How to include Gmail’s Feedback-ID header in DKIM signature

Feedback-ID is an additional header required by the Gmail Feedback Loop to see aggregated data in Google Postmaster Tools. Gmail requires it to be included in the DKIM signature. The following guide explains how to configure this in OpenDKIM :

Edit opendkim.conf

vim /etc/opendkim.conf

Add the following line :

SignHeaders Feedback-ID

Reload opendkim :

systemctl reload opendkim.service

Reload postfix :

systemctl reload postfix.service

Send a test email to Gmail with swaks :

swaks --from [email protected] --to [email protected] --h-Feedback-ID 123:asd:123 --server

My test mail results :

dkim=pass [email protected] header.s=key1 header.b=oY1NVInb;
spf=pass ( domain of [email protected] designates as permitted sender) [email protected];
dmarc=pass (p=REJECT sp=REJECT dis=NONE)
Date: Sun, 12 Nov 2017 11:04:42 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=key1; t=1510484682;       
bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; h=From:Feedback-ID:From;     
To: [email protected]
From: [email protected]
Subject: test Sun, 12 Nov 2017 11:04:42 +0000
Message-Id: <[email protected]>
X-Mailer: swaks v20170101.0
Feedback-ID: 123:asd:123

This is a test mailing
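
To check a delivered test message the way the result above is read, the following added example (not part of the original post) parses the h= tag of the DKIM-Signature header and reports whether Feedback-ID is covered, which headers are oversigned, and which headers present in the message are not signed. The sample message is constructed from the test result above; the example.com and example.net names, the d= value and the Message-Id are placeholders for the redacted values.

```python
import re
from email import message_from_string

# Constructed sample modelled on the test result above; domain, addresses and
# Message-Id are placeholders, b= is the shortened value Gmail displays.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=key1;
\tt=1510484682; bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;
\th=From:Feedback-ID:From; b=oY1NVInb
Date: Sun, 12 Nov 2017 11:04:42 +0000
To: rcpt@example.net
From: sender@example.com
Subject: test Sun, 12 Nov 2017 11:04:42 +0000
Message-Id: <constructed-id@example.com>
X-Mailer: swaks v20170101.0
Feedback-ID: 123:asd:123

This is a test mailing
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def coverage(raw):
    """Compare the headers listed in h= with the headers present in the message."""
    msg = message_from_string(raw)
    sig = msg["DKIM-Signature"]
    if sig is None:
        raise ValueError("message has no DKIM-Signature header")
    signed = [h.lower() for h in parse_tags(sig).get("h", "").split(":") if h]
    present = [k.lower() for k in msg.keys() if k.lower() != "dkim-signature"]
    return {
        "feedback_id_signed": "feedback-id" in signed and "feedback-id" in present,
        # listed in h= more often than present: adding another copy later breaks the signature
        "oversigned": sorted({h for h in signed if signed.count(h) > present.count(h)}),
        "unsigned": sorted({h for h in present if h not in signed}),
    }

if __name__ == "__main__":
    for key, val in coverage(SAMPLE).items():
        print(f"{key}: {val}")
```

For the test mail above, this reports Feedback-ID as signed and From as oversigned, while Date, To, Subject, Message-Id and X-Mailer do not appear in h=.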

How to configure OpenDKIM with Postfix

In this HowTo, you will find out how we configured OpenDKIM and Postfix (3.1.0) to sign our emails with DKIM. I will not cover what DKIM is or settings like hash algorithms, DKIM identity, selectors, etc.

Install OpenDKIM and tools.

apt-get install opendkim opendkim-tools

Add the following settings to /etc/opendkim.conf after “UserID” directive.

# Map AuthorDomains to RSA keys.
KeyTable /etc/dkimkeys/rsakeys.table
SigningTable refile:/etc/dkimkeys/signingdomains.table

# "simple" recommended by DKIMCore
Canonicalization simple

Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
OversignHeaders From

Generate RSA key for

cd /etc/dkimkeys/
opendkim-genkey --bits=1024 --selector=key1 --append-domain

It will create two files: “key1.private”, which is for the server side, and “key1.txt”, which contains the following DNS record that needs to be created in the zone. You can look up my existing record with dig TXT +short

IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVgaYb2qaO92yF1DuoSIWybPgiwQ3dfjN1XhzstnEqfi/GroqtN87BrjEr9BGTTiisocbMZOtfErgfCSq+sCjHohEySdngfnxPUqLYqco+Xe3RlESYngKFU9YUUKXE9OcT3dt3v921h1pZ9BJwQ2RyJ+xANYR5DivfRT2gPCdIWwIDAQAB" )  ; ----- DKIM key key1 for

mv key1.private

Add RSAkey reference to KeyTable file in /etc/dkimkeys/rsakeys.table


Add AuthorDomain and RSAKey reference in /etc/dkimkeys/signingdomains.table

* postfixdkim

“*” says that the domain with any local-part should be signed with this key. “postfixdkim” is the reference to the RSA key in the KeyTable.

Connect OpenDKIM to Postfix. Since Postfix runs in a jail environment, it's better to keep OpenDKIM inside the Postfix spool directory as well.

mkdir /var/spool/postfix/opendkim

Update opendkim.sock path to new location in /etc/default/opendkim


Configure opendkim in /etc/postfix/

# Connect OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock

Set up proper permissions.

chown -R opendkim:opendkim /etc/opendkim.conf /etc/dkimkeys
chown opendkim:postfix /var/spool/postfix/opendkim

Restart opendkim and postfix

systemctl restart opendkim.service
systemctl restart postfix.service