Creating Signing Table, Key Table, and Trusted Hosts File for OpenDKIM
OpenDKIM requires a signing table, key table, and trusted hosts file to configure and sign outgoing emails from your Postfix SMTP server. Here is a step-by-step guide to creating these files:
Step 1: Create Directory Structure
Create a directory structure for OpenDKIM using the following commands:
sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
Step 2: Change Owner and Permissions
Change the owner of the /etc/opendkim directory and its subdirectories to opendkim using the following command:
sudo chown -R opendkim:opendkim /etc/opendkim
Then, make sure only the opendkim user can read and write to the keys directory using the following command:
sudo chmod go-rw /etc/opendkim/keys
Step 3: Create Signing Table
Create the signing table file using the following command:
sudo nano /etc/opendkim/signing.table
Add the following two lines to the file:
*@your-domain.com default._domainkey.your-domain.com
*@*.your-domain.com default._domainkey.your-domain.com
This tells OpenDKIM that any email from a sender with a @your-domain.com address or any subdomain of your-domain.com should be signed with the private key identified by default._domainkey.your-domain.com.
Save and close the file.
Step 4: Create Key Table
Create the key table file using the following command:
sudo nano /etc/opendkim/key.table
Add the following line to the file:
default._domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private
This line tells OpenDKIM the location of the private key.
Save and close the file.
Step 5: Create Trusted Hosts File
Create the trusted hosts file using the following command:
sudo nano /etc/opendkim/trusted.hosts
Add the following lines to the file:
127.0.0.1
localhost
.your-domain.com
This tells OpenDKIM that any email coming from localhost or from the same domain should only be signed, but not verified.
Save and close the file.
Note: Do not add an asterisk in the domain name like this: *.your-domain.com. There should be only a dot before the domain name.
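Added example (not part of the original guide or of OpenDKIM): a shell function that cross-checks the files from Steps 3 and 4. It confirms that every key name used in the signing table has an entry in the key table, and that the private key file named there exists and is closed to group and others, as Step 2 intends. The function name check_opendkim_tables and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenDKIM's own tooling.
# Usage: sh check_dkim_tables.sh /etc/opendkim/signing.table /etc/opendkim/key.table

check_opendkim_tables() {
    signing_table=$1
    key_table=$2
    problems=0

    [ -r "$signing_table" ] || { echo "cannot read $signing_table" >&2; return 2; }
    [ -r "$key_table" ] || { echo "cannot read $key_table" >&2; return 2; }

    # Signing table line: <sender pattern> <key name>
    # The "|| [ -n ... ]" part keeps a last line that has no trailing newline.
    while read -r pattern keyname rest || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        if [ -z "$keyname" ]; then
            echo "signing table: no key name for pattern $pattern" >&2
            problems=$((problems + 1)); continue
        fi
        # Key table line: <key name> <domain>:<selector>:<private key path>
        entry=$(awk -v k="$keyname" '$1 == k { print $2; exit }' "$key_table")
        if [ -z "$entry" ]; then
            echo "key table: no entry for $keyname (pattern $pattern)" >&2
            problems=$((problems + 1)); continue
        fi
        keyfile=${entry#*:}      # drop "<domain>:"
        keyfile=${keyfile#*:}    # drop "<selector>:"
        if [ ! -f "$keyfile" ]; then
            echo "$keyname: private key $keyfile does not exist" >&2
            problems=$((problems + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$keyfile" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "$keyname: $keyfile is accessible to group/others ($mode)" >&2
            problems=$((problems + 1))
        fi
    done < "$signing_table"

    # Succeed only when no problem was found.
    [ "$problems" -eq 0 ]
}

# Run the check only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_opendkim_tables "$1" "$2"
fi
```

Run it with sudo so the key files under /etc/opendkim/keys can be inspected; a non-zero exit status means at least one problem was printed.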