a signed email to

    dkimPubKey: marcos.anarcat.user MIIB[...]
  6. Wait a few minutes for DNS to propagate. You can check whether the record has propagated with:

    host -t TXT

    ( being one of the NS records of the zone.)
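
Step 5 as an added example (not part of the original post): a shell helper that joins the quoted chunks of the opendkim-genkey .txt record, drops the quotes and the p=, and prints the dkimPubKey: line. The function names, the sample record and its example.org domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an opendkim-genkey .txt record into the dkimPubKey line.

# Print the bare public key: join the quoted TXT chunks, take the p= tag.
dkim_pubkey_from_txt() {
    awk -F'"' '
        # Even-numbered fields are the text between double quotes; the zone
        # file comment after the closing parenthesis is left out this way.
        { for (i = 2; i <= NF; i += 2) rec = rec $i }
        END {
            n = split(rec, tags, ";")
            for (i = 1; i <= n; i++) {
                t = tags[i]
                gsub(/[ \t]/, "", t)          # whitespace is not part of the key
                if (t ~ /^p=/) key = substr(t, 3)
            }
            # Refuse a missing, empty or non-base64 key instead of mailing it.
            if (key !~ "^[A-Za-z0-9+/]+=*$") exit 1
            print key
        }' "$1"
}

# $1 = label to put after "dkimPubKey:", $2 = path to the .txt record.
dkim_ldap_line() {
    key=$(dkim_pubkey_from_txt "$2") || return 1
    printf 'dkimPubKey: %s %s\n' "$1" "$key"
}

# Constructed sample record (not a real key; example.org is a placeholder).
write_sample_record() {
    cat > "$1" <<'EOF'
marcos-debian.anarcat.user._domainkey   IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBconstructedSAMPLEpart1"
      "part2NOTaREALkeyIDAQAB" )  ; ----- DKIM key marcos-debian.anarcat.user for example.org
EOF
}

sample=$(mktemp)
write_sample_record "$sample"
dkim_ldap_line marcos.anarcat.user "$sample"
rm -f "$sample"
```

A record whose p= chunk is missing or empty makes both functions return non-zero, so nothing gets pasted into the signed email by mistake.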

If all goes well, the tests should pass when sending from your server as


Test messages can be sent to dkimvalidator, or Those tools will run SpamAssassin on the received emails and report the results. What you are looking for is:

If one of those is missing, then you are doing something wrong and your "spamminess" score will be worse. The latter is especially tricky as it validates the "Envelope From", which is the MAIL FROM: header as sent by the originating MTA, which you see as from=<> in the Postfix logs.

The following will happen anyways, as soon as you have a signature, that's normal:

And this might happen if you have an ADSP record but do not correctly sign the message with a domain field that matches the record:

That's bad and will affect your spam score badly. I fixed that issue by using a wildcard key in the key table:

--- a/opendkim/key.table
+++ b/opendkim/key.table
@@ -1 +1 @@
+marcos %:marcos:/etc/opendkim/keys/marcos.private
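
Review bot: the hunk header `@@ -1 +1 @@` declares one removed and one added line, but only the `+` line is present, so the patch will not apply as posted; include the `-` line it replaces. On the added line, `%` in the domain field makes OpenDKIM sign with whichever sender domain matched in signing.table, so every domain that can match there has to publish the `marcos` selector or its signatures will fail verification; a comment in key.table saying so would help. The selector and key file used here (`marcos`, marcos.private) also differ from the marcos-debian.anarcat.user key generated in the steps above, so state which key this entry is meant to use.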


This is a copy of a subset of my more complete email configuration.
