DKIM is a system for cryptographically signing messages and confirming they were sent from a sending server authorized at domain level. A private and public key pair is generated. The private key is used to sign the messages, and the public key is published as a DNS TXT record for the domain name. This allows recipients to electronically verify that mail claiming to be from a domain was actually sent by a server authorized to send mail on behalf of that domain. Implementing DKIM in a mail system increases trust and deliverability.

Setting up Exim to sign outgoing mail under DKIM (DomainKeys Identified Mail) is a reasonably quick and simple task. Assuming you’re using an up-to-date version of Debian with Exim4, the process is even easier.

First, configure your Exim4 system as normal, but make sure that you specify “one large configuration file” rather than “multiple smaller configuration files”. If you already have Exim installed, this command returns you to the basic configuration menu:

dpkg-reconfigure exim4-config

If not, install it with:

apt-get install exim4

Now, come up with a random “selector” – anything you want. Let’s pick 27564764 as an example. Anywhere you see 27564764 used in this tutorial, replace it with your own choice. You now need to generate some keys:

cd /etc/exim4/
openssl genrsa -out dkim.27564764.key 1024
openssl rsa -in dkim.27564764.key -out dkim.27564764.pub -pubout -outform PEM

Now, Exim needs to be configured to sign your outbound messages using your private key. Create or edit the file /etc/exim4/conf.d/main/00_localmacros to include:

DKIM_CANON = relaxed
DKIM_SELECTOR = 27564764
DKIM_PRIVATE_KEY = /etc/exim4/dkim.27564764.key
DKIM_DOMAIN = ${lc:${domain:$h_from:}}

Now run:

update-exim4.conf
/etc/init.d/exim4 stop
/etc/init.d/exim4 start

Lastly, you’ll need to publish your DNS TXT record, including your public key, so your server’s signatures can be verified against your domain. Assuming your domain name is “yourdomain.com”, create a TXT record for the subdomain 27564764._domainkey.yourdomain.com.

Now you’ll need your public key. Your public key is found in /etc/exim4/dkim.27564764.pub. Use only the base64 text between the BEGIN and END lines of that file, joined into a single line. My public key is:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4cQmMa9+Tz5GV7zE640GD/qPxqPUCdWM+L1Pw68t15kKkH7+oeprmgg5SpL0gwGDTXVqU45Mdoz054nlkIj1wyXNi9+x8W7fzXzT2fWlfFjHIrMb0MufvQg4xKpLneQm6migIRvjhxlmtTZxSqeBxP3Ou6Vfd/AlqJ5MXgc1z6wIDAQAB

The value of the TXT record is: “v=DKIM1;p=PUBLIC_KEY”. In my case, that’s:

v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4cQmMa9+Tz5GV7zE640GD/qPxqPUCdWM+L1Pw68t15kKkH7+oeprmgg5SpL0gwGDTXVqU45Mdoz054nlkIj1wyXNi9+x8W7fzXzT2fWlfFjHIrMb0MufvQg4xKpLneQm6migIRvjhxlmtTZxSqeBxP3Ou6Vfd/AlqJ5MXgc1z6wIDAQAB

Once set, you can verify your record:

root@w:/etc/exim4# host -t txt 27564764._domainkey.yourdomain.com
27564764._domainkey.yourdomain.com descriptive text "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4cQmMa9+Tz5GV7zE640GD/qPxqPUCdWM+L1Pw68t15kKkH7+oeprmgg5SpL0gwGDTXVqU45Mdoz054nlkIj1wyXNi9+x8W7fzXzT2fWlfFjHIrMb0MufvQg4xKpLneQm6migIRvjhxlmtTZxSqeBxP3Ou6Vfd/AlqJ5MXgc1z6wIDAQAB"
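
A further check on the published record, as an added example that is not part of the original tutorial: this Python sketch parses the TXT value (including the escaped "\;" form that host prints), decodes the p= key and reports the RSA modulus size and exponent. The function names are illustrative; the record is the one shown above.

```python
import base64

# TXT value published in the tutorial above for selector 27564764.
PAGE_RECORD = (
    "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4cQmMa9+Tz5GV7zE640GD"
    "/qPxqPUCdWM+L1Pw68t15kKkH7+oeprmgg5SpL0gwGDTXVqU45Mdoz054nlkIj1wyXNi9+"
    "x8W7fzXzT2fWlfFjHIrMb0MufvQg4xKpLneQm6migIRvjhxlmtTZxSqeBxP3Ou6Vfd/Alq"
    "J5MXgc1z6wIDAQAB"
)

def parse_tags(txt):
    """Split a DKIM key record into tag=value pairs (RFC 6376 tag-list)."""
    # `host` escapes ';' as '\;' and wraps (possibly several) chunks in quotes.
    txt = txt.replace("\\;", ";").replace('"', "")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos, tag):
    """Read one DER element at pos; return (content_start, content_end)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return pos, pos + length

def rsa_key_info(txt):
    """Return (modulus_bits, public_exponent) for an RSA DKIM key record."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 key record")
    if not tags.get("p"):
        raise ValueError("empty p= tag: key is missing or revoked")
    der = base64.b64decode(tags["p"], validate=True)
    spki, _ = read_tlv(der, 0, 0x30)            # SubjectPublicKeyInfo
    _, alg_end = read_tlv(der, spki, 0x30)      # AlgorithmIdentifier (skipped)
    bits, _ = read_tlv(der, alg_end, 0x03)      # BIT STRING holding the key
    key, _ = read_tlv(der, bits + 1, 0x30)      # +1 skips the unused-bits byte
    n_start, n_end = read_tlv(der, key, 0x02)   # modulus
    e_start, e_end = read_tlv(der, n_end, 0x02) # public exponent
    n = int.from_bytes(der[n_start:n_end], "big")
    return n.bit_length(), int.from_bytes(der[e_start:e_end], "big")
```

For the record above, rsa_key_info(PAGE_RECORD) reports a 1024-bit modulus, which is the minimum RFC 8301 allows for signers; that RFC recommends keys of at least 2048 bits.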

Finally, test your functionality and review further improvements at http://www.mail-tester.com/