If you are using DNSSEC you can now use it to verify DKIM keys with opendkim.
This does require a bit of configuration.
Opendkim uses unbound for DNSSEC support.
You have to:
- Install the unbound package (not just the library, which is already pulled in as an opendkim dependency)
- Configure the DNSSEC trust anchor for unbound ( either in /etc/unbound/unbound.conf or by adding a configuration snippet to /etc/unbound/unbound.conf.d – the latter makes it much less likely you’ll have to resolve conflicts in the configuration file if the default file is changed on later package upgrades)
- Update /etc/opendkim.conf and add:
ResolverConfiguration /etc/unbound/unbound.conf
Once that’s done, restart opendkim and your DKIM key queries are DNSSEC protected (you can verify this in your mail logs since opendkim annotates unprotected keys when it logs).
Note: This should also apply to Ubuntu 14.04, 14.10, and 15.04.
