Operating system: Fedora Linux 42 x86_64
(1) Install opendkim-tools
# dnf install opendkim-tools -y
(2) Generate the DKIM private key and the DKIM record
# opendkim-genkey --append-domain --bits=2048 --directory=/etc/opendkim/keys/example.com --domain=example.com --note=20251027 --restrict --selector=tot-dkim --subdomains
(3) Configure opendkim on the mail server
/etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
Domain example.com
KeyFile /etc/opendkim/keys/example.com/tot-dkim.private
Selector tot-dkim
MinimumKeyBits 2048
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /usr/local/opendkim/var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /usr/local/opendkim/var/tmp
# chown -R opendkim:opendkim /etc/opendkim
/etc/opendkim/KeyTable
tot-dkim._domainkey.example.com example.com:tot-dkim:/etc/opendkim/keys/example.com/tot-dkim.private
/etc/opendkim/SigningTable
*@example.com tot-dkim._domainkey.example.com
/etc/opendkim/TrustedHosts
localhost
127.0.0.1
example.com
mail.example.com
(5) DKIM-related settings in the amavisd-new configuration file amavisd.conf
@dkim_signature_options_bysender_maps = ( {
"example.com" => { d => "example.com", a => 'rsa-sha256', ttl => 10*24*3600 },
});
dkim_key('example.com', "tot-dkim", "/etc/opendkim/keys/example.com/tot-dkim.private");
(6) Adding the DKIM record to the BIND 9.21.9 zone file example.hosts:
# cat /etc/opendkim/keys/example.com/tot-dkim.txt
tot-dkim._domainkey.example.com. IN TXT ( "v=DKIM1; n=\"20251027\"; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA9ap9OlmqV17HZo/fgP3MRBFEHeKM7NcKXrLVGItabo6tIWz5xP+dhBQHQB19pTQwnXSxk37PL3GJ5cz2cMQlFD1CbYuEU06pwG+Rc01yeu/DzhPHj27Sub561yVK/hOtcXVAH6x34DRZ0xylNPNEmVEblTyBH3qVNNscwt8M/fqSlIPARcGJ1gNb+aZWX26HxNiPzOBUFBye"
"QoqIO+Dqe0nXyQsrsLhXc3FB95LfZ7kYOjxg1Zow/iA8RFsWrlQaWcbuCLE6/fLdJRkENijbXfVvSzGTlnVDCPBZYutZy3NKEC7cl9Um9ssXojACCxscizOwwnOFoMfTa/WXmJOQIDAQAB" ) ; ----- DKIM key tot-dkim for example.com
# vi example.com.hosts
Add the following record:
tot-dkim._domainkey.example.com. 38400 IN TXT ("v=DKIM1; n=\"20251027\"; k=rsa; s=email;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA9ap9OlmqV17HZo/fgP3MRBFEHeKM7NcKXrLVGItabo6tIWz5xP+dhBQHQB19pTQwnXSxk37PL3GJ5cz2cMQlFD1CbYuEU06pwG+Rc01yeu/DzhPHj27Sub561yVK/hOtcXVAH6x34DRZ0xylNPNEmVEblTyBH3qVNNscwt8M/fqSlIPARcGJ1gNb+aZWX26HxNiPzOBUFBye"
"QoqIO+Dqe0nXyQsrsLhXc3FB95LfZ7kYOjxg1Zow/iA8RFsWrlQaWcbuCLE6/fLdJRkENijbXfVvSzGTlnVDCPBZYutZy3NKEC7cl9Um9ssXojACCxscizOwwnOFoMfTa/WXmJOQIDAQAB")
(7) Test DKIM
# amavisd testkeys
If the test passes, the output looks like this:
TESTING#1 example.com: tot-dkim._domainkey.example.com => pass
# nslookup -type=txt tot-dkim._domainkey.example.com 8.8.8.8
;; Truncated, retrying in TCP mode.
Server: 8.8.8.8
Address: 8.8.8.8#53
tot-dkim._domainkey.example.com text = "v=DKIM1; n=\"20251027\"; k=rsa; s=email;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA9ap9OlmqV17HZo/fgP3MRBFEHeKM7NcKXrLVGItabo6tIWz5xP+dhBQHQB19pTQwnXSxk37PL3GJ5cz2cMQlFD1CbYuEU06pwG+Rc01yeu/DzhPHj27Sub561yVK/hOtcXVAH6x34DRZ0xylNPNEmVEblTyBH3qVNNscwt8M/fqSlIPARcGJ1gNb+aZWX26HxNiPzOBUFBye"
"QoqIO+Dqe0nXyQsrsLhXc3FB95LfZ7kYOjxg1Zow/iA8RFsWrlQaWcbuCLE6/fLdJRkENijbXfVvSzGTlnVDCPBZYutZy3NKEC7cl9Um9ssXojACCxscizOwwnOFoMfTa/WXmJOQIDAQAB"
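An added example (not part of the original notes, and not code from OpenDKIM, amavisd-new or BIND): a Python check to run on the single-record tot-dkim.txt file from step (6) before copying it into the zone. It joins the quoted strings the way a resolver does, checks that each stays within the 255-byte TXT string limit, and reads the RSA modulus size out of the p= value to compare it with MinimumKeyBits 2048. The function names are this example's own.

```python
import base64, re, sys

def _tlv(buf, pos, want):
    """Read one DER element at pos, check its tag, return (value_start, value_end)."""
    if buf[pos] != want:
        raise ValueError(f"unexpected DER tag 0x{buf[pos]:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo blob (the decoded p= tag)."""
    seq, _ = _tlv(spki, 0, 0x30)           # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(spki, seq, 0x30)     # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(spki, alg_end, 0x03)  # BIT STRING; first value byte counts unused bits
    rsa, _ = _tlv(spki, bitstr + 1, 0x30)  # RSAPublicKey SEQUENCE
    start, end = _tlv(spki, rsa, 0x02)     # modulus INTEGER
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_dkim_record(zone_text, min_bits=2048):
    """Return (modulus_bits, problems) for one zone-file DKIM TXT record."""
    # Each "..." is one TXT character-string; resolvers concatenate them without separators.
    chunks = [re.sub(r"\\(.)", r"\1", c)
              for c in re.findall(r'"((?:[^"\\]|\\.)*)"', zone_text)]
    tags = dict(t.strip().split("=", 1) for t in "".join(chunks).split(";") if "=" in t)
    problems = []
    if any(len(c.encode()) > 255 for c in chunks):
        problems.append("a quoted string exceeds the 255-byte TXT limit")
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return 0, problems + ["p= is empty or missing (revoked key or truncated record)"]
    if tags.get("k", "rsa") != "rsa":
        return 0, problems + ["k= is not rsa; only RSA keys are sized here"]
    bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    if bits < min_bits:
        problems.append(f"RSA key is {bits} bits, below the required {min_bits}")
    return bits, problems

# Usage: pass the path of the tot-dkim.txt file written by opendkim-genkey.
if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_dkim_record(open(sys.argv[1]).read()))
```

An empty problem list together with a bit count of 2048 means the record agrees with the MinimumKeyBits setting in opendkim.conf.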