Install Sendmail with DKIM on Raspbian Stretch

I have a little Raspberry Pi that I hope will be the home of the future . It runs Raspbian Linux, which is basically Debian. Here are the steps I followed to get Sendmail working with DomainKeys Identified Mail (DKIM). I admit that this is something that most people will not need, so feel free to skip this article.

First, install sendmail:

sudo apt-get install sendmail

Test to make sure it’s working:

subject: testing sendmail
here is the body

The lone dot at the beginning of the last line closes and sends the message.  Check Yahoo mail to see that the message was received.  Note that I don’t use gmail for this test, which might reject mail from an unknown source as spam.

Now install opendkim:

sudo apt-get install opendkim opendkim-tools
sudo mkdir /etc/opendkim
cd /etc/opendkim
sudo opendkim-genkey -s k1 -d

k1 is the name I chose for the selector. is my domain, but of course, you would substitute your own in its place. Two files will be generated:
k1.private – private key information which should never leave the server, and
k1.txt – information to add to the zone file on my DNS server. The contents of this file are

k1._domainkey IN TXT "v=DKIM1\ ; k=rsa\ ;p=MIG ... IDAQAB"\;

A whole bunch of characters have been omitted above for brevity. k1._domainkey is the hostname for the record, and all the stuff between the quotation marks is the content of the record. You must add this record to your DNS server.  With some hosts, you can enter this information yourself; with others, you must ask their technical support to enter it for you. To check that the record has been added correctly:

dig txt +short

which should show the record previously entered.

The installation of opendkim should have created an opendkim user. Verify:

grep opendkim /etc/passwd

which should return something like


Make sure that the opendkim user can access the key file:

sudo chown opendkim:opendkim /etc/opendkim/k1.private

Test the domain key:

opendkim-testkey -d -s k1 -v -k /etc/opendkim/k1.private

If that silently returns to the prompt, the key is okay. Now set up opendkim to listen on a socket. This is not the only way to do this, just one way:

sudo vi /etc/default/opendkim

There may be a line starting with SOCKET= in there as the default. Comment that out, and uncomment the line of the form SOCKET=inet:12274@localhost . The port number does not have to be 12274 – choose one to suit yourself.  Save and quit.

Set other configuration information for opendkim:

sudo vi /etc/opendkim.conf

and make sure that it contains

Keyfile /etc/opendkim/k1.private
Selector k1
InternalHosts /etc/opendkim/TrustedHosts

Now edit the Trusted Hosts file:

sudo vi /etc/opendkim/TrustedHosts

Add at least localhost, but it doesn’t hurt to have every other possible address you can think of for the machine:

localhost #internet #intranet

With the recent version (v2.11.0) of opendkim that I installed, I had to do the following to regenerate the service startup:

sudo /lib/opendkim/opendkim.service.generate
sudo systemctl daemon-reload
sudo service opendkim restart

Note that the above must be done again any time the file /etc/default/opendkim is changed. This may no longer be required in future versions of opendkim. I hear a bug report has already been filed.

Now configure sendmail to use opendkim to sign outgoing mail.

sudo vi /etc/mail/

and append this line to the end:

INPUT_MAIL_FILTER(`opendkim', `S=inet:12274@localhost')

Note that in the above, a grave accent opens the quote, and an apostrophe closes it. Also, the port (12274 in the above case) must match the port previously chosen for opendkim. After saving the file, run

sudo m4 /etc/mail/ > /etc/mail/

For some reason, the above did not work on the Raspberry Pi that I had set up with a non-default administrator account, saying I didn’t have permission to write the output file. So what I did was:

sudo su
m4 /etc/mail/ > /etc/mail/

Restart sendmail:

sudo service sendmail restart

Then send another message to your Yahoo or other mail, as before. To confirm that things went well, look at the system log for sendmail and opendkim activity:

tail /var/log/mail.log

Also, open the message under Yahoo mail, and view the “raw message” (it might be called “full headers” or something else, depending on your mail service). It should have a line something like this showing DKIM pass:

Authentication-Results:; domainkeys=neutral (no sig);; dkim=pass (ok)
(Visited 604 times, 1 visits today)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.