This is the 3rd post in a series about setting up an outbound SMTP server with DKIM signing and smart host forwarding. Here you will learn how to configure an existing Haraka server to sign all outbound emails with a DKIM header.
After setting up the libraries, config files, system service, and smart host forwarding, adding the DKIM plugin should seem like a breeze. I’m including a couple extra steps where the documentation didn’t quite get me all the way to the finish line.
DomainKeys Identified Mail, in case you weren’t familiar with it, allows the sending server to add a cryptographic signature to each message, with the public key needed to check that signature stored in a DNS record. The receiver can then verify that the signing server has a key for that domain.
Running the included script to generate DKIM keys only requires a few commands.
cd /etc/haraka/config/dkim
chmod 744 dkim_key_gen.sh
./dkim_key_gen.sh example.org
When that’s done, all you really need to do is open up the file named /etc/haraka/config/dkim/example.org/dns
The top of the file will have some helpful information formatted like this:
Add this TXT record to the example.org DNS zone.
jan2022._domainkey IN TXT v=DKIM1;p=.....
What you’re going to do next is open up your DNS records and create a new TXT record named exactly jan2022._domainkey, or in other words an FQDN of jan2022._domainkey.example.org. The value of the new record needs to be the entire string beginning with v=DKIM1;p= which should be well in excess of 1,000 characters.
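To confirm the long TXT value was pasted intact, the following added example (not part of the original post or of Haraka) compares the value from the dns file with the value your DNS lookup tool returns, including the quoted chunks that long TXT records are split into. The function names and the sample key are constructed for illustration; pass in the strings starting at v=DKIM1.

```python
import base64
import binascii
import re

# Constructed sample: 294 arbitrary bytes, the size of a 2048-bit RSA
# public key in DER form. It is not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()


def parse_dkim_txt(raw):
    """Parse a DKIM TXT value (starting at v=DKIM1) into a tag dict.

    Accepts the bare value or the quoted, chunked form DNS tools print,
    e.g. "v=DKIM1;p=AAA" "BBB".
    """
    chunks = re.findall(r'"([^"]*)"', raw)
    value = "".join(chunks) if chunks else raw
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags


def compare_records(generated, published):
    """Return a list of problems; an empty list means the records agree."""
    want, got = parse_dkim_txt(generated), parse_dkim_txt(published)
    problems = []
    if got.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    key = got.get("p", "")
    if not key:
        problems.append("empty p= (no usable key)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
        if key != want.get("p"):
            problems.append("p= differs from generated key")
    return problems


if __name__ == "__main__":
    generated = "v=DKIM1;p=" + SAMPLE_KEY
    chunked = '"v=DKIM1;p=%s" "%s"' % (SAMPLE_KEY[:240], SAMPLE_KEY[240:])
    print(compare_records(generated, chunked))             # intact
    print(compare_records(generated, generated[:-3]))      # truncated paste
```

An empty list means the published record carries the same key that the generator wrote; any entry in the list points at what to fix in the DNS zone before testing delivery.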
Notice the DKIM configuration was created in a domain-specific subdirectory, meaning you can re-run the key generator for other domains as needed. Haraka will automatically look up any available keys based on the sender’s domain name.
Next, create /etc/haraka/config/dkim_sign.ini with the required settings:
headers_to_sign=Subject,From,To
Only the From header is required, and you can customize that list.
Lastly, we need to make one more edit to the /etc/haraka/config/plugins file to un-comment the dkim_sign plugin.
Restart Haraka. Test it out! If you’ve followed the instructions from all three of my posts, any message sent to your new SMTP server will be securely accepted over TLS, then DKIM signed, and quickly forwarded to the specified smart host for SMTP transmission. Sending to a destination equipped with DKIM validation will allow you to see the full results in the message headers.
Update August 2024
As of v3.0.4, the plugin dkim_sign is no longer included with Haraka and must be installed separately. See haraka-plugin-dkim for details.