When setting up DKIM with OpenDKIM and Postfix, everything might appear functional - emails get signed, DNS records validate, yet the opendkim-testkey
tool stubbornly reports "key not secure". Here's what's really happening under the hood.
```shell
# Debug output from problematic setup
opendkim-testkey -d example.com -s selector -vvv
opendkim-testkey: key not secure
opendkim-testkey: key OK
```
Many forum posts incorrectly attribute this warning solely to missing DNSSEC. While DNSSEC does affect key security validation, the warning frequently persists even with properly configured DNSSEC (as verified by tools like DNSViz).
The filesystem permissions you've set (`600` for keys, `700` for the directory) are correct at first glance:

```
drwx------ 2 opendkim opendkim 4096 Jan 1 07:18 /etc/opendkim/keys/
-rw------- 1 opendkim opendkim 1675 Dec 30 08:45 dkim-rsa-private.key
```
However, OpenDKIM performs additional security checks:
- World-writable parent directories
- SELinux contexts on RHEL systems
- Key strength validation (RSA-2048 minimum recommended)
Add these checks to your diagnostic routine:
```shell
# Check directory inheritance (permissions of every path component)
namei -l /etc/opendkim/keys/dkim-rsa-private.key
# Verify SELinux context (RHEL/CentOS)
ls -Z /etc/opendkim/keys/
# Test key strength (prints the RSA modulus size in bits)
openssl rsa -in /etc/opendkim/keys/dkim-rsa-private.key -text -noout | grep "Private-Key"
```
In your `/etc/opendkim.conf`, explicitly set security parameters:

```
UMask 007
KeyFile /etc/opendkim/keys/%{s}.key
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /var/run/opendkim/opendkim.pid
UserID opendkim:opendkim
```
Even with DNSSEC enabled at your registrar, ensure recursive resolvers validate it:
```shell
dig +dnssec example.com TXT | grep ad
# Look for the "ad" flag in the response header
```
For Cloudflare users, their DNS proxy breaks DNSSEC validation. Consider this temporary workaround in `opendkim.conf`:

```
DisableNotifications yes
IgnoreSignatureTimestamps yes
```
When setting up DKIM with OpenDKIM and Postfix, many administrators encounter the perplexing warning:
```
opendkim-testkey: key not secure
opendkim-testkey: key OK
```
Despite having DNSSEC properly enabled (as verified by DNSViz) and correct file permissions:
```
drwx------ 2 opendkim opendkim 4096 Jan 1 07:18 /etc/opendkim/keys/
-rw------- 1 opendkim opendkim 1675 Dec 30 08:45 dkim-rsa-private.key
```
This warning typically appears due to one of these scenarios:
- The DNS resolver used by OpenDKIM isn't DNSSEC-aware
- Local DNS cache poisoning (even with DNSSEC enabled)
- Missing or misconfigured Trust Anchor in the resolver
First, confirm DNSSEC validation is working properly with these diagnostic commands:
```shell
# Check DNSSEC validation with dig
dig +dnssec domain.eu SOA | grep ad
# Alternative method using delv (DNS lookup validator)
delv +vtrace domain.eu
```
You should see "ad" flag (authenticated data) in the response headers or successful validation messages from delv.
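The two `dig ... | grep ad` checks above (here and in the earlier section) match the substring "ad" anywhere in the output, including inside the base64 key data, so they can report success when the resolver never set the AD bit. The following added example (not part of the original post) parses the header flags line properly and also splits the selector's TXT record into its DKIM tags; the `dig` output, domain, selector and key bytes are constructed placeholders.

```python
import re

# Constructed sample output of `dig +dnssec <selector>._domainkey.<domain> TXT`
# (placeholder domain, selector and key data; not real records).
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
selector._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqplaceholder"
selector._domainkey.example.com. 300 IN RRSIG TXT 13 3 300 20250101000000 20241201000000 12345 example.com. sigplaceholder==
"""
# Same record from a resolver that did not validate: no "ad" flag, but the key
# data happens to contain the letters "ad", which is enough to fool `grep ad`.
UNVALIDATED = VALIDATED.replace("qr rd ra ad;", "qr rd ra;").replace("placeholder", "badplaceholder", 1)

def has_ad_flag(dig_output: str) -> bool:
    """True only if the header flags line carries the AD (authenticated data) bit."""
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = line[len(";; flags:"):].split(";", 1)[0].split()
            return "ad" in flags
    return False

def naive_grep_ad(dig_output: str) -> bool:
    """What `dig ... | grep ad` actually tests: the substring anywhere in the output."""
    return "ad" in dig_output

def parse_dkim_txt(dig_output: str) -> dict:
    """Join the quoted TXT strings of the answer and split them into DKIM tag=value pairs."""
    for line in dig_output.splitlines():
        if " IN TXT " in line:
            rdata = "".join(re.findall(r'"([^"]*)"', line))
            return {k.strip(): v.strip() for k, v in
                    (t.split("=", 1) for t in rdata.split(";") if "=" in t)}
    return {}

def check_record(dig_output: str) -> dict:
    """Report DNSSEC status plus the basic record sanity checks a verifier applies."""
    tags = parse_dkim_txt(dig_output)
    problems = []
    if not has_ad_flag(dig_output):
        problems.append("resolver did not set AD: key is DNSSEC-insecure ('key not secure')")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type {tags.get('k')}")
    if not tags.get("p"):
        problems.append("empty p tag: key is revoked or the record is malformed")
    return {"dnssec_validated": has_ad_flag(dig_output), "tags": tags, "problems": problems}
```

Feed it real `dig +dnssec` output captured from the resolver OpenDKIM actually uses; an empty `problems` list is the state in which `opendkim-testkey` stops reporting "key not secure".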
Edit your `/etc/opendkim.conf` to specify a DNSSEC-capable resolver:

```
# Nameservers is the opendkim.conf directive that takes a list of resolver IP addresses;
# ResolverConfiguration passes library-specific data to the resolver and does not take addresses
Nameservers 8.8.8.8,8.8.4.4
# Or use your local unbound resolver if configured for DNSSEC
# Nameservers 127.0.0.1
# libunbound validates DNSSEC itself and therefore needs a trust anchor
TrustAnchorFile /var/lib/unbound/root.key
```
Force test with DNSSEC validation using:
```shell
opendkim-testkey -d domain.eu -s dkim-domain -D -l
```

Here `-D` enables DNSSEC checking and `-l` logs the validation process.
If using a local resolver, ensure trust anchors are properly configured. For unbound:
```
# /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-override-date: -1
```
Create a test script to isolate the issue:
```bash
#!/bin/bash
set -u
DOMAIN="domain.eu"
SELECTOR="dkim-domain"
RECORD="${SELECTOR}._domainkey.${DOMAIN}"
echo "Testing DNS resolution..."
dig +short "$RECORD" TXT
echo "Testing DNSSEC validation..."
delv "$RECORD" TXT
echo "Testing OpenDKIM validation..."
opendkim-testkey -d "$DOMAIN" -s "$SELECTOR" -vvv
```
After making changes, verify with:
```shell
systemctl restart opendkim
opendkim-testkey -d domain.eu -s dkim-domain -vvv
```
The warning might still appear if your resolver doesn't fully support DNSSEC, but emails will still be properly signed and verified.