Add a new sender domain to an existing POSTFIX mail server – a step by step guide

In this guide we will add, step by step, a new sender domain to an existing POSTFIX mail server. Say your existing server is sending emails on behalf of domain [the manual to set up such a mail server is here], and you want to add a new sender server:

Edit the signing table /etc/opendkim/signing.table with your favorite editor:

sudo nano /etc/opendkim/signing.table

And add to it the following line:


Save the file and move on to editing the key.table file at /etc/opendkim/key.table:

sudo nano /etc/opendkim/key.table

and fill the contents with the following:

Save and exit that file, and finally open the trusted.hosts file at /etc/opendkim/trusted.hosts:

sudo nano /etc/opendkim/trusted.hosts

and add the following line at the end of it:


Since we have a list of domains on that server, it should look like this:


We now need to generate a private key to sign outgoing emails and a public key for receiving SMTP servers to verify the DKIM signature. The public key will be published in the DNS settings for your domain(s). Perform the following for each domain you wish to send on behalf of:

Create a separate folder for the domain you want to generate keys for (replacing with your domain):

sudo mkdir /etc/opendkim/keys/

Then generate the keys for the new domain using:


sudo opendkim-genkey -b 2048 -d -D /etc/opendkim/keys/ -s sendonly -v 

sudo chown opendkim:opendkim /etc/opendkim/keys/

Note that sendonly is still the selector here. This will be the prefix of _domainkey in our DNS record. Now display the public key and make sure to add it to the DNS record:

sudo cat /etc/opendkim/keys/

This will print an unholy amount of unnecessary information, as our domain provider Namecheap manages the formatting for us. It gives an output like the following:

sendonly._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " 
eRCdP0ZZ1+W5KJ8usIuyLeVSiOUCH+COAo5sKVergj3UgN8279thgsiX+Wi86QOQIDAQAB" ) ; ----- DKIM key sendonly for

In the above example, we see that we need to set a TXT record in our DNS settings for the domain with the host of sendonly._domainkey and the value then needs to be formatted like the following:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwVVC8RGSynFIN18JekVJlstZifu1BZG85y8F4Ir/IJ5Uvmjk3kTG0fFpckCogWFUYKtWonnDpokdJ2RiH5xZGQ56/C6D6Ms3wkkuL4n472DkJLXEHwOkv44acF7eA9sBm+lM+T4OHsKmopfmpTf2Kv20WmgCGZO46w+14eRmGWz7yr94OwF6a8Pyxdz5mGheOItnywLHgM8OoTxkFqwruvVP0X/RKNh/ehDBZRk3fW0I5MD+iHT2+sReNH4jjQRiMp6weVvn3FDo3UdpwKAGZseRCdP0ZZ1+W5KJ8usIuyLeVSiOUCH+COAo5sKVergj3UgN8279thgsiX+Wi86QOQIDAQAB


To export the TXT record you can use:

sudo cat /etc/opendkim/keys/ >> new-server.txt

Notice how the value of the DNS record was the text between the brackets ( ) but with quotation marks removed and the line breaks removed as well. Once this has been set in the DNS record for the domain, you should be able to test that the key is properly set with the command:

sudo opendkim-testkey -d -s sendonly -vvv

Note that you may have to wait for the DNS records to propagate beforehand (set your TTL for the TXT record to 1min if you want it done quickly). If you see a "key not secure" message, don’t panic. This is because DNSSEC isn’t enabled on the domain name.
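The flattening rule described above (keep the text between the parentheses, drop the quotation marks and line breaks) can be scripted so the value is not hand-edited. This is an added example, not part of the original guide; the function names, the example.com domain and the filler key in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn opendkim-genkey output into the one-line TXT value.

# stdin: contents of the <selector>.txt file; stdout: TXT record value.
dkim_txt_value() {
    # Join the lines, keep what is inside ( ), pull out each quoted chunk,
    # then drop the quotes so the chunks concatenate into one string.
    tr -d '\r\n' \
        | sed -e 's/^[^(]*(//' -e 's/)[^)]*$//' \
        | grep -o '"[^"]*"' \
        | tr -d '"\n'
}

# Return 0 only if the value is fit to paste into the DNS panel.
dkim_txt_ok() {
    case $1 in "v=DKIM1; "*"p="*) ;; *) return 1 ;; esac
    p=${1#*p=}                       # everything after the p= tag name
    # Leftover quotes, spaces or parentheses mean the flattening went wrong.
    case $p in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    # A 2048-bit RSA key (-b 2048) is 392 base64 characters; shorter
    # means the value was cut off when copying.
    [ "${#p}" -ge 392 ]
}

# Constructed sample in the layout opendkim-genkey writes. The key is filler
# (A's and B's), not a real key; example.com is a placeholder domain.
sample_genkey_output() {
    c1=$(printf '%0200d' 0 | tr 0 A)
    c2=$(printf '%0192d' 0 | tr 0 B)
    printf 'sendonly._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    printf '\t  "p=%s"\n' "$c1"
    printf '\t  "%s" )  ; ----- DKIM key sendonly for example.com\n' "$c2"
}

value=$(sample_genkey_output | dkim_txt_value)
if dkim_txt_ok "$value"; then
    printf '%s\n' "$value"
else
    echo "TXT value is malformed or truncated" >&2
fi
```

To use it on a real key, feed the generated .txt file to dkim_txt_value on stdin instead of the sample.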

Setting up DMARC record

To set the DMARC record, enter the following as the value for a TXT record into your DNS settings for your domain:

v=DMARC1; p=quarantine

With the host as _dmarc.


Setting up SPF record

If you want to send email as another domain or subdomain, say or, you’ll need to let know that you are going to be sending mail as but from This is done using an SPF record for that specifies the IP address and hostname that the host of In the case of to be the sender for other domains:

Set TXT record with host @ and value:

v=spf1 ip4:111.222.333.444 ip4:555.666.777.888 ~all


Now restart opendkim, Postfix and Dovecot with:

sudo systemctl restart opendkim postfix
sudo systemctl restart dovecot

Finally, test sending with the swaks tool (it should be installed if you followed the setup guide). Send an email to yourself using:

swaks --to --from --server localhost

Once you have received the email, view its source to see the security level of the mail.

Note: if you plan to accept emails for this domain (inbound emails) – you need to add this domain to virtual_alias_domains in /etc/postfix/
