The DynDN.eS Blog

About DynDN.eS, eQmail, Gentoo & some other network stuff


DKIM for eQmail and (net)qmail

After I announced eQmail 1.08 I was asked how to do DKIM signing. That forced me to review my existing DKIM stuff and turn it into a package: qmail-xdkim. It is based on, I would say, conceptual work by Kyle Wheeler and Joerg Backschues (found here), but I extended it to be considerably more flexible. I do not, however, use the deprecated predecessor DomainKeys.

qmail-xdkim is a small suite of three scripts to handle DKIM signing and verifying. It contains

  • mkdomainkey
  • qmail-sdkim
  • qmail-vdkim

and the related man pages. All three tools depend on libdkim. I recommend using my libdkim fork xdkim, which has some improvements. However, this article does not explain how DKIM (libdkim/xdkim) works.

qmail-xdkim itself does not patch any files; it plugs into the pipes between qmail programs. See the paragraphs on qmail-sdkim and qmail-vdkim for how to do this. By the way, this shows one of the big advantages of (net)qmail, although renaming the original binaries is certainly not a really clean solution (see below for alternatives too). Because of this, qmail-xdkim should work with any derivative of qmail.

In general: rename qmail-remote and have qmail-sdkim call the renamed binary; likewise rename qmail-queue and have qmail-vdkim call the renamed binary.

qmail-xdkim was tested and works with eQmail 1.08.1 and netqmail-1.06, and will work with the upcoming version eQmail 1.09.

qmail-xdkim is available as an openqmail-extra package (download): qmail-xdkim (pre-release)

qmail-xdkim will be discussed on the openqmail mailing list.

Installation

Unfortunately there is no install routine at the moment, so it is a bit of manual work. Assuming your qmail installation is in /var/qmail, do:

$ cp mkdomainkey qmail-sdkim qmail-vdkim /var/qmail/bin
$ cp *.8 /var/qmail/man/man8
$ cd /var/qmail/bin
$ chmod 755 mkdomainkey qmail-sdkim qmail-vdkim
$ chown root:qmail mkdomainkey qmail-sdkim qmail-vdkim

Alternatively, use the user qmaild or qmailr instead, but make sure to set proper access rights in all the places that need them. It may be a good idea to add /var/qmail/bin to your $PATH variable and the man page folder to $MANPATH.

As mentioned above I recommend xdkim, so it should be installed now too. In case libdkim is chosen instead, edit the variable $XDKIM in qmail-sdkim and qmail-vdkim to XDKIM=libdkimtest.

mkdomainkey

This script creates the DKIM key pair for a given domain:

$ ./mkdomainkey example.com
Generating RSA private key, 1024 bit long modulus
................++++++
.....++++++
e is 65537 (0x10001)
writing RSA key
 
TXT record for BIND:
 
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzeOXKJSQPkL5lnNtKFvvgCMYIeh+brPGVbZUMHuh7MvbBXxubQjupcpE2MlvONr6FsUZ+6/Lx72hjLkTeffi5G/oNRMzYjvw9lo8HdVHLV2uG1q8HOtjd/0yWlr8+MiaWElVIfPa58eJA5aEklltKNl4C2kqoYJTEpO+V13Lr/QIDAQAB"

The new key pair with the selector default will be created in /etc/domainkeys. Another selector can be chosen with the -s switch. The TXT record is formatted to be added to a BIND nameserver (all on one line).

Attention! Do not put backslashes into a TXT record! They cause verification to fail. Some versions of dig add these backslashes to their output, which led to the misunderstanding that they have to be in the original record.

The TXT record can be shown for a domain at any time with

$ mkdomainkey -p example.com
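As an added example (not part of qmail-xdkim or mkdomainkey), a small Python check that takes the record printed above and catches the pitfalls this section mentions before the record is published: stray backslashes, a p= value that is not a DER-encoded RSA public key, and the t=y test flag. The DER walk, the size check and the function names are my own helpers; the record itself is the one shown above.

```python
import base64

# DKIM TXT record as printed by mkdomainkey on this page (selector "default").
P_VALUE = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzeOXKJSQPkL5lnNtKFvvg"
           "CMYIeh+brPGVbZUMHuh7MvbBXxubQjupcpE2MlvONr6FsUZ+6/Lx72hjLkTe"
           "ffi5G/oNRMzYjvw9lo8HdVHLV2uG1q8HOtjd/0yWlr8+MiaWElVIfPa58eJA"
           "5aEklltKNl4C2kqoYJTEpO+V13Lr/QIDAQAB")
RECORD = "v=DKIM1; k=rsa; t=y; p=" + P_VALUE

def parse_tags(txt):
    """Split a DKIM tag-list (RFC 6376, 3.2) into a dict, dropping folding whitespace."""
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags

def _der(buf, i, tag):
    """Check the DER tag at buf[i]; return (content length, offset of content)."""
    if buf[i] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, i))
    if buf[i + 1] < 0x80:                  # short-form length
        return buf[i + 1], i + 2
    n = buf[i + 1] & 0x7F                  # long form: n length bytes follow
    return int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    _, i = _der(spki, 0, 0x30)             # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _der(spki, i, 0x30)       # AlgorithmIdentifier (rsaEncryption), skipped
    _, i = _der(spki, i + alg_len, 0x03)   # BIT STRING wrapping the key
    _, i = _der(spki, i + 1, 0x30)         # +1 skips the unused-bits byte; RSAPublicKey
    n_len, i = _der(spki, i, 0x02)         # modulus INTEGER (leading 0x00 if high bit set)
    return int.from_bytes(spki[i:i + n_len], "big").bit_length()

def check_record(txt):
    """Sanity-check a DKIM TXT record before publishing it."""
    problems = []
    if "\\" in txt:                        # the backslash pitfall described on this page
        problems.append("record contains backslashes; publish the raw record, not dig output")
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=" + tags["k"])
    bits = None
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):       # binascii.Error is a ValueError subclass
        problems.append("p= is not a base64-encoded DER RSA public key")
    return {"problems": problems, "bits": bits, "testing": "y" in tags.get("t", "").split(":")}
```

A record with t=y is in test mode: verifiers are told to treat a failing signature from such a domain like an unsigned message, so remove the flag once signing works.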

qmail-sdkim

qmail-sdkim inserts a DKIM signature into an outgoing mail. It should create valid DKIM signatures by default; the default parameters used with xdkim are tested to work with Google (gmail.com). Nevertheless, edit it to your needs if necessary.

qmail-sdkim has to be executed before qmail-remote. I highly recommend using my qmail-bfrmt patch to do this, not only because it is more fault-tolerant. It is the way I do it, and the two (should ;-)) work out of the box together. qmail-sdkim calls qmail-remote by itself with the necessary parameters.

Read the included man page(s) for more details, as well as the documentation of qmail-bfrmt. qmail-sdkim uses splogger to log to the syslog.

An alternative is the old-school way (renaming binaries):

$ cd /var/qmail/bin
$ mv qmail-remote qmail-remote.bin
$ ln -s qmail-sdkim qmail-remote

Important: By default the variable $DKREMOTE points to qmail-remote.bin and assumes that qmail-sdkim is in the same directory! Change this if necessary, either in the qmail-sdkim script itself or by setting it as an environment variable beforehand to override it (e.g. in the run script).

qmail-vdkim

This tool is still considered experimental, a beta version. It is NOT ready for production out-of-the-box yet!

There are several points where qmail-vdkim can be plugged into the incoming pipe. The important thing is that it has to be invoked before qmail-queue. If you have the qmailqueue patch, the environment variable $QMAILQUEUE can be used, e.g. in the run file:

QMAILQUEUE=/var/qmail/bin/qmail-vdkim
tcpserver ...

Note that qmail-vdkim calls qmail-queue by itself (by default).

There is an old-school way too, roughly like this:

$ cd /var/qmail/bin
$ mv qmail-queue qmail-queue.bin
$ ln -s qmail-vdkim qmail-queue

Edit/set the $DKQUEUE variable to the real  qmail-queue  binary.

DKIM requires CRLF line endings; otherwise the verification will fail. qmail-vdkim uses the tool unix2dos to convert line endings, so install it if necessary. If a DKIM signature was found in the message, qmail-vdkim adds an X-Authentication-Results header.
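Added example, not qmail-vdkim's code: the DKIM body hash computed over a constructed message body once with bare LF (as qmail delivers it) and once with CRLF, which shows why a LF-only message fails the bh= check and why the unix2dos step fixes it. canon_body, body_hash and bh_matches are my own minimal implementations of RFC 6376 body canonicalization and of the bh= comparison a verifier makes.

```python
import base64
import hashlib
import re

# Constructed sample body: as qmail hands it over (bare LF) and as DKIM expects it
# (CRLF), with doubled spaces and trailing blank lines that canonicalization touches.
BODY_LF = b"Hello,\n\nthis  is a   test.  \n\n\n"
BODY_CRLF = BODY_LF.replace(b"\n", b"\r\n")

def unix2dos(body):
    """Turn bare LF into CRLF without doubling CRLFs that are already there."""
    return body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def canon_body(body, algo="simple"):
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    if algo == "relaxed":                  # strip trailing WSP, collapse WSP runs per line
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    body = body.rstrip(b"\r\n")            # ignore all empty lines at the end of the body
    if body or algo == "simple":           # simple: an empty body becomes a single CRLF
        body += b"\r\n"
    return body

def body_hash(body, algo="simple"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, algo)).digest()).decode()

def bh_matches(dkim_sig, body):
    """Compare the bh= tag of a DKIM-Signature value with the body; c= selects the canon."""
    tags = dict(t.strip().split("=", 1) for t in dkim_sig.split(";") if "=" in t)
    body_algo = (tags.get("c", "simple") + "/simple").split("/")[1]   # c=header/body
    return tags["bh"].replace(" ", "") == body_hash(body, body_algo)

if __name__ == "__main__":
    for name, body in (("LF", BODY_LF), ("CRLF", BODY_CRLF), ("unix2dos", unix2dos(BODY_LF))):
        print(name, body_hash(body, "relaxed"))
```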

Troubleshooting hints

  • verify all paths and check that the third-party tools are installed
  • stop using the softlimit program
  • a good explanation of why verification fails: DKIM verification errors
