DKIM on Multiple Domains With Exim4

DomainKeys Identified Mail (DKIM) is an important email authentication system. Here's how we got signing for multiple domains working on one server running the Exim4 mailer.


First off, we're going to assume that you've already set up Exim4 on your server and have already done the general configuration for it. It should be working and ready to go. We'll get DKIM set up so that we can send signed email from multiple domains, each signed with its own domain's key.

Getting DKIM set up

Let’s get our keys generated.

# Make your DKIM directory (these commands need root)
$ mkdir /etc/exim4/dkim

# Head on inside that directory
$ cd /etc/exim4/dkim

# Generate the private key. Change obstance.com.pem to one of your domain names.
# Repeat this step for each domain name.
# 1024 bits is the smallest key size verifiers must accept; 2048 bits is the
# size recommended today (RFC 8301) and works the same way.
$ openssl genrsa -out obstance.com.pem 1024

# Generate the public key by extracting it from the private key.
# Repeat this step for each domain name.
$ openssl rsa -in obstance.com.pem -pubout > obstance.com.pub

# Set the permissions so only the Exim user (and root) can read the private keys
$ chown -R Debian-exim:Debian-exim /etc/exim4/dkim/
$ chmod 640 /etc/exim4/dkim/*

Remember to repeat the process of generating private/public keys for each of your domain names. Now open up /etc/exim4/exim4.conf.template (this is the file to edit if you're not using the split configuration in Exim4; you chose this during the initial set-up). If you are using the split config, open /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp instead. Find the line below:

#####################################################
### end transport/30_exim4-config_remote_smtp
#####################################################

Above that, add:

# Sign with the (lowercased) domain of the From: header
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
# One private key file per domain, named after the domain
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem
# A private key of 0 tells Exim not to sign, so mail from a domain that has
# no key file goes out unsigned instead of failing
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_SELECTOR = mail
DKIM_CANON = relaxed

Now let's restart Exim4:

/etc/init.d/exim4 restart

Adding the TXT DNS record

The last step is to edit our DNS and add a TXT record. Normally we'll have two fields: a name field and a text/value field. In the name field, you'll add mail._domainkey. Note the mail. prefix there: that's the value we set as DKIM_SELECTOR, so if you changed that value, change mail. to match.

Name: mail._domainkey
Text:

"v=DKIM1; p=MIGfMA0CGSqGSIb3DQEBAQUAA4GNADCBiQKBgQDecXeuzMCtnWstzeQ3Rtib3Qm47BAtzDuNai+ybuDin7sGzCpa9ukrtWTzRejWwfPWO6UgCaCrM1NqCnt2xt0v6RrhUm1ufHCtpuFAYJ9ubdcxdyo/Xwv2tAa5K748YzuIAI3fio8RFQ3flKJowCsg9wDjCSvjUm3NMPfebeR9PwIDAQAB"

The text field above is our public key, while Exim4 has the location of our private key defined in its config file. You can open the .pub file with any editor of your choice, whether through the command line or something like FileZilla. The entire file will look something like this:

-----BEGIN PUBLIC KEY-----
MIGfMA0CGSqGSIb3DQEBAQUAA4GNADCBiQKBgQDecXeuzMCtnWstzeQ3Rtib3Qm4
7BAtzDuNai+ybuDin7sGzCpa9ukrtWTzRejWwfPWO6UgCaCrM1NqCnt2xt0v6Rrh
Um1ufHCtpuFAYJ9ubdcxdyo/Xwv2tAa5K748YzuIAI3fio8RFQ3flKJowCsg9wDj
CSvjUm3NMPfebeR9PwIDAQAB
-----END PUBLIC KEY-----

Carefully remove the line breaks when adding this to your TXT record; it needs to be a single line. Use the same selector name for all of your domains, but each domain's record carries its own public key, since it has to match that domain's private key.
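As an added example (not code from the original post), the key-generation and TXT-record steps above done in one POSIX shell script: it builds the single-line TXT value from a .pub file, splits it into 255-byte strings where a larger key makes it too long for one string, and generates a key pair per domain in a loop. The directory, selector and domain names are the post's; the function names and the 2048-bit key size are assumptions of this example.

```shell
# Added example, not the post's own code: turns a .pub file into the one-line
# TXT value, splits it into 255-byte strings when needed, and loops the key
# generation over domains (2048-bit keys as RFC 8301 recommends; 1024 works too).

# pem_to_dkim_txt: PEM public key on stdin -> "v=DKIM1; p=<base64>" on stdout
# (drops the BEGIN/END lines and the line breaks, as the post says to do).
pem_to_dkim_txt() {
    printf 'v=DKIM1; p=%s\n' "$(grep -v -- '-----' | tr -d '\r\n')"
}

# txt_quote VALUE: quote VALUE for a zone file in 255-byte strings. One TXT
# string holds at most 255 bytes; a 2048-bit p= needs two, a 1024-bit one fits.
txt_quote() {
    value=$1 out=''
    while [ -n "$value" ]; do
        chunk=$(printf '%s' "$value" | cut -c1-255)
        value=${value#"$chunk"}
        out="$out${out:+ }\"$chunk\""
    done
    printf '%s\n' "$out"
}

# dkim_zone_record SELECTOR DOMAIN: PEM on stdin -> zone-file TXT record named
# SELECTOR._domainkey.DOMAIN, matching the post's "mail" selector.
dkim_zone_record() {
    printf '%s._domainkey.%s. IN TXT ( %s )\n' "$1" "$2" \
        "$(txt_quote "$(pem_to_dkim_txt)")"
}

# dkim_gen_keys DIR SELECTOR DOMAIN...: one key pair per domain under DIR, named
# DOMAIN.pem/.pub as the DKIM_FILE macro expects (lowercased, like ${lc:...}).
dkim_gen_keys() {
    dir=$1 selector=$2; shift 2
    umask 077; mkdir -p "$dir" || return 1
    for domain in "$@"; do
        domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
        [ -f "$dir/$domain.pem" ] || openssl genrsa -out "$dir/$domain.pem" 2048 2>/dev/null
        openssl rsa -in "$dir/$domain.pem" -pubout 2>/dev/null > "$dir/$domain.pub"
        dkim_zone_record "$selector" "$domain" < "$dir/$domain.pub"
    done
}

# Sample input: the public key shown in the post (no openssl needed for this).
SAMPLE_PUB='-----BEGIN PUBLIC KEY-----
MIGfMA0CGSqGSIb3DQEBAQUAA4GNADCBiQKBgQDecXeuzMCtnWstzeQ3Rtib3Qm4
7BAtzDuNai+ybuDin7sGzCpa9ukrtWTzRejWwfPWO6UgCaCrM1NqCnt2xt0v6Rrh
Um1ufHCtpuFAYJ9ubdcxdyo/Xwv2tAa5K748YzuIAI3fio8RFQ3flKJowCsg9wDj
CSvjUm3NMPfebeR9PwIDAQAB
-----END PUBLIC KEY-----'
printf '%s\n' "$SAMPLE_PUB" | dkim_zone_record mail obstance.com
```

Run `dkim_gen_keys /etc/exim4/dkim mail obstance.com` as root to create the key files the Exim macros look for; the chown/chmod step from the post still applies afterwards.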

SPF record

If you don't already have an SPF record, add one as well:

Name: @
Text: "v=spf1 ip4:yourserverIPaddress ~all"

Change yourserverIPaddress to your server's actual IP address.

Test your SPF + DKIM

I ran across this site during a Google search, which is a great tool to see if you've got things set up right: https://www.mail-tester.com/spf-dkim-check

Simply enter your domain name and DKIM selector, then check the results below. If everything looks okay, we can move on to actually testing the headers of the email that gets sent. If you have a Gmail or Yahoo! email account, you can see if your emails are being signed correctly by sending an email to yourself. Using the command line:

echo "This is a test." | mail -s Testing youremail@gmail.com

Alternatively, send an email to check-auth@verifier.port25.com and you’ll receive a report back instantly.