How to enable DKIM email signatures in amavisd-new and ISPConfig 3.0

NOTE: This post is about ISPConfig 3.0, not 3.1 and newer. ISPConfig 3.1 and newer have DKIM support built in; you can simply enable DKIM for the mail domain in the ISPConfig 3.1 GUI.

DKIM is a system to verify the sender and integrity of emails. ISPConfig 3 uses amavisd-new as a content filter for spam and virus scanning, and amavisd-new can also sign messages with DKIM. The next steps explain how to configure amavisd-new to sign messages for a domain named "" with DKIM. They should work with any amavisd-new setup, even if you do not use ISPConfig.

1) Create the domain key:

mkdir /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem

2) Configure amavisd to use this key for the domain. Edit the amavisd configuration file:

vi /etc/amavisd/amavisd.conf

and add the following lines:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw( );  # list your internal networks between the parentheses

3) Run the command:

amavisd showkeys

to get the public key that has to be added as a TXT record in the DNS server of the domain.

4) Test the setup with the command:

amavisd testkeys

and if it works properly, restart amavisd:

/etc/init.d/amavis restart
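
As an added example (not part of the original post and not amavisd-new code): the sketch below joins the quoted chunks of a showkeys-style record into the single TXT value a resolver has to return for the selector name, then sanity-checks its tags. The zone-file layout of the sample, the name example.test and the p= bytes are constructed assumptions.

```python
import base64
import re

# Constructed sample in the BIND zone-file layout assumed for "amavisd showkeys".
# example.test and the p= bytes are placeholders, not a real domain or key.
SAMPLE_SHOWKEYS = '''\
; key#1, domain example.test, /var/db/dkim/example-foo.key.pem
foo._domainkey.example.test.  3600 TXT (
  "v=DKIM1; p="
  "QUJDREVGR0hJSktM"
  "TU5PUFFSU1RVVldYWVo=")
'''

RECORD_RE = re.compile(r'^(\S+)\s+(\d+)\s+TXT\s+\((.*?)\)', re.M | re.S)

def join_chunks(text):
    """Concatenate quoted TXT character-strings with nothing in between."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_showkeys(text):
    """Return [(owner_name, ttl, joined_value)] for each TXT record found."""
    return [(owner, int(ttl), join_chunks(body))
            for owner, ttl, body in RECORD_RE.findall(text)]

def check_dkim_value(value):
    """Return a list of problems with a joined DKIM key record (empty list = OK)."""
    problems = []
    if any(ch in value for ch in '"()'):
        problems.append("zone-file quoting left in value")
    tags = {}
    for part in value.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= tag")
    if not tags.get("p"):
        problems.append("p= missing or empty")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    for owner, ttl, value in parse_showkeys(SAMPLE_SHOWKEYS):
        print(owner, ttl, value, check_dkim_value(value) or "OK")
```

Comparing the joined value with what a DNS lookup of the selector name returns shows whether the published record matches the key before "amavisd testkeys" is run.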

Here is a more detailed description in the amavisd-new manual on how to set up DKIM in amavisd-new:

21 thoughts on “How to enable DKIM email signatures in amavisd-new and ISPConfig 3.0”

    • if I understand correctly, at the first step, we need to replace
      amavisd by amavis-new

      and at the second step, do we need to be careful and remove output detail like $, ^??

  1. This Tutorial was written on debian. It might be that the path or config files names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.

  2. Hi all, I'm using ISPConfig3 in Ubuntu9.4. It works great. I set up the DKIM signature based on this tutorial. But it ended up in the following error while issuing amavisd-new testkey.

    [email protected]:/var/db/dkim# amavisd-new testkey
    TESTING#1: => invalid (public key: not available)

    Please help me!

  3. In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.

  4. Of course, like every tutorial you match it to your own configuration, not just copy & paste.

    In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
    And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.

    When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user

    I’d suggest you write the URL of this page in a comment in this file too “Just in case” (you need a new rsa key for example).

  5. And you would need “libmail-dkim-perl” as well to run the “showkeys” command.

    OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is an officially recommended tutorial) ISPConfig3 on Debian Lenny.

  6. I said too many errors:

    of course &gt; should be replaced by >
    so that you see an arrow in your configuration file:
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    When you’ve done what it’s asked here. Do that:

    After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter: (don’t forget the last dot) as hostname
    put 3600 in TTL
    and the whole section with braces.

    Then, wait 30 sec and try “amavisd-new testkeys”.

    It should say pass. If not, wait 30 s more. If it’s not working either there is a real error. See what the commands return.

  7. mail._domainkey….
    was in the case you put “mail” instead of foo.
    Otherwise it should be “foo._domainkey”…

    This name (which is called a “selector”) should be unique. So don’t use it twice.

  8. Nice tutorial, thank you!

    But I have a problem on my ISP-Config3.
    “amavisd testkeys” works well, but when I sent a mail, dkim is not written there.
    I have checked it with test tools, but no dkim was found.
    Did I need to make some other change, that the server put it in each mail of this domain?

    Best, Peter

    • This post is about ISPConfig 3.0, it does not apply to recent ISPConfig 3.1 versions. ISPConfig 3.1 has built-in DKIM support, so the above steps are not needed in ISPConfig 3.1 and will damage the setup if applied on ISPConfig 3.1.

