Postfix as a Send-only SMTP Server on Ubuntu 14.04 and Configure DKIM and SPF

First of all, I want to start out by saying that I followed a very good write up (links below this paragraph) from DigitalOcean to accomplish this exact task.  I’m simply putting the key commands here for a quick reference for myself.  None of this I take credit for, and that goes to DigitalOcean for the phenomenal write up, so thank you to the folks over there!

How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 14.04

How To Install and Configure DKIM with Postfix

Let’s get started.  To get this installed, I’m using nano editor as I’m a Linux noob and I like nano.  You’ll need a sudo level account, well it will make this a lot easier anyways. This should also require a basic knowledge of the Ubuntu system and the nano editor.  As well as any basic mail protocols and DNS would help as well.

Step 1 – Configuring Postfix for SMTP on the localhost interface only

sudo apt-get install mailutils

Select Internet Site

For “mail name”, place your domain or subdomain you would like mail to be delivered as.  Example, or

Only accept SMTP requests from the local interface:

sudo nano /etc/postfix/

Change this:

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

To this:

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only

Restart Postfix

sudo service postfix restart

Test the mail server.  In the [email protected], place your email instead.  This will likely end up in your spam folder so be sure to check there:

echo "This is the body of the email" | mail -s "This is the subject line" [email protected]

Step 2 – Configure DKIM

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install opendkim opendkim-tools
sudo nano /etc/opendkim.conf

Add this block of code to the end of the file:

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:[email protected]
sudo nano /etc/default/opendkim

Add this line to that file:

SOCKET="inet:[email protected]"
sudo nano /etc/postfix/

Make sure that these two lines are in the file and not commented out:

milter_protocol = 2
milter_default_action = accept

In that same file, if these are not present (or if they are), modify / add the following lines to the end of the file:

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys:

sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
sudo nano /etc/opendkim/TrustedHosts

Goes without saying, change with your domain:


Create a key table (again, change to your domain):

sudo nano /etc/opendkim/KeyTable

Create a signing table (do I really need to say it again?):

sudo nano /etc/opendkim/SigningTable

[email protected]

Generate the public and private keys

cd /etc/opendkim/keys
sudo mkdir
sudo opendkim-genkey -s mail -d
sudo chown opendkim:opendkim mail.private
sudo nano -$ mail.txt

Add the public key to the domain’s DNS records.  I found it easier to use FileZilla to copy the mail.txt contents, but do what you wish here.  You don’t want to add the entire contents to DNS, just the following line (yours will be different, so copy that one, not the one below):


In you DNS provider, create a new TXT record:



Restart services:

sudo service postfix restart
sudo service opendkim restart

Add SPF records to your DNS

Adding a valid SPF record can also help avoid Spam filters.  This varies on your provider but typically doing something like this will help.  Granted, if your DNS for this server has A records for the IP in which the domain your are editing…

TXT @ "v=spf1 a ~all"


Husband, father, dog owner, technology enthusiast, player of PC games. Systems Administrator / Engineer over the last five years. Some of the articles here are thoughts and opinions based on my own beliefs and are not associated with my employer.

Leave a Reply

Your email address will not be published. Required fields are marked *