The default expectation here is to use DKIM software only for signing. Spamassassin has its own DKIM verifier, and it is much less headache-inducing to simply let it take care of it.
Generate DKIM key
mkdir /etc/dkim_keys
chgrp opendkim /etc/dkim_keys/
chmod 750 /etc/dkim_keys/
cd /etc/dkim_keys/
opendkim-genkey -b 1152 -s whateverselectorname
Choose the selector name as desired. 1152 bits is about as large a key as can meaningfully fit inside a single 255-octet TXT string.
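As an added example, not part of the original notes: a small Python checker for the record that opendkim-genkey writes to selectorname.txt. It joins the quoted strings, strips whitespace and the default k=rsa tag as the next step describes, verifies that the result fits one 255-octet TXT string, and splits it if it does not. The sample record and its p= value are constructed placeholders, not a real key.

```python
import base64
import re

TXT_STRING_MAX = 255  # RFC 1035: one TXT <character-string> holds at most 255 octets

# Constructed sample in the shape opendkim-genkey writes to <selector>.txt.
# The p= value is base64 of placeholder bytes, NOT a real RSA public key.
FAKE_P = base64.b64encode(bytes(range(170))).decode()
GENKEY_TXT = (
    'whateverselectorname._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={FAKE_P[:100]}"\n'
    f'\t  "{FAKE_P[100:]}" )  ; ----- DKIM key whateverselectorname for example.com\n'
)

def flatten_record(genkey_txt: str) -> str:
    """Join the quoted strings of the BIND-style record into one tag string."""
    return "".join(re.findall(r'"([^"]*)"', genkey_txt))

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def minimize(value: str) -> str:
    """Drop whitespace and the default k=rsa tag, as the next step recommends."""
    tags = parse_tags(value)
    if tags.get("k", "rsa") == "rsa":
        tags.pop("k", None)
    return ";".join(f"{k}={v}" for k, v in tags.items())

def check_record(value: str) -> list:
    """Return problems found; an empty list means the record fits one TXT string."""
    problems, tags = [], parse_tags(value)
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= is empty, which RFC 6376 treats as a revoked key")
    except ValueError:
        problems.append("p= is not valid base64")
    if len(value.encode()) > TXT_STRING_MAX:
        problems.append(f"{len(value)} octets exceeds {TXT_STRING_MAX}; split into strings")
    return problems

def split_for_dns(value: str) -> list:
    """Split a long value into <=255-octet strings that resolvers concatenate."""
    return [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]
```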
Remove the spaces and the k=rsa tag from the selectorname.txt file, so it looks like:
There is room for additional options in the configuration, but they are largely unnecessary.
# Log to syslog
Syslog yes
# If you run even a modest mailserver, the mailing logs get -immense-.
# I like to split them up accordingly.
SyslogFacility LOCAL1
# Required to use local socket with MTAs that access the socket as a
# non-privileged user (e.g. Postfix).
# With 007, we add postfix to opendkim's group so it can access the socket.
UMask 007

# Domain is a dataset, which if just a string is a comma-separated list.
# opendkim is unfortunately not compiled with MySQL support by default in
# Debian, else I'd use that.
Domain example.com,example.net
# There is little reason to have more than one key/selector per connected
# mail network, it just creates a hassle in my opinion.
# It is possible if you actually need to, however.
KeyFile /etc/dkim_keys/whateveridentifier.private
Selector whateveridentifier
# Using years seems a common convention for selectors.

# Relaxed basically ignores whitespace. Seems lots of things like to play
# with said whitespace especially in the header, so relaxed/relaxed or
# relaxed/simple is best.
Canonicalization relaxed
# Sign only. Verification is spamassassin's job.
Mode s
SignatureAlgorithm rsa-sha256
# Don't turn on autorestart without specifying a rate or limit.
AutoRestart yes
AutoRestartRate 2/1m

# Always oversign From (sign using the actual From and a null From) to prevent
# malicious header fields (From and/or others) being added between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
Don't forget to restart opendkim.
The remaining configuration is done in the MTA.