DKIM-checking requires no additional software to be installed, but it does have a slightly complex configuration.
Edit /etc/exim4/conf.d/acl/00_exim4-config_header, adding the following to the start of the file:
    acl_smtp_dkim = acl_check_dkim
All being well this will then be the complete contents:
    acl_smtp_dkim = acl_check_dkim

    ######################################################################
    #                       ACL CONFIGURATION                            #
    #         Specifies access control lists for incoming SMTP mail      #
    ######################################################################

    begin acl
After this create the file /etc/exim4/conf.d/acl/10_local_dkim_check, with this content:
    acl_check_dkim:

        # Deny failures
        deny
            dkim_status = fail
            logwrite = DKIM test failed: $dkim_verify_reason
            add_header = X-DKIM: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.

        # Deny invalid signatures
        deny
            dkim_status = invalid
            add_header = X-DKIM: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
            logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.

        # Accept valid/passed sigs
        accept
            dkim_status = pass
            logwrite = DKIM test passed
            add_header = X-DKIM: DKIM passed: (address=$sender_address domain=$dkim_cur_signer), signature is good.

        # And anything else.
        accept

NOTE: Incoming emails will have a new header, X-DKIM, added to them.
Restart exim4.
    update-exim4.conf
    service exim4 restart

Log entries will look like this:

    ..
    2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM: d=googlemail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
    2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM test passed
    2015-08-02 19:34:06 1ZLy5G-0001rA-Lh <= john@googlemail.com ..
    ..
Logging will end up in the mailserver logfile (/var/log/exim4/mainlog).
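One way to audit those log entries, added here as an example and not part of the original page: the script classifies the logwrite messages written by the ACL above, checking the "signature is invalid" message first because it also begins with "DKIM test passed" and a plain grep would count it as a pass. The sample log is constructed; its second and third message ids, the address and the reason value are made up.

```python
import re
from collections import Counter

# Constructed sample in the mainlog format shown above. Only the first three
# lines come from the page; the other ids, address and reason are made up.
SAMPLE_LOG = """\
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM: d=googlemail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM test passed
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh <= john@googlemail.com
2015-08-02 19:40:11 1ZLyB9-0001sK-2b DKIM test failed: bodyhash_mismatch
2015-08-02 19:41:30 1ZLyCQ-0001tX-7c DKIM test passed (address=bob@example.org domain=example.org), but signature is invalid.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def classify(message):
    """Map one logwrite message from acl_check_dkim to a verdict, or None."""
    if message.startswith("DKIM test failed:"):
        return "fail"
    # The 'invalid' branch also starts with "DKIM test passed": test it first.
    if message.startswith("DKIM test passed") and "signature is invalid" in message:
        return "invalid"
    if message == "DKIM test passed":
        return "pass"
    return None

def dkim_verdicts(log_text):
    """Return {message_id: [verdicts]} for messages with a DKIM logwrite."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        verdict = classify(m.group(3)) if m else None
        if verdict:
            verdicts.setdefault(m.group(2), []).append(verdict)
    return verdicts

def summary(log_text):
    """Count verdicts across all signatures seen in the log."""
    return Counter(v for vs in dkim_verdicts(log_text).values() for v in vs)

def naive_pass_count(log_text):
    """What grepping for 'DKIM test passed' would report."""
    return sum("DKIM test passed" in line for line in log_text.splitlines())

if __name__ == "__main__":
    print(dict(summary(SAMPLE_LOG)))
    print("naive grep count:", naive_pass_count(SAMPLE_LOG))
```

To run it against the real log, pass the contents of /var/log/exim4/mainlog to summary() instead of SAMPLE_LOG.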