ISPConfig – DKIM-Patch

This setup is for dkim-patch up to 0.4.1. For newer versions please see here.

I have already described how a DKIM key can be inserted into amavis automatically with ISPConfig. While that earlier solution works, it is not controllable via the interface and is therefore not available to customers/clients.

Therefore I have developed a plugin that

  • is integrated in the interface
  • allows one key pair per domain
  • creates the keys on the fly, so that they are identical on all servers in a multi-server environment
  • provides a placeholder for the DNS template
  • sets up the DNS entry for the DKIM key with one click

How it works
Detailed description
New / changed files

How it works

If a key pair for DKIM is created or pasted in the interface, the keys are written to the database and to files, and the corresponding entry is added to amavis. From then on all outgoing email for that domain can be signed with the DKIM key.
Then the public key must be entered in the DNS.


This setup works up to 0.2.5. For newer versions see DKIM-Patch.

With version 0.3.0 (you should use it with ISPConfig only) you must not alter the database; all other steps in this guide are still required.

alter the mysql database
Log in to mysql as the root user:

mysql -u root -p

or open the ISPConfig database in phpMyAdmin and run the following SQL.

Select the ISPConfig database (see $conf['db_database'] in /usr/local/ispconfig/interface/lib/) and extend the mail_domain table:

use dbispconfig;
ALTER TABLE `mail_domain` ADD `dkim_public` MEDIUMTEXT NOT NULL AFTER `domain`;
ALTER TABLE `mail_domain` ADD `dkim_private` MEDIUMTEXT NOT NULL AFTER `domain`;
ALTER TABLE `mail_domain` ADD `dkim` ENUM( 'n', 'y' ) NOT NULL AFTER `domain`;

Install the patch

cd /tmp
tar xfvz dkim-latest_ispconfig3.tar.gz
cd dkim_ispconfig3

Adjust the ownership (the interface files must belong to the ispconfig user)

chown -R ispconfig.ispconfig *

copy the new files,

cp -Rp interface /usr/local/ispconfig
cp -Rp server /usr/local/ispconfig

and activate the server-plugin

ln -s /usr/local/ispconfig/server/plugins-available/ /usr/local/ispconfig/server/plugins-enabled/

customize amavis
If perl-Mail-DKIM is not already present, install it as follows.
Ubuntu / Debian:

sudo apt-get install libmail-dkim-perl

Other distributions, via CPAN:

perl -MCPAN -e 'install Mail::DKIM'

If DKIM is not yet activated, a few parameters must be entered in amavisd. The corresponding config file is /etc/amavisd.conf (openSUSE) or /etc/amavis/conf.d/50-user (Debian).

Insert the following lines at the end. The host inside the square brackets of the smtp: URIs and the network list in @mynetworks did not survive on this page; fill in your own values, otherwise amavis cannot hand mail back to postfix and will not treat anything as originating:

$inet_socket_port = [10024,10026];
$forward_method = 'smtp:[]:10025';        # host between the brackets is missing here
$notify_method = 'smtp:[]:10027';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  forward_method => 'smtp:[]:10027',
};
@mynetworks = qw( );                      # list of local networks is missing here; add yours
$signed_header_fields{'received'} = 0;    # turn off signing of Received
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

customize postfix
Add a content filter to /etc/postfix/main.cf (the host between the square brackets did not survive on this page; use the address amavis listens on):

content_filter = amavis:[]:10024

and extend smtpd_sender_restrictions with check_sender_access regexp:/etc/postfix/, permit_mynetworks, check_sender_access regexp:/etc/postfix/. The entry then looks like:

smtpd_sender_restrictions =
  check_sender_access regexp:/etc/postfix/
  check_sender_access mysql:/etc/postfix/, regexp:/etc/postfix/

Create /etc/postfix/ with the following content (mail matched by this map is handed to the ORIGINATING policy bank on port 10026 and gets signed):

/^/ FILTER amavis:[]:10026

and /etc/postfix/ with (everything else goes to port 10024 and is only checked):

/^/ FILTER amavis:[]:10024

Keep in mind that amavis signs every message it classifies as originating for a domain that has a key; which submissions may use a given sender domain at all is still decided by postfix, not by the plugin.

Add the two listeners on which amavis hands mail back to postfix to /etc/postfix/master.cf. content_filter is emptied on both so that re-injected mail is not filtered again, and only mynetworks may connect; the network after mynetworks= did not survive on this page, set it to the address amavis connects from:

10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

10027 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes

Restart postfix and amavis

/etc/init.d/amavis restart
/etc/init.d/postfix restart

create a directory for the DKIM keys

mkdir /etc/postfix/dkim

The amavis user needs at least read access to this directory and to the key files in it.

adjust ISPConfig
Set the path for the DKIM keys under Server Config / Mail.

Keys can now be created for mail domains through the interface and registered in the DNS.

detailed description

Setting in server config
After installing the plugin you first need to define the path for the DKIM keys under Server Config. The plugin stores the private and the public key there.

Create the keys for a mail domain
When creating or editing a mail domain, the settings are made under DomainKeys Identified Mail (DKIM). The private key can be created with “Generate DKIM private key” or pasted in. The corresponding public key is displayed for information only and cannot be changed.

Enter the public key in the DNS
The public key can be inserted either through the wizard or by using the button within the zone. When using the wizard, the entry in the template must be {DKIM}|0|3600.
[Screenshot: DNS template creation]

Within an existing zone the public key can be inserted through the DKIM button.
[Screenshot: DNS zone edit]

[Screenshot: DNS zone edit, DKIM dialog]

The result is the same in both cases: the public key is registered under the default selector (what the plugin calls the validator):
[Screenshot: DNS zone edit, DKIM result]

After creating a DKIM key pair, both keys are stored in the database. The server plugin writes the two keys to files and extends the amavisd configuration with the corresponding entry, or adjusts the existing one.
Once the public key is registered in the DNS, the bind plugin writes the corresponding zone entry.

The keys can be tested with

amavisd testkeys

or, depending on the distribution,

amavisd-new testkeys

A correctly set up key reports

TESTING#1: => pass
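What the DNS step above has to produce, and what a verifier does with it, shown as an added Python example (my own illustration, not code from the patch or from ISPConfig): the PEM public key stored in dkim_public becomes the TXT value the {DKIM} placeholder expands to; a 2048-bit key is longer than one 255-octet TXT string and has to be published as several quoted strings; a verifier then checks that p= holds an RSA SubjectPublicKeyInfo (an empty p= is the “public key: not available” case testkeys reports) and queries the name <selector>._domainkey.<domain> taken from the DKIM-Signature header. The sample key is constructed in code and is not a real RSA key; example.com, the selector “default” and the header values are assumptions.

```python
# Added example (not code from the ISPConfig DKIM patch): build the TXT record
# the patch publishes for a mail domain, check a record the way a verifier reads
# it, and derive the DNS name a verifier queries for a given DKIM-Signature.
# Standard library only, so it runs offline; the sample key is constructed.
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption as DER TLV

def _der(tag, body):
    """Minimal DER TLV encoder (only needed for the constructed sample key)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = 1 if n < 0x100 else 2                      # long-form length
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def sample_public_pem(bits=2048):
    """CONSTRUCTED sample SubjectPublicKeyInfo with a dummy modulus; not a usable key."""
    n = (1 << (bits - 1)) | 0x10001                   # top bit set: exact bit size
    modulus = b"\x00" + n.to_bytes(bits // 8, "big")  # leading 0 keeps INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, RSA_OID + b"\x05\x00")           # rsaEncryption, NULL parameters
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body

def build_txt_record(public_pem):
    """PEM public key (what the patch stores as dkim_public) -> TXT record value."""
    b64 = "".join(line.strip() for line in public_pem.splitlines()
                  if line.strip() and not line.startswith("-----"))
    return "v=DKIM1; k=rsa; p=" + b64

def txt_strings(txt, limit=255):
    """One TXT <character-string> holds 255 octets at most, so a 2048-bit key
    needs several quoted strings in the zone; verifiers join them again."""
    return [txt[i:i + limit] for i in range(0, len(txt), limit)]

def parse_tags(value):
    """tag=value list shared by the DNS record and the DKIM-Signature header."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # drop folding whitespace
    return tags

def _enter(der, i, tag):
    """Check the DER tag at der[i]; return (length, index of first content byte)."""
    if der[i] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, i))
    if der[i + 1] < 0x80:
        return der[i + 1], i + 2
    n = der[i + 1] & 0x7F
    return int.from_bytes(der[i + 2:i + 2 + n], "big"), i + 2 + n

def rsa_modulus_bits(p_b64):
    """Walk SubjectPublicKeyInfo -> RSAPublicKey; return the modulus size in bits.
    ValueError (IndexError when truncated) means p= is not an RSA public key."""
    der = base64.b64decode(p_b64, validate=True)      # binascii.Error is a ValueError
    _, i = _enter(der, 0, 0x30)                       # SubjectPublicKeyInfo
    alg_len, j = _enter(der, i, 0x30)                 # AlgorithmIdentifier
    if not der[j:j + alg_len].startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    _, i = _enter(der, j + alg_len, 0x03)             # subjectPublicKey BIT STRING
    _, i = _enter(der, i + 1, 0x30)                   # RSAPublicKey, after unused-bits octet
    mlen, i = _enter(der, i, 0x02)                    # modulus INTEGER
    return int.from_bytes(der[i:i + mlen], "big").bit_length()

def check_record(txt):
    """Judge a published record as a verifier would: (ok, reason)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False, "not a v=DKIM1 / k=rsa record"
    if not tags.get("p"):                             # the 'public key: not available' case
        return False, "p= missing or empty: no key published (or revoked)"
    try:
        bits = rsa_modulus_bits(tags["p"])
    except (ValueError, IndexError) as exc:
        return False, "p= is not an RSA public key: %s" % exc
    if bits < 1024:
        return False, "RSA key too short (%d bits)" % bits
    return True, "rsa %d bits" % bits

def dns_name_for_signature(dkim_signature):
    """Selector s= and domain d= in the header decide what the verifier queries:
    the record must sit at <s>._domainkey.<d>, else 'key does not exist'."""
    tags = parse_tags(dkim_signature)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

# Constructed sample header: hypothetical domain, placeholder bh=/b= values.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; "
                    "s=default; h=from:to:subject:date; bh=dGVzdA==; b=c2ln")
```

To use it on a live domain, join the quoted strings that dig TXT <selector>._domainkey.<domain> returns and pass the result to check_record; the bind form of a new record is '" ".join('"%s"' % s for s in txt_strings(build_txt_record(pem)))'. A record that passes here while testkeys still reports “bad RSA signature” means the private key file on the server does not belong to the published public key, which is what happens when the key is regenerated but the zone is not updated.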

new / changed files

A  interface/lib/classes/
M  interface/web/admin/form/server_config.tform.php
M  interface/web/admin/lib/lang/en_server_config.lng
M  interface/web/admin/templates/server_config_mail_edit.htm
A  interface/web/dns/dns_dkim_edit.php
A  interface/web/dns/dns_dkim_get.php
M  interface/web/dns/dns_wizard.php
A  interface/web/dns/form/dns_dkim.tform.php
M  interface/web/dns/form/dns_template.tform.php
A  interface/web/dns/lib/lang/en_dns_dkim.lng
M  interface/web/dns/lib/lang/en_dns_template.lng
M  interface/web/dns/templates/dns_a_list.htm
A  interface/web/dns/templates/dns_dkim_edit.htm
M  interface/web/dns/templates/dns_wizard.htm
M  interface/web/js/dns_dkim.js
A  interface/web/js/mail_domain_dkim.js
A  interface/web/mail/mail_domain_dkim_create.php
M  interface/web/mail/form/mail_domain.tform.php
M  interface/web/mail/lib/lang/en_mail_domain.lng
M  interface/web/mail/templates/mail_domain_edit.htm
A  server/plugins-available/
  ALTER TABLE `mail_domain` ADD `dkim_public` MEDIUMTEXT NOT NULL AFTER `domain`;
  ALTER TABLE `mail_domain` ADD `dkim_private` MEDIUMTEXT NOT NULL AFTER `domain`;
  ALTER TABLE `mail_domain` ADD `dkim` ENUM( 'n', 'y' ) NOT NULL AFTER `domain`;


57 thoughts on “ISPConfig – DKIM-Patch”

  • Stefan


    Please, I have tried to install this patch on my ispconfig 3 and I think that everything is OK, but if I try to run this command: dig -t txt it returns an answer like this:

    <> DiG 9.9.5-9+deb8u1-Debian <> -t txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER< pass

    Please can you tell me if this response is good? How can I check if the email which I send has a correct DKIM signature?

    Thank you a lot.

    • Florian Schaal Post author

      If this is the full result for your query, your public key was not found in the dns. Is dkim your selector?
      You can get the result for the dkim-key with dig -t txt

  • basilis

    Good morning!
    Your patch seems to be the most (if not the only) elegant and automated way to install dkim support in ispconfig.
    In ispconfig, I very much like the clean upgrade path, which kind of guarantees the problem free operation of my server.
    I’d like to ask whether you think/know if your patch could somehow “break” that smooth and problem-free upgrading of ispconfig?
    In the event that a future version of ispconfig incorporates an automated solution for dkim, could a clean uninstall of your patch be made to ensure smooth upgrade of ispconfig?
    And in general, is there a clean and complete uninstall of your patch?
    Thank you very much and my best wishes for the new year. 🙂

    • Florian Schaal Post author

      With ISPConfig 3.1 the dkim code is part of ispconfig. With the next release you can update/upgrade ispconfig at any time without losing the dkim functionality. If you update to a 3.0.5 version, you have to install the dkim patch again.
      There is no uninstall script. Just remove the tag_as_ entries from postfix

      • basilis

        First of all, thank you for the fast reply.

        You say: “With the next release you can update/upgrade ispconfig at any time without losing the dkim-functionality.” Do you mean, that if I install /config your patch correctly and everything works fine, when I update to 3.1 all the DKIM changes and functionality (made by / thanks to your patch) will be incorporated and I will have to do no uninstalling of your patch, fiddling with the system etc?

        If another 3.0.5 point version appears before 3.1 and I have to install it, will I have to reinstall your patch and reconfigure it?


        • Florian Schaal Post author

          Yes. If we see another version before 3.1, just reinstall the patch. With 3.1 there is no need for this as this patch is a backport from 3.1.

  • Curtis Maurand

    I just installed the interface piece of the patch onto works like a charm. Nice work. Also, since I am using powerdns (pdns) rather than bind, I had to increase the length of the content field in the powerdns records table to 64000 (pdns recommendation) to accommodate the fields. Funny how the contained the altered tables, but not the interface for this, or maybe I didn’t see the plugin.

    Thanks for your hard work,
    Curtis Maurand

  • Faizal Afriansyah

    Why do mail servers like yahoo or google always detect my older dkim?
    I checked my dkim now and it is good (pass) in amavis testkey, the same as when I check in or; why does this happen? Is this a bug?

    • Florian Schaal Post author

      Maybe they did not get your latest key from your dns. Are you using different selectors?

        • Florian Schaal Post author

          so you just changed the selector and not the key, too?

          btw… if I search for your dkim-record, I can find a key for phinemo.

          • Faizal Afriansyah

            I changed the key too. Yes, of course you can find my dkim-record, but the question is: when I send a message, the mail server always detects my old selector (default)? Or can’t I change the selector?
            This is the error when I check mail verification:
            Summary of Results
            SPF check: pass
            DomainKeys check: neutral
            DKIM check: permerror
            Sender-ID check: pass
            SpamAssassin check: ham

            DKIM check details:
            Result: permerror (key “” doesn’t exist)
            ID(s) verified:
            Canonicalized Headers:

            Canonicalized Body:

            DNS record(s):

            NOTE: DKIM checking has been performed based on the latest DKIM specs
            (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
            older versions. If you are using Port25’s PowerMTA, you need to use
            version 3.2r11 or later to get a compatible version of DKIM.

            Thanks for your response Florian 🙂

          • Florian Schaal Post author

            amavisd-new testkeys
   => pass?

          • Faizal Afriansyah

            This is my amavis test, Florian:
            sudo amavisd-new testkeys
            TESTING#1: => pass

    • Kai

      Well, I’m sorry that I missed including the needed information.

      I tried again yesterday and everything is working right now.
      The reason for non working and stop sending emails was a typo that i made 🙁 Shame on me.

      Thumbs up for your good work Florian.


  • mccharlet


    I have this error with DKIM-Patch 0.3.1 (I think it’s after the last openssl update; my distribution is debian 7.5):

    amavisd-new testkeys
    RSA.xs:178: OpenSSL error: no start line at (eval 94) line 65.

    And the amavis service doesn’t start. If I remove the 60-dkim file it’s ok, but dkim isn’t configured.

    Best regards

    • mccharlet


      I disabled dkim and it’s ok.

      root@srv3:/etc/amavis/conf.d# amavisd-new testkeys
      No DKIM private keys declared in a config file.

      I activated dkim for two domains and I have another error now:

      root@srv3:/etc/amavis/conf.d# amavisd-new testkeys
      TESTING#1: => fail (bad RSA signature)
      TESTING#2: => invalid (public key: not available)

      Best regards

      • Florian Schaal Post author

        If a public key is not found or not available, you didn’t add your public key to the dns or it’s currently not available on the dns which amavis checks. If you run your own dns you can check the public key with “dig @YOURDNS default._domainkey.YOURDOMAIN TXT”. If you change your dkim key you must also update your dns. I will add this to the plugin, to make sure the dns is updated if you change your dkim key.

        To get the values for the key, please run “amavisd-new showkeys”

        I’m not sure if your problem is really related to the latest openssl update. I’m running wheezy 7.5, too, and have no problems. Could you please provide your amavis version and the openssl version?

        Anyway, to make sure this is not related to your openssl version, please try

        cd /tmp
        openssl rand -out random-data.bin 4096
        openssl genrsa -rand random-data.bin 1024 > test.priv
        cat test.priv | openssl rsa -pubout >

        and try the two keys with amavis.

        • mccharlet


          I removed all the dkim configuration and recreated all dkim certificates. Now it’s OK.

          Big thanks, Florian, for your help

          Best regards

          • Florian Schaal Post author

            just remove the tag_as_ settings from postfix and remove the dkim settings in amavis 50-user

    • Florian Schaal Post author

      This is already a part of ispconfig-devel (aka git-master) and will be available with 3.1

    • Florian Schaal Post author

      This happens when a private-key is associated with a wrong public-key. You have no public-key in your dns. You can check it with
      dig TXT

    • Florian Schaal Post author

      You can set up the validator when editing a mail domain with dkim enabled. But you can not change it from
      default._domainkey to default._xxxxxxxxxx since _domainkey is a required value in the dns record

      • zeromechanic

        Ok, the xx were unclear, sorry.
        I understand the _domainkey.
        Already in use.
        found this patch for use with ispconfig (.54p1)
        Lot easier than manual..

        I want to change the “default” into a custom

      • zeromechanic

        mm got an js error.

        when going to the mail domain :

        Uncaught TypeError: Cannot read property ‘nodeValue’ of null

        keys are not created.
        error :
        Uncaught TypeError: Cannot read property ‘nodeValue’ of null VM203:61

        rolling back install

  • Florian Schaal Post author

    It’s hard to answer your question without knowing what’s in your logs. Could you mail me a logfile when you sign your mails with dkim and send this mail to google or hotmail? Just use my mail address instead of posting your log as a comment.
    BTW: the SPF record for your domain uses only IPv4. Maybe you are connecting to google or hotmail using IPv6?

  • Juan

    ok, and I managed to solve it.

    It was the language problem.

    I have one more question, if I can help because they no longer do.
    When I send emails to gmail or hotmail it qualifies me as spam; the other servers receive them well but these do not.

    I have configured it, and now dkim and spf, but I still get well.

    any advice?


  • Juan

    I followed the instructions in the tutorial and all good, except that the link to generate the dkim private key does not appear for me.

    it can be due to this.

    work under debian wheezy system.


    • Florian Schaal Post author

      Is there an entry in the apache error log? Please make sure that all files within interface are owned by ispconfig.ispconfig. Run chown -R ispconfig.ispconfig /usr/local/ispconfig/interface.
      If you are not using the English language, this may also lead to the error that you can’t see the link/button to create the key.
      You can get the lng-files with


      This issue is already fixed within the next version. I will make a public release when the next ispconfig version is available, because the next version will only work on (or the current stable branch from the git repository).

  • schiffsratte

    In the recent current download (patch 0-25)
    there is a typo in de_mail_domain.lng in $wb[“dkim_txt”] = ‘DKIM aktivieren’;

    The ‘; at the end is missing, so the interface is not working if the language is German

  • djamu

    found 2 typo’s in

    cp $INTERFACE_DIR/dns/dns_wizard.php $INTERFACE_DIR/dns/dns_wizard.php.old
    should be :
    cp $INTERFACE_DIR/web/dns/dns_wizard.php $INTERFACE_DIR/web/dns/dns_wizard.php.old

    isn’t commented:
    cp $INTERFACE_DIR/web/mail/mail_domain_dkim_create.php $INTERFACE_DIR/web/mail/mail_domain_dkim_create.php.old
    (no such file)


    • Florian Schaal Post author

      The DNS record is available after you have successfully created the dkim key for the mail domain and it is stored in the database. Please check the error log of your webserver.

  • Jeroen

    I followed all instructions and have checked them several times, but I can’t get it to work; no mail is signed.

    To get amavis to sign mails, I have to add @mynetworks = qw(; to /etc/amavis/conf.d/50-user. But when I do so, every user can send email from any DKIM-enabled domain and everything will be signed nicely (both from desktop client and roundcube). For example: is logged in and can send signed mail from it, but can also send signed mail from Note that user2 is not necessarily an existing user.

    Do you guys have this problem as well or am I the only one?

    • Florian Schaal Post author

      You can set

      @mynetworks = qw(;

      Sorry. I just forgot to add this to the blog post and the INSTALL.TXT.

      If I send a local mail from a non-existing domain, the mail will not be signed. In this case the mail is classified as RelayedInbound by amavis since postfix didn’t tag the mail as ORIGINATING.

      You can find more information about the mailflow here:

      • Jeroen

        Thank you for your answer.

        The IP addresses in @mynetworks are the ones clients can send mail from, right? In that case, I want people to be able to send mail from any IP, since they can be all over the world. If I do as you suggest, only email from the local server will work, such as Roundcube.

        Of course, mail for non-existent domains can’t be signed, since there is no key for them. I’m talking about non-existent mailboxes and DKIM-enable domains.

        Is this supposed to happen?

        • Florian Schaal Post author

          Usually local mails are sent through your MTA (postfix). In my setup I use postfix to handle the content filter defined in “smtpd_sender_restrictions”.
          The installation instructions regarding postfix and amavis can also be found in the amavisd documentation.
          You can play around with the ip in @mynetworks, but for signing outgoing mails with postfix as documented in this post, you can set it to

          What your MTA does with unknown mailboxes has nothing to do with amavis. Your local MTA can handle unknown mailboxes as you define it. This must be defined within postfix.

          The mailflow is:

          INCOMING -> amavisd:10026 -> policy ORIGINATING (sign)


          INCOMING -> amavisd:10024

          That’s the reason for /etc/postfix/ and /etc/postfix/

  • Loïc

    Thanks for this tuto.
    I have a problem when I try to test with this command: amavisd-new testkeys

    The answer: No DKIM private keys declared in a config file.

    My key is declared in ispconfig


    • Florian Schaal Post author

      Are the key pairs created in the directory you defined in ispconfig (i.e. /etc/postfix/dkim)? Does the amavis user have at least read access to this directory?
      Is DKIM enabled in amavis (you see something like “amavis[31429]: DKIM code loaded” in your amavis log)?

      • Loïc

        Thanks for your answer, here is some information:

        ls -al /etc/postfix/dkim
        total 8
        drwxr-xr-x 2 root root 4096 14 sept. 19:42 .
        drwxr-xr-x 4 root root 4096 15 sept. 19:56 ..

        result :

        I tried to find amavis in /var/log, there is nothing (same with find / amavis-log)

        Also in my admin ispconfig I found “2013-09-14 18:18 Debug Unable to write DKIM settings; Check your config!” in show system log, monitor menu

        • Florian Schaal Post author

          Did you setup “/etc/postfix/dkim” in the interface as DKIM Path under system / server config / SERVER / mail?

          The error indicates, that there is no directory for dkim-keys defined in ISPConfig.

          BTW you can mail me at – so i can send you a server-plugin with much more logging so we can find out whats going wrong on your system.

          • Angel

            I have a two server configuration.
            Do I have to define the dkim-keys directory on the two servers?
            I’m receiving the error “Unable to write DKIM settings; Check your config!”
            However dkim is working well.

            Thanks for your time.

          • Florian Schaal Post author

            You must define (and create) the dkim directory on each server that acts as a mail server. The next release will create the dkim dir if it doesn’t exist. The error in your logs is removed in the next release, too. I will make 0.3 public when ispconfig is released, due to a lot of changed code.