16 May 2013, 11:47

How to configure DKIM on exim

DKIM (DomainKeys Identified Mail, not to be confused with DomainKeys) is a method for associating a domain name to an email message, allowing a person or organization to claim some responsibility for the message. By using a digital signature, the recipient can check if an email actually originated from a certain domain; this can be useful to prevent phishing and spam.

If you are running an exim4 instance as an SMTP server for your domain, you can configure DKIM signing of your outgoing email in four easy steps. This guide is based on Debian, but it should not vary much on other distributions.

First, generate a private/public key pair for exim to use, and keep the private key secure.

$ mkdir -p /etc/exim4/dkim
$ chown Debian-exim:Debian-exim /etc/exim4/dkim/
$ chmod 500 /etc/exim4/dkim/
$ openssl genrsa -out /etc/exim4/dkim/yourdomain.com.private.key 2048
$ openssl rsa -in /etc/exim4/dkim/yourdomain.com.private.key -pubout

The last command prints your public key; copy it somewhere handy, as you will need it soon.

Once the keys are ready, you need to create a TXT record on your domain's nameservers. Choose a simple word (like exim, mail or key) to use as the selector; I chose exim in this example:

exim._domainkey TXT "v=DKIM1; k=rsa; p=<your public key here, all in one line>"

For example, Google's TXT record for googlegroups.com uses the selector 20120806 and looks like this:

20120806._domainkey.googlegroups.com. 3600 IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb2fhKQxJYmlF+PNnOExrd8kRMlV2b/GBb1mw4vpTGDVS8wD+6k8TEXSSsaS2B4uOrOfKBWBb6lMVbVmi/zy3Jc+YP5XkEt09UtXm4HWeAqgu0arqCmjH6yhbUGlPipIqVQMmWy5jnWJsHioAAN8G5S5t5qrCRzxv7ntDOOUhwEPCIIrfncOgBzF4XdJPiuanUNOX5Jw5Q2H3wcOmBTKQ3t0ETvPYK/cqpe7rJ+4L06+QKE2kk/WDuHuxtSZbZUo2U6kM56CGxdvBiNRfPLoMFnMddCQqXYJsJZJHfwBnLQxFwbkZS0idkSWLf8AUKbB0lVWQe4+F0M1CeOj8YimmQIDAQAB"

On most DNS Managers, you can enter exim._domainkey as the name and the string in quotes as the value.

Once the public key is available in DNS, configure exim to sign outgoing email: open /etc/exim4/conf.d/transport/10_exim4-config_transport-macros with your favorite editor and add the following (use the same selector you used in the DNS record):

DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/dkim/yourdomain.com.private.key
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_SELECTOR = exim

You can now restart exim and test your DKIM signature by sending an email to check-auth at verifier.port25.com.
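Before relying on the port25 test, it is worth checking that the record you published is exactly the flattened public key from step one; this is added example code, not part of the original post. It also handles a detail the single-line notation above hides: a TXT string holds at most 255 bytes, so a 2048-bit key must be published as several quoted strings, which dig prints side by side and verifiers concatenate. The key material is the public key from the Google record quoted above, rewrapped as PEM for illustration.

```python
import base64, re

# Public key rebuilt (for illustration) from the p= value of the Google record quoted above,
# wrapped the way `openssl rsa -pubout` prints it.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb2fhKQxJYmlF+PNnOEx
rd8kRMlV2b/GBb1mw4vpTGDVS8wD+6k8TEXSSsaS2B4uOrOfKBWBb6lMVbVmi/zy
3Jc+YP5XkEt09UtXm4HWeAqgu0arqCmjH6yhbUGlPipIqVQMmWy5jnWJsHioAAN8
G5S5t5qrCRzxv7ntDOOUhwEPCIIrfncOgBzF4XdJPiuanUNOX5Jw5Q2H3wcOmBTK
Q3t0ETvPYK/cqpe7rJ+4L06+QKE2kk/WDuHuxtSZbZUo2U6kM56CGxdvBiNRfPLo
MFnMddCQqXYJsJZJHfwBnLQxFwbkZS0idkSWLf8AUKbB0lVWQe4+F0M1CeOj8Yim
mQIDAQAB
-----END PUBLIC KEY-----"""

def pem_to_dkim_p(pem: str) -> str:
    """Strip the PEM armour and join the lines: this is the 'all in one line' p= value."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # raises if the key got mangled while copying
    if der[:2] != b"\x30\x82":                    # a SubjectPublicKeyInfo starts with a DER SEQUENCE
        raise ValueError("not a DER-encoded public key")
    return body

def dkim_zone_record(selector: str, pem: str) -> str:
    """Zone-file line for the record, split into <=255-byte quoted strings (a 2048-bit key
    alone is 392 characters); verifiers concatenate the strings (RFC 6376)."""
    value = f"v=DKIM1; k=rsa; p={pem_to_dkim_p(pem)}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{c}"' for c in chunks)

def parse_dkim_record(rdata: str) -> dict:
    """Parse the RDATA as `dig TXT` prints it: quoted strings are concatenated, then split
    into tag=value pairs. v= is optional (Google's record above omits it)."""
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    value = "".join(strings) if strings else rdata
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s", "", v)  # whitespace inside a value is ignored
    return tags

def published_key_matches(rdata: str, pem: str) -> bool:
    """The check to run before trusting the setup: is the key in DNS the one exim signs with?"""
    tags = parse_dkim_record(rdata)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    return tags.get("p") == pem_to_dkim_p(pem)
```

Feed `published_key_matches` the line that `dig TXT exim._domainkey.yourdomain.com` prints and the PEM from `openssl rsa -pubout`; a False here means the signature will fail verification no matter how exim is configured.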

Hat tip to pienso luego insisto for the easy-to-follow guide in Spanish I used when doing this the first time.