May 28, 2013

652 words 4 mins read

AWS SES + Postfix + DKIM

For the last year or so I’ve been using SendGrid to relay all emails coming from my server. I don’t send a lot of emails through the system; it’s mostly notifications from the blog and a few related automated messages. While I like paid version of SendGrid (which I’ve used at work), the free version is lacking a few features and includes an unsubscribe link on emails which is really annoying. I decided to mix things up a bit and give Amazon Simple Email Service (AWS SES) a shot. Along with SES I wanted to configure all my mail to be signed with DKIM, on my server. I hope the internet continues to allow the anonymity it currently does, but that comes with a price (because people are abusive bastards), and that price is trust. DKIM is like trust, for email!

Please keep in mind that these instructions are for setting up DKIM signing on your own server. You also have the option of setting up DKIM on AWS SES itself. It will sign the messages no problem. The following were written on an Ubuntu 12.04 server, I expect that they’ll work for just about everyone with some minor location tweaks. While these instructions seem a little lengthy, and do take some time to complete due to DNS propagation, I assure you the process isn’t that complicated. So off to the first and most critical part, setting up AWS Simple Email Service

  • Sign up for AWS SES

  • Authorize a domain

  • Send a test message

  • Get a SMTP username & password from IAM

Once you’ve got AWS SES setup, you can move on to setting up the server portion. The instructions are for installing & setting up DKIM, configuring Postfix to use DKIM and lastly to relay all email sent through AWS SES.

  • apt-get install opendkim

  • mkdir /etc/mail/<strong>domain.tld</strong>

  • opendkim-genkey -D /etc/mail/<strong>domain.tld</strong>/ -d <strong>domain.tld</strong> -s myserver

  • nano /etc/opendkim.conf

  • Domain — domain.tld

  • KeyFile — /etc/mail/domain.tld/default.private

  • Select — myserver

  • OmitHeaders — Message-ID,Date,Return-Path,Bounces-To

  • Socket — inet:[email protected]

  • nano /etc/postfix/ `smtpd_milters = inet:
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept

  • smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = static:IAM_SMTP_USERNAME:IAM_SMTP_PASSWORD
    smtp_sasl_security_options = no anonymous
    smtp_tls_security_level = may
    header_size_limit = 4096000
    relayhost = []:587` * /etc/init.d/opendkim restart * /etc/init.d/postfix restart At this point you are effectively done with the server configuration. You'll need to take the DKIM record from /etc/mail/domain.tld/myserver.txt and put it into your DNS as a TXT record for `myserver._domainkey.domain.tld`. Two notes: #1 — the 'myserver' portion comes from 'Select' in opendkim.conf — you can change this name to anything you want — but change it in **BOTH** locations. #2 — Please make sure your DKIM record looks like: "`v=DKIM1; k=rsa; p=8ERhf3Zp....AQAB`" (My opendkim generated a record that dropped the 'k=' portion)

    Now you get to wait a while DNS propagates. Once you’ve waited for the correct amount of time (20 minutes-24 hours) you can test this out. Back to the server!

    • sendmail -t To: [email protected]<br /> From: [email protected]<br /> Subject: Testing me some DKIM<br /> Om nom nom<br /> I smell DKIM hash<br /> and it tastes like chicken<br /> .
    • Wait for the email to arrive @youremail
    • Check the email headers, look for “dkim=pass”
    email envelope
    If you saw the proper headers, hooray! You’re done! Not only are your emails relayed through the super reliable fairly reliable Amazon Web Services Simple Email Service, you are also successfully signing your messages with DKIM. If you use SPF records, you’ll also want to add “” to your SPF line. I know it seems like a lot of work just to get some email setup, but you didn’t come here looking for the “easiest” method, did you? Now there is one catch to this setup (isn’t there always?), it only works for the one domain name you’ve configured. Any other email domains sent from your server will not be DKIM signed. However, if you add the domains to AWS SES, the emails will be sent regardless.