DKIM keys via amavis

Generate new private/public key pair


amavisd-new genrsa /var/lib/amavis/example.key.pem 1024
openssl rsa -in /var/lib/amavis/example.key.pem -out /var/lib/amavis/example.key.pem.public -pubout -outform PEM

Create new configuration

vi /etc/amavis/conf.d/60-dkim


$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('', 'mail1550766080', '/var/lib/amavis/example.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(;

List public keys

amavisd-new showkeys
; key#2 1024 bits, i=mail1550766080,, /var/lib/amavis/example.key.pem	3600 TXT (
"v=DKIM1; p="

and copy it into the DNS zone.

Via ISPConfig web UI

Under Email > choose domain > DomainKeys Identified Mail (DKIM) you can generate the keys.

Don't add the public key via the ISPConfig web UI (DNS > Records), because the input form will truncate it if the key has 2048 bits. Instead, add it directly on the server in the zone file under /etc/bind, e.g.

... 86400      TXT        "v=spf1 a mx ip4: -all"
    3600       TXT        "google-site-verification=Vd9dD-9pxxxxxxxxxxxxxxxxxxxx-bdxxxxx"
    3600       TXT        "MS=ms20857300"
    3600       TXT        "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMwIv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJwBcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRNs3tjCMzu6eonaFWKmQIDAQAB"

If the key is generated via ISPConfig, it is automatically added.
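To catch the truncation described above before mail starts failing verification, the TXT value can be checked offline. The following is an added example, not part of the original wiki page or of amavis/ISPConfig: it joins the quoted strings of a DKIM TXT value, decodes p= and reads the RSA modulus size, raising ValueError when the key is cut short. The function names and the dummy sample key are assumptions constructed for the illustration.

```python
import base64
import re

def _tlv(buf, pos, tag):
    """Read one DER element at pos; return (start, end) of its value."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag or truncated data")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER length exceeds data, key is cut short")
    return pos, pos + n

def dkim_rsa_bits(rdata):
    """RSA modulus size in bits of the p= key in DKIM TXT rdata; ValueError if damaged."""
    # Zone files may split one TXT value into several quoted strings: join them.
    chunks = re.findall(r'"([^"]*)"', rdata)
    record = "".join(chunks) if chunks else rdata
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    der = base64.b64decode("".join(tags.get("p", "").split()), validate=True)
    s, _ = _tlv(der, 0, 0x30)        # SubjectPublicKeyInfo
    _, s = _tlv(der, s, 0x30)        # AlgorithmIdentifier, skipped
    s, _ = _tlv(der, s, 0x03)        # BIT STRING
    s, _ = _tlv(der, s + 1, 0x30)    # RSAPublicKey, after the unused-bits byte
    s, e = _tlv(der, s, 0x02)        # INTEGER modulus
    return int.from_bytes(der[s:e], "big").bit_length()

def to_zone_strings(record):
    """Split a TXT value into quoted strings of at most 255 bytes (RFC 1035 limit)."""
    return " ".join('"%s"' % record[i:i + 255] for i in range(0, len(record), 255))

def _der(tag, body):
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def constructed_record(bits):
    """Constructed sample: well-formed SPKI around a dummy modulus, not a usable key."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; t=s; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    zone = to_zone_strings(constructed_record(2048))
    print(zone.count('"') // 2, "strings,", dkim_rsa_bits(zone), "bit key")
```

Feed dkim_rsa_bits the TXT value exactly as it appears in the zone file or in a DNS lookup of the selector; to_zone_strings produces the multi-string form that a 2048-bit record needs in a BIND zone file.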

Check if the key is added

amavisd-new testkeys

TESTING#1 => pass
TESTING#2 => pass

Add new conf file

vi /etc/amavis/conf.d/70-policy_bank

with content

# policy bank to have mails DKIM signed
$policy_bank{'ORIGINATING'} = {
  # indicates client is ours, allows signing
  originating => 1,
  # force MTA to convert mail to 7-bit before DKIM signing
  # to avoid later conversions which could destroy signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  # forward to a smtpd service providing DKIM signing service
  # (if using a signing milter instead of signing by amavisd):
  forward_method => 'smtp:[]:10025',
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["spamalert\@$mydomain"],
};

# Use ORIGINATING policy to enable DKIM signing
$interface_policy{'10024'} = 'ORIGINATING';

Restart amavis

service amavis restart

Test (send mail to

Tested on

  • Debian Jessie 8.7
  • ISPConfig 3.1.1p1


wiki/dkim_keys_via_amavis.txt · Last modified: 2022/09/30 14:16 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal