DKIM for Self-Hosted Mail Servers: Postfix, Dovecot & More

Generate DKIM keys for self-hosted mail servers. Complete setup guide for Postfix, Dovecot, Mail-in-a-Box, iRedMail, and other self-hosted email solutions.

Last updated: 2026-02-04

Running your own mail server means you're responsible for DKIM configuration. Unlike hosted services that manage keys for you, self-hosted setups require generating and installing keys yourself.

DKIM Creator generates keys locally in your browser. Your private key never leaves your machine—ideal for security-conscious self-hosted setups.

Why Self-Hosted Servers Need DKIM

Without DKIM, emails from your self-hosted server are more likely to:

  • Land in spam folders
  • Be rejected outright by major providers
  • Fail DMARC checks if you have a DMARC policy
  • Look suspicious to recipients

Major email providers (Gmail, Outlook, Yahoo) increasingly require DKIM for reliable delivery.

Generate Your DKIM Keys

Step 1: Choose your selector

Pick a selector name for your key. Common choices: mail, default, or a date-based selector like 2026q1 for easy rotation.

Step 2: Generate a 2048-bit key pair

Use DKIM Creator to generate keys. Choose 2048-bit for security. You'll get a private key (for your server) and a DNS record (for your domain).

Step 3: Save the private key securely

Download the private key immediately. Store it securely—you'll need it for your mail server configuration.

Generate your keys now

Create DKIM keys for your self-hosted mail server. Keys are generated in your browser for maximum security.


Postfix + OpenDKIM Setup

OpenDKIM is the most common DKIM implementation for Postfix.

Install OpenDKIM

# Debian/Ubuntu
sudo apt install opendkim opendkim-tools

# CentOS/RHEL
sudo yum install opendkim

Configure OpenDKIM

Edit /etc/opendkim.conf:

# Log signing activity to syslog
Syslog                  yes
UMask                   007
# Sign mail for this domain with this selector and key
Domain                  yourdomain.com
# Must match the DNS record name (mail._domainkey.yourdomain.com)
Selector                mail
KeyFile                 /etc/opendkim/keys/yourdomain.com/mail.private
# Socket Postfix connects to; mirrored in main.cf below
Socket                  inet:8891@localhost

Install Your Private Key

# Create directory
sudo mkdir -p /etc/opendkim/keys/yourdomain.com

# Copy your generated private key
sudo cp mail.private /etc/opendkim/keys/yourdomain.com/

# Set permissions
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod 600 /etc/opendkim/keys/yourdomain.com/mail.private

Connect Postfix to OpenDKIM

Add to /etc/postfix/main.cf:

# accept = mail still flows (unsigned) if OpenDKIM is down; use tempfail to hold it instead
milter_default_action = accept
milter_protocol = 6
# Same port as the Socket line in opendkim.conf
smtpd_milters = inet:localhost:8891
# Also sign mail submitted locally (sendmail/mail command, cron), not only SMTP
non_smtpd_milters = inet:localhost:8891

Restart services:

sudo systemctl restart opendkim
sudo systemctl restart postfix

Mail-in-a-Box

Mail-in-a-Box configures DKIM automatically during setup, but you may need custom keys for:

  • Key rotation
  • Multiple domains with specific requirements
  • Migration scenarios

If you need to replace keys:

  1. Generate new keys with DKIM Creator
  2. Replace the private key in /home/user-data/mail/dkim/mail.private
  3. Update the DNS record (Mail-in-a-Box's admin panel shows the current record)
  4. Restart the mail services

iRedMail

iRedMail uses Amavisd-new for DKIM signing.

Install Your Key

# Place private key
sudo cp mail.private /var/lib/dkim/yourdomain.com.pem
sudo chown amavis:amavis /var/lib/dkim/yourdomain.com.pem
sudo chmod 600 /var/lib/dkim/yourdomain.com.pem

Configure Amavisd

Edit /etc/amavis/conf.d/50-user:

dkim_key('yourdomain.com', 'mail', '/var/lib/dkim/yourdomain.com.pem');

@dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/relaxed' } }
);

Restart Amavisd:

sudo systemctl restart amavis

Add Your DNS Record

After configuring your mail server, add the public key to DNS:

  • Host/Name: `selector._domainkey` (e.g., `mail._domainkey`)
  • Type: TXT
  • Value: The DNS record from DKIM Creator
  • TTL: 3600

DNS propagation can take up to 48 hours. Test thoroughly before relying on DKIM for critical emails.

Testing Your Setup

After DNS propagation, verify your configuration:

# Check DNS record
dig TXT mail._domainkey.yourdomain.com

# Send test email
echo "Test" | mail -s "DKIM Test" check-auth@verifier.port25.com

The response will show whether DKIM is passing.

Troubleshooting

"Key not found" errors

  • Verify DNS record hostname matches your selector exactly
  • Check DNS propagation with multiple tools
  • Ensure the _domainkey suffix is present

"Signature verification failed"

  • Confirm private key matches the public key in DNS
  • Check file permissions on the private key
  • Verify the signing domain matches your From address
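The Testing section's dig lookup and the first check in this list ("confirm private key matches the public key in DNS") can both be done offline once you have the TXT record and the key file. The script below is an added example, not code from this page, DKIM Creator or any mail server project. It assumes the private key is in PKCS#1 form (a "BEGIN RSA PRIVATE KEY" PEM, which is what opendkim-genkey and most generators write) and that the record text is what dig prints for the TXT lookup, including the split into several quoted strings that dig uses for long records. The sample record and key it builds are constructed from a synthetic 2048-bit modulus so the block runs with no network and no real key.

```python
"""Offline checks for a DKIM TXT record and the private key it should match.

Added example (not code from the page or any project), standard library only.
A minimal DER reader pulls the RSA modulus and exponent out of the
SubjectPublicKeyInfo carried in p= and out of a PKCS#1 private key, so the
two can be compared without openssl. Sample data is a synthetic modulus.
"""
import base64
import re

def parse_dkim_record(rdata):
    """Join dig's quoted string chunks, then split 'v=DKIM1; k=rsa; p=...' into a dict."""
    parts = re.findall(r'"([^"]*)"', rdata)
    record = "".join(parts) if parts else rdata
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace inside p= is legal
    return tags

# --- minimal DER (ASN.1) reader, just enough for RSA keys ---
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _sequence_ints(seq):
    """All INTEGER children of a SEQUENCE body, as Python ints."""
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x02:
            ints.append(int.from_bytes(val, "big"))
    return ints

def public_numbers_from_spki(der):
    """SubjectPublicKeyInfo (the decoded p= payload) -> (n, e)."""
    _, spki, _ = _read_tlv(der, 0)            # outer SEQUENCE
    _, _, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier, skipped
    _, bitstr, _ = _read_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # [1:] drops the unused-bits byte
    n, e = _sequence_ints(rsa_pub)[:2]
    return n, e

def public_numbers_from_private_pem(pem):
    """'BEGIN RSA PRIVATE KEY' (PKCS#1) -> (n, e); its INTEGERs are version, n, e, d, ..."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, seq, _ = _read_tlv(base64.b64decode(body), 0)
    _, n, e = _sequence_ints(seq)[:3]
    return n, e

def check_record(rdata):
    """Validate the tags, decode p=, and report the key size."""
    tags, problems = parse_dkim_record(rdata), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa keys are handled here")
    try:
        n, e = public_numbers_from_spki(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):  # empty (revoked), not base64, or truncated
        problems.append("p= is empty, not base64, or not a valid SPKI public key")
        return {"ok": False, "problems": problems}
    if n.bit_length() < 2048:
        problems.append(f"key is only {n.bit_length()} bits; the guide recommends 2048")
    return {"ok": not problems, "problems": problems, "bits": n.bit_length(), "n": n, "e": e}

def private_key_matches_record(pem, rdata):
    """True when the server's private key and the published public key share (n, e)."""
    info = check_record(rdata)
    return info["ok"] and (info["n"], info["e"]) == public_numbers_from_private_pem(pem)

# --- constructed sample data: a synthetic modulus, NOT a real key ---
def _der(tag, body):
    lb = len(body).to_bytes(2, "big").lstrip(b"\x00")  # minimal length bytes (<= 65535)
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # leading 0x00 keeps it positive

_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL
SAMPLE_N, SAMPLE_E = (1 << 2047) | 0x1234567, 65537           # 2048-bit synthetic modulus
def make_sample(n=SAMPLE_N, e=SAMPLE_E):
    """Return (rdata as dig prints it, a matching PKCS#1 PEM); d, p, q, ... are dummy 1s."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, _RSA_ALG_ID + _der(0x03, b"\x00" + rsa_pub))
    p = base64.b64encode(spki).decode()
    chunks = [p[i:i + 200] for i in range(0, len(p), 200)]  # dig splits long TXT strings
    rdata = '"v=DKIM1; k=rsa; p=" ' + " ".join(f'"{c}"' for c in chunks)
    priv = _der(0x30, b"".join(_der_int(x) for x in (0, n, e, 1, 1, 1, 1, 1, 1)))
    pem = f"-----BEGIN RSA PRIVATE KEY-----\n{base64.b64encode(priv).decode()}\n-----END RSA PRIVATE KEY-----\n"
    return rdata, pem
```

For a real check, pass the output of dig TXT mail._domainkey.yourdomain.com to check_record and the contents of /etc/opendkim/keys/yourdomain.com/mail.private to private_key_matches_record; a False result with an "ok" record means the key on disk is not the one published, which is exactly the "Signature verification failed" case above. If the key file starts with "BEGIN PRIVATE KEY" (PKCS#8) its integer layout differs and the PEM reader here does not apply; convert it with openssl rsa (add -traditional on OpenSSL 3) to get the PKCS#1 form. On the server itself, opendkim-testkey -d yourdomain.com -s mail -vvv from opendkim-tools performs the live DNS lookup and the same key comparison.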

Postfix not signing emails

  • Check OpenDKIM is running: systemctl status opendkim
  • Verify milter socket connection
  • Check logs: journalctl -u opendkim

Key Rotation

For self-hosted servers, plan for regular key rotation:

  1. Generate new keys with a new selector (e.g., 2026q2)
  2. Add the new DNS record
  3. Update your mail server to use the new private key
  4. Keep the old DNS record for 1-2 weeks (for emails in transit)
  5. Remove the old DNS record
