## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
##   AddAllSignatureResults
##   ADSPAction
##   ADSPNoSuchDomain
##   BogusPolicy
##   DisableADSP
##   LDAPSoftStart
##   LocalADSP
##   NoDiscardableMailTo
##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

## Specifies the path to the process ID file.
PidFile /run/opendkim/opendkim.pid

## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
## messages.
Mode v

## Log activity to the system log.
Syslog yes

## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes

## Attempt to become the specified user before starting operations.
UserID opendkim:opendkim

## Create a socket through which your MTA can communicate.
Socket inet:8891@localhost

## Required to use local socket with MTAs that access the socket as a
## non-privileged user (e.g. Postfix)
Umask 002

## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat

## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports yes

## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster"

## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes

## SIGNING OPTIONS

## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/relaxed

## Domain(s) whose mail should be signed by this filter. Mail from other domains will
## be verified rather than being signed. Uncomment and use your domain name.
## This parameter is not required if a SigningTable is in use.
# Domain example.com

## Defines the name of the selector to be used when signing messages.
Selector default

## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024

## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private

## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
# KeyTable /etc/opendkim/KeyTable

## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable refile:/etc/opendkim/SigningTable

## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

## Identifies a set of "internal" hosts whose mail should be signed rather than verified.
# InternalHosts refile:/etc/opendkim/TrustedHosts

## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X

## Always oversign From (sign using the actual From and a null From) to prevent
## malicious addition of header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From

## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes
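
## ADDED EXAMPLE (not part of the OpenDKIM package or this file's original text):
## a small lint that checks the signing directives against the dependencies stated in
## the comments above (Mode, KeyFile, KeyTable, SigningTable, Domain, OversignHeaders).
## The rule ids, function names and sample configurations are constructed for illustration.

```python
# Added example (not from the OpenDKIM package). Rule ids and sample text are constructed.
RULES = {
    "mode-verify-only": "keys are configured but Mode has no 's'; nothing is signed",
    "table-pair-incomplete": "KeyTable and SigningTable must be enabled together",
    "keyfile-ignored": "KeyFile is ignored because KeyTable is enabled",
    "no-signing-domain": "signing is on but neither Domain nor SigningTable is set",
    "from-not-oversigned": "OversignHeaders does not list From",
}

def parse_conf(text):
    """Return {directive: value} for the active (uncommented) lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' and '##' lines are comments
            continue
        parts = line.split(None, 1)            # directive, then the rest as value
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint(conf):
    """Return the ids of the RULES that the parsed configuration violates."""
    found = []
    signing = "s" in conf.get("Mode", "v")     # the file states v is the default
    if not signing and any(k in conf for k in ("KeyFile", "KeyTable", "SigningTable")):
        found.append("mode-verify-only")
    if ("KeyTable" in conf) != ("SigningTable" in conf):
        found.append("table-pair-incomplete")
    if "KeyTable" in conf and "KeyFile" in conf:
        found.append("keyfile-ignored")
    if signing and "Domain" not in conf and "SigningTable" not in conf:
        found.append("no-signing-domain")
    oversigned = [h.strip().lower() for h in conf.get("OversignHeaders", "").split(",")]
    if signing and "from" not in oversigned:
        found.append("from-not-oversigned")
    return found

# Constructed samples: the active signing lines of the file above, then a broken edit.
SHIPPED = """Mode v
Selector default
KeyFile /etc/opendkim/keys/default.private
OversignHeaders From
"""
BROKEN = """Mode sv
KeyFile /etc/opendkim/keys/default.private
KeyTable /etc/opendkim/KeyTable
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("broken", BROKEN)):
        for rule in lint(parse_conf(text)):
            print(f"{name}: {rule}: {RULES[rule]}")
```

## The shipped defaults trip only the mode rule: a key file is configured, but with
## Mode v no outgoing message is signed until Mode is changed to s or sv.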