====== Exim4 - Setup Exim4 with DKIM ======
A DKIM record is used to validate the actual email itself. This ensures the message wasn’t tampered with even if it did come from a valid mail server.
See [[Bind:Domain Keys Identified Mail (DKIM)|Domain Keys Identified Mail (DKIM)]].
===== Create keys =====
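<code bash>
mkdir /etc/exim4/keys
cd /etc/exim4/keys
# 1024 bits matches the sample key shown below; RFC 8301 recommends at least 2048 bits for new keys
openssl genrsa -out dkim.key 1024
openssl rsa -in dkim.key -out dkim.pub -pubout -outform pem
# Set ownership after the keys exist so that Exim (Debian-exim) can read the private key
chown -R Debian-exim:adm /etc/exim4/keys
chmod 600 /etc/exim4/keys/dkim.key
</code>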
===== Create a DKIM record =====
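A DKIM record such as the following is needed. It is published in DNS as a TXT record under the name mail._domainkey.example.com, where "mail" is the selector set in the transport below and example.com stands for your own domain:
<code>
"v=DKIM1; k=rsa; p=[Your public key]"
</code>
Get your public key:
<code bash>
cat dkim.pub
</code>
returns
<code>
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHKj656cdca3dkJNFw5Lji63O+
R+sZWDdWiHUcwnf40sSEarmShXG8u3o6QwaDAiaVAboIpUDa0I68Lz+aP2Ws9Y5w
tE9jPO57QeGjDdByX6nXrvBgOAyZ072oF70+C3VqkN3zjA1YNuMjP5ugjo6B4sds
DR5MBOcVHc3wNFZ1FwIDAQAB
-----END PUBLIC KEY-----
</code>
Replace the **"p="** section with your own public key, without the BEGIN/END lines and without any line breaks.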
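The conversion described above (strip the BEGIN/END lines, join the base64 lines, publish under the selector) as a shell helper. This is an added example, not part of the original page: the function names are made up here, the selector "mail" and the domain example.com are the ones used on this page, and the splitting into 200-character strings goes beyond the text to cover longer keys, since a single TXT string is limited to 255 bytes.

```shell
#!/bin/sh
# Added example: build the DNS TXT record for a DKIM public key.
# SAMPLE_PEM is the sample public key printed on this page.
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHKj656cdca3dkJNFw5Lji63O+
R+sZWDdWiHUcwnf40sSEarmShXG8u3o6QwaDAiaVAboIpUDa0I68Lz+aP2Ws9Y5w
tE9jPO57QeGjDdByX6nXrvBgOAyZ072oF70+C3VqkN3zjA1YNuMjP5ugjo6B4sds
DR5MBOcVHc3wNFZ1FwIDAQAB
-----END PUBLIC KEY-----'

# pem_to_p: read a PEM public key on stdin and print the bare base64 body
# (no BEGIN/END lines, no line breaks, no whitespace).
pem_to_p() {
    grep -v -e '^-----' | tr -d ' \t\r\n'
}

# dkim_txt_record SELECTOR DOMAIN: read a PEM public key on stdin and print a
# BIND-style zone line. The value is cut into quoted strings of 200 characters;
# DNS clients concatenate the strings of one TXT record.
dkim_txt_record() {
    selector=$1
    domain=$2
    p=$(pem_to_p)
    [ -n "$p" ] || { echo "no key data on stdin" >&2; return 1; }
    # Anything outside the base64 alphabet means the input was not a clean PEM body
    case $p in
        *[!A-Za-z0-9+/=]*) echo "non-base64 data in key" >&2; return 1 ;;
    esac
    chunks=$(printf '%s\n' "v=DKIM1; k=rsa; p=$p" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$selector" "$domain" "$chunks"
}

# Print the record for the sample key under selector "mail"
printf '%s\n' "$SAMPLE_PEM" | dkim_txt_record mail example.com
```

For your own key, pipe the real file in: ''dkim_txt_record mail yourdomain < /etc/exim4/keys/dkim.pub''.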
Now create a new file **/etc/exim4/dkim_vhosts**. Here you list all the virtual hosts and allowed sender addresses in your domains. Each line maps a sender address (or a *@domain wildcard) to the domain used for signing. For example:
<code>
*@sharewiz.net: sharewiz.net
admin@example.com: example.com
</code>
Now edit **/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp**. The entire file should look something like this:
<code>
# The router that hands off remote mail must reference this transport name
remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data = REMOTE_SMTP_HELO_DATA
.endif
  # Signing domain, looked up from the envelope sender address in dkim_vhosts
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_vhosts}}
  # Must match the selector in the DNS record name (mail._domainkey.<domain>)
  dkim_selector = mail
  dkim_private_key = /etc/exim4/keys/dkim.key
  dkim_canon = relaxed
  # false: if signing fails, the message is sent unsigned instead of being deferred
  dkim_strict = false
  #dkim_sign_headers = DKIM_SIGN_HEADERS
</code>
===== Restart Exim4 =====
<code bash>
sudo service exim4 restart
</code>
Now just send a test email; it shouldn't be marked as spam anymore!
**IMPORTANT**: The sender email should be valid; that includes "no-reply" addresses.
===== References =====
[[Bind:Domain Keys Identified Mail (DKIM)|Domain Keys Identified Mail (DKIM)]]