Notes
- I’m keeping the keys organised by year, this might change in the future
- If you omit the 1024 from the genrsa command it’ll generate 1024-bit keys. It’s supplied here now to remind me to upgrade these to 2048-bit keys when the time is right (at present Easyspace don’t allow you to enter 2048-bit records – helpful)
Generate key for domain(s)
amavisd genrsa /usr/local/etc/amavisd/dkim/<year>._domainkey.domain.com.key.pem 1024
example
amavisd genrsa /usr/local/etc/amavisd/dkim/2015._domainkey.spectrumcs.net.key.pem 1024
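nano amavisd.conf and add something similar to dkim_key('domain.com', '<year>', '/usr/local/etc/amavisd/dkim/<year>._domainkey.domain.com.key.pem'); and save. The second argument is the selector and the third is the key file, so both must match what was used in the genrsa command above.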
example
Run
# amavisd showkeys
to find out how you need to set up the DNS. The command spits out something like
2015._domainkey.spectrumcs.net. 3600 TXT ( "v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2xPNPTmYuTCkvMIgONUd8vTPe" "FM0uJHlVMwxrfdyhFLIWr5C73jpWulyrEmn/3Ujkt8aemSqo2EB90UmEhvt0VVZt" "IV2ROLXm/HjJF+eHq617xUKx/f9218sGp+1D3dTMsai7N7Sdxt41WN3SgTlyjSL7" "/MifKPUNPKJkGeJV3wIDAQAB")
You need to reformat it a bit for Easyspace: drop the parentheses and quotes and join the chunks into a single string.
host :
2015._domainkey.spectrumcs.net.
data :
v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2xPNPTmYuTCkvMIgONUd8vTPeFM0uJHlVMwxrfdyhFLIWr5C73jpWulyrEmn/3Ujkt8aemSqo2EB90UmEhvt0VVZtIV2ROLXm/HjJF+eHq617xUKx/f9218sGp+1D3dTMsai7N7Sdxt41WN3SgTlyjSL7/MifKPUNPKJkGeJV3wIDAQAB
Once the DNS record is published you can test by running…
# amavisd testkeys
Assuming amavisd’s tests pass you can sync the configuration across all servers and restart amavisd-new on all servers.
Finally, perform an external test using either of the following services…
http://dkimvalidator.com/
check-auth@verifier.port25.com
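The reformatting step above (turning the showkeys output into a host/data pair for the DNS provider) can be scripted. The following is an added example, not part of the original notes: it joins the quoted chunks and reads the RSA modulus size out of the p= value, so a 1024-bit key is flagged before the record is published. The function names are hypothetical; the input is the showkeys output shown above.

```python
import base64
import re

# Input: the `amavisd showkeys` output quoted in the notes above.
SHOWKEYS = (
    '2015._domainkey.spectrumcs.net. 3600 TXT ( "v=DKIM1; p=" '
    '"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2xPNPTmYuTCkvMIgONUd8vTPe" '
    '"FM0uJHlVMwxrfdyhFLIWr5C73jpWulyrEmn/3Ujkt8aemSqo2EB90UmEhvt0VVZt" '
    '"IV2ROLXm/HjJF+eHq617xUKx/f9218sGp+1D3dTMsai7N7Sdxt41WN3SgTlyjSL7" '
    '"/MifKPUNPKJkGeJV3wIDAQAB")'
)

def flatten_showkeys(text):
    """Return (host, data): the record name and the chunks joined into one string."""
    host = text.split()[0]
    data = "".join(re.findall(r'"([^"]*)"', text))
    return host, data

def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value header; return (value_start, value_end)."""
    if buf[pos] != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length

def rsa_key_bits(data):
    """Modulus size in bits of the RSA public key in a DKIM TXT value's p= tag."""
    tags = dict(t.strip().split("=", 1) for t in data.split(";") if "=" in t)
    der = base64.b64decode(tags["p"], validate=True)
    start, _ = _read_tlv(der, 0, 0x30)          # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _read_tlv(der, start, 0x30)    # AlgorithmIdentifier (skipped)
    start, _ = _read_tlv(der, alg_end, 0x03)    # BIT STRING wrapping the key
    start, _ = _read_tlv(der, start + 1, 0x30)  # +1 skips the unused-bits byte
    start, end = _read_tlv(der, start, 0x02)    # INTEGER: the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

if __name__ == "__main__":
    host, data = flatten_showkeys(SHOWKEYS)
    bits = rsa_key_bits(data)
    print("host :", host)
    print("data :", data)
    print("key  :", bits, "bits", "(below 2048)" if bits < 2048 else "")
```
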