DKIM is a system to verify the sender and integrity of emails. ISPConfig 3 uses amavisd-new as content filter for spam and virus scanning and amavisd-new is also able to sign messages with DKIM. The next steps explain how to configure amavisd-new to sign messages for a domain named "" with DKIM. The steps below should work with any amavisd-new setup even if you do not use ISPConfig.

1) Create the domain key:

mkdir /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem

2) Configure amavisd to use this key for the domain Edit the amavisd configuration file

vi /etc/amavisd/amavisd.conf

and add the following lines:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(;  # list your internal networks

3) Run the command:

amavisd showkeys

to get the public key that has to be added as TXT record in the DNS server of the DNS server.

4) Thest the setup with the command:

amavisd testkeys

and if it works properly, restart amavisd:

/etc/init.d/amavis restart

Here is a more detailed description in the amavisd-new manual on how to setup DKIM in amavisd-new:

Tagged on:

17 thoughts on “How to enable DKIM email signatures in amavisd-new and ISPConfig 3

  • October 27, 2009 at 2:43 pm

    And where is the amavis-new in this tutorial ’cause i just can’t see it

    • December 20, 2015 at 3:47 pm

      if I understand correctly, at the first step, we need to replace
      amavisd by amavis-new

      and at the second step, do we need to be careful and remove output detail like $, ^??

  • October 27, 2009 at 2:52 pm

    See Step 2: The configuration file of amavisd-new is /etc/amavisd/amavisd.conf

  • October 27, 2009 at 3:17 pm

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

  • October 27, 2009 at 3:18 pm

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    There is no /etc/amavisd directory. I have /etc/amavis-new, but no .conf file

  • October 27, 2009 at 3:31 pm

    This Tutorial was written on debian. It might be that the path or config files names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.

  • November 3, 2009 at 6:13 pm

    Hi all, I;m using IPSConfig3 in Ubuntu9.4. It works great. I setup the DKIM signature based on this tutorial. But, it ended up in the following error while issuing amavisd-new testkey.

    root@server1:/var/db/dkim# amavisd-new testkey
    TESTING#1: => invalid (public key: not available)

    Please help me!

  • November 4, 2009 at 11:04 am

    Have you added the public key in your dns server?

    • November 8, 2009 at 9:32 am

      No. I didnt add public key, Please tell how to do so….

  • December 9, 2009 at 4:41 pm

    In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.

  • September 24, 2010 at 8:11 pm

    Of course, like every tutorial you match it to your own configuration, not juste copy & paste.

    In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
    And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.

    When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user

    I’d suggest you to write the URL of this page in a comment in this file too “Just in case” (you need a new rsa key of example).

  • September 24, 2010 at 8:17 pm

    And you would need “libmail-dkim-perl” as well to run the “showkeys” command.

    OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is a officially recommended tutorial) ISPConfig3 on Debian Lenny.

  • September 24, 2010 at 8:28 pm

    I said too many errors:

    of course > should be replaced by >
    so that you see an arrow in your configuration file:
    { ‘.’ => { ttl => 21*24*3600, c => ‘relaxed/simple’ } } );

    When you’ve done what it’s asked here. Do that:

    After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter: (don’t forget the last dot) as hostname
    put 3600 in TTL
    and the whole section with braces.

    Then, wait 30 sec and try “amavisd-new testkeys”.

    It should say pass. If not, wait 30 s more. If it’s not working either there is a real error. See what the commands return.

  • September 24, 2010 at 8:45 pm

    was in the case you put “mail” instead of foo.
    Otherwise it should be “foo._domainkey”…

    This name (which is called a “selector”) should be unique. So don’t use it twice.

  • September 2, 2011 at 4:30 pm

    you have to put the key into DNS zone file too

  • November 20, 2013 at 6:54 pm

    Nice tutorial, thank you!

    But i have a problem on my ISP-Config3.
    “amavisd testkeys” works well, but when i sent a mail, dkim is not written there.
    I have check it with test tools, but no dkim was found.
    Did i need to make some other change, that the server put it in each mail of this domain?

    Best, Peter


Leave a Reply

Your email address will not be published. Required fields are marked *