
I have an email server that is working perfectly.

However, more and more other email servers are getting strict about DKIM signing and DMARC records so I guess I need to finally set that up ...

I am running a bind9 DNS server (works perfectly) and a sendmail mailserver (works perfectly).

As long as I can create the keys, is there a way to implement DKIM signing (and DMARC, etc.) without running another server daemon? I don't understand why I need to run the opendkim server daemon ...

All I am doing is adding a text blob to my emails - why is sendmail not sufficient to do that?

Thank you.


1 Answer

A DKIM signature isn't just "a text blob": it has to be cryptographically calculated using a private key over the headers and body that are signed with it. Also, OpenDKIM isn't just for adding those signatures, but for validating them, too. To be more exact, OpenDKIM implements RFC 6376, RFC 5617, RFC 5518, RFC 6541 and an asynchronous DNS resolver that better fits its purposes.

If you take a look at the opendkim.org page you'll notice that historically OpenDKIM is exactly how Sendmail has decided to implement the DKIM features:

OpenDKIM is a community effort to develop and maintain a C library for producing DKIM-aware applications and an open source milter for providing DKIM service.

The project started from a code fork of version 2.8.3 of the open source dkim-milter package developed and maintained by Sendmail, Inc.

This is actually a better choice than bundling it as a feature in Sendmail, as

  • not everyone running Sendmail needs DKIM and the added complexity: some Sendmail installations aren't even globally functioning MTAs.
  • as a library and a milter other software can use the same features without reinventing the wheel. E.g. Postfix supports the milter protocol.
  • Thank you - that's helpful. Am I correct that the opendkim server does not open any ports, or talk on the network at all? That would make me feel a bit better ... I also wonder, if I have sendmail running in a jail and bind9 running in a jail, I assume opendkim should run in the sendmail jail, right? bind9 can run in its own server without opendkim, right? – user227963 Jun 05 '20 at 06:02
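To make the answer's point concrete (a DKIM-Signature is a computed value, not a static blob, and a verifier recomputes it from the message), here is an added, self-contained Go example that is not part of the original thread and not OpenDKIM's or Sendmail's code. It uses only the Go standard library and implements a minimal subset of RFC 6376: "simple/simple" canonicalization, rsa-sha256, a constructed sample message, an example domain and selector, and no handling of folded header lines. It signs the message, prints the TXT record the asker would publish in bind9 under `<selector>._domainkey.<domain>`, then verifies the signature and shows that a one-character change to the body or a signed header makes verification fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample message with CRLF line endings, as it would be on the wire.
const sampleMessage = "From: alice@example.com\r\n" +
	"To: bob@example.org\r\n" +
	"Subject: Hello\r\n" +
	"\r\n" +
	"Hi Bob,\r\nthis is a test.\r\n\r\n\r\n"

// generateKey creates the signing key (2048-bit RSA is a common DKIM size).
func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// splitMessage separates the header block from the body at the first blank line.
// Assumption: no folded (multi-line) header fields in the input.
func splitMessage(msg string) (headers []string, body string) {
	parts := strings.SplitN(msg, "\r\n\r\n", 2)
	headers = strings.Split(parts[0], "\r\n")
	if len(parts) == 2 {
		body = parts[1]
	}
	return headers, body
}

// simpleBody is RFC 6376 "simple" body canonicalization: drop trailing empty
// lines, then make sure the body ends with exactly one CRLF.
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// findHeader returns the first header line with the given name (case-insensitive).
func findHeader(headers []string, name string) (string, bool) {
	for _, h := range headers {
		if i := strings.Index(h, ":"); i > 0 && strings.EqualFold(h[:i], name) {
			return h, true
		}
	}
	return "", false
}

// headerHash produces the digest that is actually signed: each header named in
// h=, in that order, followed by CRLF, then the DKIM-Signature field itself with
// an empty b= tag and no trailing CRLF ("simple" header canonicalization).
func headerHash(headers []string, signed []string, dkimValue string) ([]byte, error) {
	var buf strings.Builder
	for _, name := range signed {
		h, ok := findHeader(headers, name)
		if !ok {
			return nil, errors.New("missing signed header: " + name)
		}
		buf.WriteString(h + "\r\n")
	}
	cut := strings.LastIndex(dkimValue, "; b=") + len("; b=") // keep "b=", drop its value
	buf.WriteString("DKIM-Signature: " + dkimValue[:cut])
	sum := sha256.Sum256([]byte(buf.String()))
	return sum[:], nil
}

// parseTags splits "k=v; k=v" into a map (base64 '=' padding is preserved by SplitN).
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	return tags
}

// signMessage returns the value of the DKIM-Signature header for msg.
func signMessage(key *rsa.PrivateKey, msg, domain, selector string, signed []string) (string, error) {
	headers, body := splitMessage(msg)
	bh := sha256.Sum256([]byte(simpleBody(body))) // body hash goes into bh=
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	digest, err := headerHash(headers, signed, unsigned)
	if err != nil {
		return "", err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest) // RSASSA-PKCS1-v1_5 per RFC 6376
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// verifyMessage does what a receiving MTA does: recompute bh=, rebuild the
// header digest, and check b= against the public key fetched from DNS.
func verifyMessage(pub *rsa.PublicKey, msg, dkimValue string) bool {
	headers, body := splitMessage(msg)
	tags := parseTags(dkimValue)
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if tags["bh"] != base64.StdEncoding.EncodeToString(bh[:]) {
		return false
	}
	digest, err := headerHash(headers, strings.Split(tags["h"], ":"), dkimValue)
	if err != nil {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

// dnsRecord is the TXT value published at <selector>._domainkey.<domain>.
func dnsRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

func main() {
	key, err := generateKey()
	if err != nil {
		panic(err)
	}
	sigValue, err := signMessage(key, sampleMessage, "example.com", "sel2020", []string{"From", "To", "Subject"})
	if err != nil {
		panic(err)
	}
	txt, _ := dnsRecord(&key.PublicKey)
	fmt.Println("DKIM-Signature:", sigValue)
	fmt.Println("sel2020._domainkey.example.com. IN TXT", txt)
	fmt.Println("original verifies:", verifyMessage(&key.PublicKey, sampleMessage, sigValue))
	fmt.Println("tampered verifies:", verifyMessage(&key.PublicKey, strings.Replace(sampleMessage, "test", "TEST", 1), sigValue))
}
```

Note the three things a plain "text blob" could never give the receiver: the body hash binds the signature to the content, the header hash binds it to the From/To/Subject lines named in h=, and the RSA operation binds both to a key whose public half is only obtainable from the sending domain's DNS. This is also why a milter rather than a static sendmail rule is needed: the value depends on every message, and a real implementation (OpenDKIM) additionally handles relaxed canonicalization, folded headers, key lookup and the verification side.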