Updated Jan 27, 2026
1. Why Are OpenDKIM and OpenDMARC Critical?
In today’s email ecosystem, without DKIM and DMARC:
- Your emails are flagged as spam
- Gmail / Outlook do not trust your domain
- Your domain can be easily spoofed by attackers
These are not content‑security tools; they are identity‑authentication tools.
2. DKIM / DMARC in iRedMail Architecture
Outgoing Mail
↓
Postfix
↓
OpenDKIM ← Digital Signature
↓
Internet
↓
Receiver Mail Server
↓
OpenDMARC ← Policy Enforcement
DKIM = Signature | DMARC = Policy
3. What Is OpenDKIM?
OpenDKIM signs outgoing emails using your domain’s private key. The receiving server:
- Retrieves your public key from DNS
- Verifies the signature
- Ensures the message was not altered
- Confirms the sender’s identity
4. Components of OpenDKIM
- opendkim daemon
- Key Table
- Signing Table
- DNS TXT Record
Important Paths:
| Path | Description |
|---|---|
| /etc/opendkim/ | Main configuration |
| keys/ | DKIM keys |
| opendkim.conf | Primary config file |
| /var/log/maillog | Logs |
5. Generating DKIM Keys in iRedMail
amavisd-new genrsa /var/lib/dkim/example.com.pem 2048
Show the public key:
amavisd-new showkey example.com
6. DKIM DNS Record
dkim._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
Use a short TTL during testing.
7. Testing DKIM
opendkim-testkey -d example.com -s dkim
Or send an email to Gmail and check:
DKIM=PASS
8. What Is OpenDMARC?
OpenDMARC enforces DMARC policies. DMARC defines what should happen if SPF or DKIM fails:
- Accept
- Quarantine
- Reject
9. Example DMARC Record
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Policy meanings:
| p | Meaning |
|---|---|
| none | Monitoring only |
| quarantine | Send to spam |
| reject | Fully reject |
10. Recommended DMARC Deployment Steps
- p=none (monitoring)
- p=quarantine
- p=reject
Do not rush — moving too fast to reject can hurt inbox placement.
11. DMARC Reports
Daily XML reports from:
- Gmail
- Yahoo
- Microsoft
Tools to read reports:
- dmarcian
- Mail Analyzer
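The monitoring stage (p=none) is only useful if the reports are read before the policy is tightened. The following Python script is an added example, not part of the original article: it tallies, per sending IP, how many messages in one aggregate report failed DKIM and how many would be acted on under p=quarantine or p=reject. It assumes the report is already decompressed and uses the RFC 7489 element names without an XML namespace; the sample report and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (RFC 7489 aggregate layout); IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>7</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Return (published policy, {source_ip: counters}) for one report."""
    # Reports come from outside parties: refuse DTDs before parsing.
    if "<!DOCTYPE" in report_xml:
        raise ValueError("DTD not allowed in DMARC report")
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    sources = defaultdict(lambda: {"total": 0, "dkim_fail": 0, "dmarc_fail": 0})
    for row in root.iterfind("record/row"):
        stats = sources[row.findtext("source_ip")]
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        stats["total"] += count
        if dkim != "pass":
            stats["dkim_fail"] += count
        # DMARC fails only when neither aligned DKIM nor aligned SPF passes.
        if dkim != "pass" and spf != "pass":
            stats["dmarc_fail"] += count
    return policy, dict(sources)


def blocked_if_enforced(report_xml):
    """Message counts per source that p=quarantine/reject would act on."""
    _, sources = summarize(report_xml)
    return {ip: s["dmarc_fail"] for ip, s in sources.items() if s["dmarc_fail"]}


if __name__ == "__main__":
    policy, sources = summarize(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, s in sorted(sources.items()):
        print(ip, s)
    print("would be blocked:", blocked_if_enforced(SAMPLE_REPORT))
```

A source with a non-zero dkim_fail but zero dmarc_fail (192.0.2.25 in the sample) is a legitimate sender surviving on SPF alone; fix its signing before moving past p=none.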
12. Logs
grep dkim /var/log/maillog
grep dmarc /var/log/maillog
13. Common Issues
❌ DKIM fail
- Incorrect DNS record
- Selector mismatch
❌ Unwanted DMARC rejects
- SPF misconfigured
- DKIM not signing all mail
14. Professional Best Practices
- Use 2048‑bit DKIM keys
- One selector per domain
- Deploy DMARC gradually
- Monitor DMARC reports regularly
15. What Happens Without DKIM / DMARC?
| Condition | Result |
|---|---|
| No DKIM | Spam folder |
| No DMARC | Domain spoofing |
| Misconfigured | Legitimate emails rejected |
Conclusion
OpenDKIM signs your email identity, and OpenDMARC enforces trust policies. Without these two components, modern email delivery simply does not work reliably. With proper configuration, your domain becomes trusted, secure, and resilient against spoofing.
Written & researched by Dr. Shahin Siami