How to enable DKIM email signatures in amavisd-new and ISPConfig 3

Thursday, September 3, 2009 posted by admin

DKIM is a system to verify the sender and integrity of emails. ISPConfig 3 uses amavisd-new as a content filter for spam and virus scanning, and amavisd-new is also able to sign messages with DKIM. The next steps explain how to configure amavisd-new to sign messages for a domain named "" with DKIM. The steps below should work with any amavisd-new setup, even if you do not use ISPConfig.

1) Create the domain key:

mkdir /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem

2) Configure amavisd to use this key for the domain. Edit the amavisd configuration file

vi /etc/amavisd/amavisd.conf

and add the following lines:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(;  # list your internal networks

3) Run the command:

amavisd showkeys

to get the public key, which has to be added as a TXT record on the DNS server of the domain.

4) Test the setup with the command:

amavisd testkeys

and if it works properly, restart amavisd:

/etc/init.d/amavis restart
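
The following Python example is added here and is not from the original post or from amavisd-new. It flattens the zone-file style output of `amavisd showkeys` (step 3) into the record name and the single-string value to publish, then compares that value with the strings a DNS lookup returns, which is the condition step 4 depends on. The sample output, the domain example.com and the key data are constructed placeholders, and the output layout is assumed to be BIND zone format.

```python
import re

# Constructed sample of `amavisd showkeys` output; the key data is not a real key
# and example.com stands in for the domain that is missing from the page.
SHOWKEYS = '''\
; key#1, domain example.com, /var/db/dkim/example-foo.key.pem
foo._domainkey.example.com.\t3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCONSTRUCTEDSAMPLEKEY0000"
  "1111222233334444IDAQAB")
'''

def parse_showkeys(text):
    """Return {record_name: txt_value} from zone-file style showkeys output."""
    records = {}
    # record name, optional TTL, TXT, then the quoted strings inside ( ... )
    pattern = re.compile(r'^(\S+)\s+(?:\d+\s+)?TXT\s+\((.*?)\)', re.M | re.S)
    for name, body in pattern.findall(text):
        # The quoted chunks are one logical value; join them without separators.
        records[name.lower()] = "".join(re.findall(r'"([^"]*)"', body))
    return records

def tags(value):
    """Split a DKIM key record into tag=value pairs, dropping whitespace in values."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)   # base64 padding '=' stays in val
            out[key.strip()] = re.sub(r"\s+", "", val)
    return out

def check_published(expected, dns_txt_strings):
    """Compare the expected record with the character-strings DNS returned."""
    if not dns_txt_strings:
        return "missing"    # no TXT record found at <selector>._domainkey.<domain>
    got, want = tags("".join(dns_txt_strings)), tags(expected)
    if got.get("v") != want.get("v") or got.get("p") != want.get("p"):
        return "mismatch"   # e.g. stray quotes, truncated key, or an old key
    return "pass"

if __name__ == "__main__":
    for name, value in parse_showkeys(SHOWKEYS).items():
        print(name, "TXT", value)
```
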

Here is a more detailed description in the amavisd-new manual on how to set up DKIM in amavisd-new:

16 Responses to “How to enable DKIM email signatures in amavisd-new and ISPConfig 3”

  1. ionut_d says:

    And where is the amavis-new in this tutorial ’cause i just can’t see it

  2. Till says:

    See Step 2: The configuration file of amavisd-new is /etc/amavisd/amavisd.conf

  3. ionut_d says:

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

  4. ionut_d says:

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    There is no /etc/amavisd directory. I have /etc/amavis-new, but no .conf file

  5. Till says:

    This tutorial was written on Debian. It might be that the path or config file names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.

  6. Krupa says:

    Hi all, I'm using ISPConfig3 in Ubuntu9.4. It works great. I set up the DKIM signature based on this tutorial. But it ended up in the following error while issuing amavisd-new testkey.

    root@server1:/var/db/dkim# amavisd-new testkey
    TESTING#1: => invalid (public key: not available)

    Please help me!

  7. Till says:

    Have you added the public key in your dns server?

  8. Priyadarsan says:

    In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.

  9. freebourg says:

    Of course, like every tutorial you match it to your own configuration, not just copy & paste.

    In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
    And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.

    When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user

    I’d suggest you write the URL of this page in a comment in this file too “Just in case” (you need a new rsa key, for example).

  10. freebourg says:

    And you would need “libmail-dkim-perl” as well to run the “showkeys” command.

    OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is an officially recommended tutorial) ISPConfig3 on Debian Lenny.

  11. freebourg says:

    I said too many errors:

    of course &gt; should be replaced by >
    so that you see an arrow in your configuration file:
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    When you’ve done what it’s asked here. Do that:

    After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter: (don’t forget the last dot) as hostname
    put 3600 in TTL
    and the whole section with braces.

    Then, wait 30 sec and try “amavisd-new testkeys”.

    It should say pass. If not, wait 30 s more. If it’s not working either there is a real error. See what the commands return.

  12. freebourg says:

    was in the case you put “mail” instead of foo.
    Otherwise it should be “foo._domainkey”…

    This name (which is called a “selector”) should be unique. So don’t use it twice.

  13. linux says:

    you have to put the key into DNS zone file too

  14. Peter says:

    Nice tutorial, thank you!

    But I have a problem on my ISP-Config3.
    “amavisd testkeys” works well, but when I sent a mail, dkim is not written there.
    I have checked it with test tools, but no dkim was found.
    Did I need to make some other change, that the server put it in each mail of this domain?

    Best, Peter
