Setup exim4 and DKIM

I have set up exim4 to sign outgoing email using DKIM, with the goal of improving deliverability. I have set up exim4 to handle multiple outgoing domains with different keys.

The key to use is chosen based on the domain name of the From header, not the envelope MAIL FROM. This is because I believe DKIM verification uses the From header (https://dmarc.org/wiki/FAQ).

I based my approach on instructions from https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4, but they appeared to be either slightly incorrect or out of date.


Configure exim4

First you need to make up a DKIM selector. This is the part of the domain name that goes on the front of the ._domainkey.example.com DNS entry you’ll later make. I configure one DKIM selector for all of the domains, so I choose one that identifies the box or the entity that owns the box. If you set up DKIM for the same domain on another box with different keys, the selector is what identifies which keys to use.

Say you choose the selector “mydkim”.

If you have split configuration, edit /etc/exim4/conf.d/main/00_exim4-local_options and append the following to the end of that file. If you are not split, edit /etc/exim4/exim4.conf.template and insert the following after the MAIN CONFIGURATION title comment near the top of the file.

# DKIM macros; Debian's remote_smtp transport picks them up via .ifdef
DKIM_CANON = relaxed
DKIM_SELECTOR = mydkim
# Signing domain: the lower-cased domain of the From: header, with a leading "www." stripped
DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
# One key file per signing domain
DKIM_FILE = /etc/exim4/dkim/$dkim_domain.pem
# If no key file exists for the domain, expand to 0 so exim skips signing instead of failing
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

Run update-exim4.conf to update your configuration. Restart exim4 and check that you can still send email. I suggest sending email to another email account, not on your server. Check that /var/log/exim4/paniclog remains empty after successfully sending email.

Congratulations, you’ve successfully set up exim4.

Exim4 will look in /etc/exim4/dkim/DOMAIN.pem for a private key to use to send email with a From address domain of DOMAIN.

Generate DKIM keys

Now you need to generate keys for exim4 to use. In the example below, replace “example.com” with your domain name.

cd /etc/exim4/dkim
# openssl genrsa takes the key size as its last argument and writes PEM by default.
# 1024 bits is the RFC 6376 minimum; a 2048-bit key is stronger but its p= value
# no longer fits in a single 255-byte TXT string and must be split when published.
openssl genrsa -out example.com.pem 1024
openssl rsa -in example.com.pem -out example.com.pub -pubout -outform PEM
# The private key must be readable by the exim user (Debian-exim on Debian) and nobody else.

Don’t send any email yet. Exim4 will start using this private key immediately, and it will sign your email. But you haven’t set up your DNS yet.

Add DKIM public key to your DNS

You need to add your DKIM public key to your domain’s DNS. This is how a remote server can lookup the public key to check the signature your server has added to your email.

Open the example.com.pub file generated above. It will start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----. The lines in between are your public key!

Create a new DNS record on your domain using the DKIM selector you chose above. In my example this is mydkim, so the record we add is for mydkim._domainkey.example.com.

The DNS record type is TXT. You should already have an SPF record of type TXT. If you don’t, google SPF records.

The value of the TXT record starts with:

v=DKIM1; k=rsa; p=

Directly after the last =, paste each line of your public key with no new lines. So it all ends up on one line.

e.g. v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAPUE4hEV7wSh7v9s/NrhbJu7k1/Jqr3Mt7pspT6o7c/Q+GFP1Ko7VA0I12RYB+PeFUE+3i3yu1fsmzGn92GdhKd2nObZbs06Rynm48yVPmzXV2pEptebfOTfAdsJh3rryB0HQnPx+H1gKww1/nUagYlUjktBL7sRDGdjNqTIxYwIDAQAB

Save that DNS record.

If you want to verify that it worked, try this command-line tool:

dig txt mydkim._domainkey.example.com

Of course you probably need to wait for your DNS to update. If you know the primary DNS server for your domain, try querying that directly if you’re impatient.
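The two manual steps above, turning the .pub file into the p= value and checking that what dig returns matches the key on disk, as an added example that is not part of the original post. The sample key is the p= value shown above wrapped back into PEM form; the record splitting goes beyond the post by handling keys whose value exceeds one 255-byte TXT string.

```python
import base64
import re

# Constructed sample: the p= value from this post, wrapped as
# "openssl rsa -pubout" writes example.com.pub.
SAMPLE_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAPUE4hEV7wSh7v9s/NrhbJu7k
1/Jqr3Mt7pspT6o7c/Q+GFP1Ko7VA0I12RYB+PeFUE+3i3yu1fsmzGn92GdhKd2n
ObZbs06Rynm48yVPmzXV2pEptebfOTfAdsJh3rryB0HQnPx+H1gKww1/nUagYlUj
ktBL7sRDGdjNqTIxYwIDAQAB
-----END PUBLIC KEY-----
"""


def pem_to_p(pem: str) -> str:
    """Strip the PEM armour and join the base64 lines into the DKIM p= value."""
    lines = [line.strip() for line in pem.splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    p = "".join(body)
    base64.b64decode(p, validate=True)  # raise on a mangled paste
    return p


def dkim_txt_record(pem: str, max_chunk: int = 255) -> str:
    """Zone-file TXT value for SELECTOR._domainkey.DOMAIN.

    A 1024-bit key fits in one 255-byte string; longer keys are split into
    several quoted strings, which resolvers concatenate when verifying.
    """
    value = "v=DKIM1; k=rsa; p=" + pem_to_p(pem)
    chunks = [value[i:i + max_chunk] for i in range(0, len(value), max_chunk)]
    return " ".join(f'"{c}"' for c in chunks)


def parse_dkim_txt(strings) -> dict:
    """Parse the tag=value list from the TXT strings a resolver returned."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # FWS inside p= is allowed
    return tags


def dns_matches_local_key(strings, pem: str) -> bool:
    """True if the published record carries exactly the public key in the .pub file."""
    tags = parse_dkim_txt(strings)
    return (tags.get("v") == "DKIM1"
            and tags.get("k", "rsa") == "rsa"   # k defaults to rsa
            and tags.get("p") == pem_to_p(pem))
```

Feed dns_matches_local_key the quoted strings from the dig answer to confirm the record you saved is the key exim is signing with.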

Testing

Now exim4 is signing your email, and you’ve setup your domain, so it’s time to send a test email.

Send an email to [email protected] and in a few seconds you’ll receive an email back summarising the findings about your email. With luck you’ll have passed the DKIM check. If the DKIM check failed, scroll down to read why. If it is because the _domainkey subdomain we added doesn’t exist, perhaps you need to wait a little longer for the DNS to propagate. Check though that it reports the same subdomain that you added! This will confirm that you have set your DKIM selector correctly.

Now send an email to yourself on another email server, e.g. a gmail address. Check that the received email contains a Dkim-Signature header. That’s the magic bit.

Adding additional domains

When you want to add DKIM signing for additional domains, repeat the Generate DKIM keys, Add DKIM public key to your DNS and Testing steps. You don’t need to configure exim4 again, as it’s set up for as many domains as you like.
