Exim4 - Setup Exim4 with DKIM

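DKIM validates the email message itself: the sending server signs each outgoing message with a private key, and receivers verify that signature against the public key published in a DNS record. This ensures the message wasn’t tampered with, even if it did come from a valid mail server.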

See Domain Keys Identified Mail (DKIM).

Create keys

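mkdir /etc/exim4/keys
cd /etc/exim4/keys
# 1024 bits is the minimum RFC 8301 allows; it recommends 2048.
openssl genrsa -out dkim.key 1024
openssl rsa -in dkim.key -out dkim.pub -pubout -outform pem
# Exim runs as Debian-exim and must be able to read the private key.
chown -R Debian-exim:adm /etc/exim4/keys
chmod 600 /etc/exim4/keys/dkim.key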

Create a DKIM record

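A DKIM record such as the following is needed. It is published as a DNS TXT record at mail._domainkey.[your domain], where mail is the dkim_selector set in the transport further down: “v=DKIM1; k=rsa; p=[Your public key]”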

Get your public key:

cat dkim.pub

returns

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHKj656cdca3dkJNFw5Lji63O+
R+sZWDdWiHUcwnf40sSEarmShXG8u3o6QwaDAiaVAboIpUDa0I68Lz+aP2Ws9Y5w
tE9jPO57QeGjDdByX6nXrvBgOAyZ072oF70+C3VqkN3zjA1YNuMjP5ugjo6B4sds
DR5MBOcVHc3wNFZ1FwIDAQAB
-----END PUBLIC KEY-----

Replace the “p=” section with your own public key: only the base64 text between the BEGIN and END lines, without any line breaks.
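
The step above as an added shell example (not part of the original page): it strips the PEM armor and line breaks from a public key file and prints a zone-file TXT record for the selector mail. It goes beyond the page by splitting the value into several quoted strings, which keys longer than 1024 bits need because one TXT string holds at most 255 bytes; the function names and example.com are assumptions.

```shell
#!/bin/sh
# Added example: turn a PEM public key into a DKIM DNS TXT record.

# Strip the PEM armor lines and all whitespace, leaving the bare base64 key.
pem_to_p() {
    grep -v -e '-----' "$1" | tr -d ' \t\r\n'
}

# Usage: dkim_txt_record <selector> <domain> <public-key.pem>
# One DNS character-string holds at most 255 bytes, so the value is cut
# into quoted chunks; DKIM verifiers join them with nothing in between.
dkim_txt_record() {
    selector=$1 domain=$2 pem=$3
    p=$(pem_to_p "$pem")
    [ -n "$p" ] || { echo "no key data in $pem" >&2; return 1; }
    printf '%s._domainkey.%s. IN TXT (' "$selector" "$domain"
    printf '%s\n' "v=DKIM1; k=rsa; p=$p" | fold -w 250 |
        while IFS= read -r chunk; do printf ' "%s"' "$chunk"; done
    printf ' )\n'
}

# Demo on a constructed placeholder (not a real key) so this runs offline.
demo_pem=$(mktemp)
cat > "$demo_pem" <<'EOF'
-----BEGIN PUBLIC KEY-----
UExBQ0VIT0xERVIta2V5LWJvZHktbGluZS0x
UExBQ0VIT0xERVIta2V5LWJvZHktbGluZS0y
-----END PUBLIC KEY-----
EOF
dkim_txt_record mail example.com "$demo_pem"
rm -f "$demo_pem"
```

For the key generated earlier, the call would be dkim_txt_record mail [your domain] /etc/exim4/keys/dkim.pub, and the printed line goes into the DNS zone for that domain.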

Now create a new file, /etc/exim4/dkim_vhosts. In it, list all the virtual hosts and allowed sender addresses in your domains, one per line, as a sender address followed by the domain to sign with. For example:

/etc/exim4/dkim_vhosts
*@sharewiz.net: sharewiz.net
admin@example.com: example.com

Now edit /etc/exim4/conf.d/transport/30_exim4_config_remote_smtp. The entire file should look something like this:

/etc/exim4/conf.d/transport/30_exim4_config_remote_smtp
remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
 
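  # Sign only senders found in dkim_vhosts (exact address, then *@domain, then *);
  # an empty lookup result means the message is sent unsigned.
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_vhosts}}
  dkim_selector = mail
  dkim_private_key = /etc/exim4/keys/dkim.key
  dkim_canon = relaxed
  # false: if signing fails, send the message unsigned instead of deferring it.
  dkim_strict = false
  #dkim_sign_headers = DKIM_SIGN_HEADERS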

Restart Exim4

sudo service exim4 restart

Now send a test email; it shouldn't be marked as spam anymore.

IMPORTANT: The sender email address should be valid; that includes “no-reply” addresses.

References

Domain Keys Identified Mail (DKIM)