Suppose iRedMail is installed and the DKIM key was generated during installation. First, let's see which public keys are present:
sudo amavisd-new showkeys
sudo amavisd-new -c /etc/amavis/conf.d/50-user showkeys
Suppose the following is displayed:
; key#1 1024 bits, i=dkim, d=ixnfo.com, /var/lib/dkim/ixnfo.com.pem
dkim._domainkey.ixnfo.com. 3600 TXT (
"v=DKIM1; p="
"AAA"
"BBB"
"CCC"
"DDD")
Accordingly, join the quoted parts of the key into a single string and add a TXT record on the DNS server:
dkim._domainkey TXT v=DKIM1;p=AAABBBCCCDDD;
And also for the mail subdomain:
dkim._domainkey.mail TXT v=DKIM1;p=AAABBBCCCDDD;
Let’s wait for a while and test:
sudo amavisd-new testkeys
dig -t txt dkim._domainkey.ixnfo.com
dig -t txt dkim._domainkey.mail.ixnfo.com
You can check from the Windows command line:
nslookup -type=txt dkim._domainkey.ixnfo.com
nslookup -type=txt dkim._domainkey.mail.ixnfo.com
If the DNS record has not yet been updated, or if something was entered incorrectly, there will be an error:
TESTING#1 ixnfo.com: dkim._domainkey.ixnfo.com => invalid (public key: not available)
If everything is correct, then:
TESTING#1 ixnfo.com: dkim._domainkey.ixnfo.com => pass
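The join-and-compare step above as a small shell helper. This is an added example, not part of the original article: the function names are hypothetical, and the sample input and the DNS answer are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Constructed sample: the showkeys output shown above.
SAMPLE_SHOWKEYS='; key#1 1024 bits, i=dkim, d=ixnfo.com, /var/lib/dkim/ixnfo.com.pem
dkim._domainkey.ixnfo.com. 3600 TXT (
"v=DKIM1; p="
"AAA"
"BBB"
"CCC"
"DDD")'

# Read showkeys output on stdin; print the joined TXT value of the first key.
dkim_txt_from_showkeys() {
    awk '
        /TXT[ \t]*\(/ { inrec = 1 }            # record body starts here
        inrec {
            line = $0
            while (match(line, /"[^"]*"/)) {   # take every "quoted" chunk
                out = out substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if ($0 ~ /\)/) { print out; exit } # closing paren ends the record
        }
    '
}

# Drop quotes, whitespace and trailing semicolons so that the local value,
# the zone entry and a multi-string DNS answer compare equal when the key matches.
dkim_normalize() {
    printf '%s' "$1" | tr -d '" \t\n' | sed 's/;*$//'
}

# Exit status 0 when both TXT values carry the same tags and key.
dkim_txt_matches() {
    [ "$(dkim_normalize "$1")" = "$(dkim_normalize "$2")" ]
}

local_txt=$(printf '%s\n' "$SAMPLE_SHOWKEYS" | dkim_txt_from_showkeys)
# Constructed answer, split into two strings the way resolvers return long TXT data.
published='"v=DKIM1;p=AAABBB" "CCCDDD;"'
if dkim_txt_matches "$local_txt" "$published"; then
    echo "published key matches: $local_txt"
else
    echo "MISMATCH: DNS does not carry the key amavis signs with" >&2
fi
```

On a live host, pipe `sudo amavisd-new showkeys` into `dkim_txt_from_showkeys` and pass the output of `dig +short -t txt dkim._domainkey.ixnfo.com` as the second argument to `dkim_txt_matches`.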
If you need to generate a DKIM key for a new domain, run the following (you can specify 2048 instead of 1024, but not every DNS service supports a key of that length):
amavisd-new genrsa /var/lib/dkim/new_domain.com.pem 1024
chown amavis:amavis /var/lib/dkim/new_domain.com.pem
chmod 0400 /var/lib/dkim/new_domain.com.pem
In the configuration file /etc/amavis/conf.d/50-user, find the entries for the old domain and add entries for the new domain after them. By default, one DKIM key is specified for all domains.
After the changes, restart amavis:
service amavis restart
service amavis status
To track down problems, you can add the primary domain to postmaster.google.com; statistics will also be displayed for subdomains. Help is available at https://support.google.com/mail/answer/6258950
See also my articles:
How to configure SPF records
How to add DKIM record
How to add DMARC record