OpenDKIM (2.6)

The default expectation here is to use DKIM software only for signing. Spamassassin has its own DKIM verifier, and it is much less headache-inducing to simply let it take care of it.

Generate DKIM key
mkdir /etc/dkim_keys chgrp opendkim /etc/dkim_keys/ chmod 750 /etc/dkim_keys/ cd /etc/dkim_keys/ opendkim-genkey -b 1152 -s whateverselectorname

Choose selector as desired. 1152 bits is about as much as can meaningfully fit inside a single TXT field.

Remove spaces and k=rsa from the selectorname.txt file, so it looks like:
 * v=DKIM1;p=giantstring==

There is room for additional options, but it's largely unnecessary

/etc/opendkim.conf
Syslog                 yes SyslogFacility         LOCAL1 UMask                  007
 * 1) Log to syslog
 * 1) If you run even a modest mailserver, the mailing logs get -immense-.
 * 2) I like to split them up accordingly.
 * 1) Required to use local socket with MTAs that access the socket as a non-
 * 2) privileged user (e.g. Postfix)
 * 3) With 007, we add postfix to opendkim's group so it can access the socket

Domain                 example.com,example.net KeyFile                /etc/dkim_keys/whateveridentifier.private Selector               whateveridentifier
 * 1) Domain is a dataset, which if just a string is a comma-separated list.
 * 2) opendkim is unfortunately not compiled with MySQL support by default in
 * 3) Debian, else I'd use that.
 * 1) There is little reason to have more than one key/selector per connected
 * 2) mail network, it just creates a hassle in my opinion.
 * 3) It is possible if you actually need to, however.
 * 1) Using years seems a common convention for selectors.

Canonicalization       relaxed Mode                   s SignatureAlgorithm      rsa-sha256 AutoRestart            yes AutoRestartRate        2/1m
 * 1) Relaxed basically ignores whitespace. Seems lots of things like to play
 * 2) with said whitespace especially in the header, so relaxed/relaxed or
 * 3) relaxed/simple is best.
 * 1) Sign only. Verification is spamassassin's job.
 * 1) Don't turn on autorestart without specifying a rate or limit.

OversignHeaders        From
 * 1) Always oversign From (sign using actual From and a null From to prevent
 * 2) malicious signatures header fields (From and/or others) between the signer
 * 3) and the verifier.  From is oversigned by default in the Debian package
 * 4) because it is often the identity key used by reputation systems and thus
 * 5) somewhat security sensitive.

Final Steps
Don't forget to restart.

/etc/init.d/opendkim restart

The remaining configuration is done in the MTA.