Parent Category: Tutorials
Hits: 8370

Since Exim 4.70, DKIM (DomainKeys Indentified Mail – RFC4871) has been supported by default.

The current implementation supports signing outgoing mail, as well as verifying signatures in

incoming messages, using the acl_smtp_dkim ACL. By default, DKIM signatures are verified as

new messages come in, though no action is taken unless you’ve implicitly configured rules in


After installing Exim (>= 4.70), you should see debug logs for incoming mail from servers that

have DKIM signatures setup- they look like:

DKIM: s=gamma c=relaxed/relaxed a=rsa-sha256 [verification succeeded]

Verifying Incoming Mail

By default, Exim does not filter any mail based on the validity of the DKIM signature- it’s up to

you to add ACL rules to control what happens when you receive messages with “bad”


First add an ACL section for the DKIM processing; this should be included with your other ACL


acl_smtp_dkim = acl_check_dkim

Next, after the “begin acl”, section, add your DKIM ACL section, and by default, accept all

messages in this ACL:


Now you need to decide what kind of rules you want to setup- you probably don’t want to

put a rule that applies to all domains- though, if the company went to the trouble of adding

DKIM signatures to their e-mail, you’d hope they’d get it right, and not publish invalid public


For now, let’s add a simple rule for gmail; google knows what they’re doing, so their systems

should be setup correctly:


# check the DKIM signature for gmail
deny     message     = Common guys, what's going on?
sender_domains     =
dkim_signers     =
dkim_status     = none:invalid:fail


You can add as many rules, for whatever domains you want in this ACL.
Signing Outgoing Mail

Now that you’re checking incoming mail, you probably want to sign mail coming out of your


This is a relatively easy process, that I’ve broken down into three steps:

Step1- Generate a private and public key to sign your messages; you can do this easily

with openssl:

#openssl genrsa -out dkim.private.key 768

Then extract the public key from the private key:
#openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform PEM

Step2- Configure the Exim remote-smtp transport to sign outgoing messages, using your

new private key.

You’ll need to pick a domain and a selector for this process.

When remote SMTP servers validate your DKIM signatures, they simply do a DNS look up,

based on the selector and your domain- the domain needs to (obviously) be a valid domain

you own, that you can add DNS entries to, and the selector can be any string you want. So,

forexample, using the domain “”, and the selector “x”, you would add to the

remote_smtp transport in Exim:


driver = smtp
dkim_domain =
dkim_selector = x
dkim_private_key = dkim.private.key
dkim_canon = relaxed

This tells Exim to sign any outbound e-mail, using the domain, the selector

“x”, and the private key we just generated. The dkim_canon = relaxed, sets the canonicalization

method to use when signing messages. DKIM supports “simple” and “relaxed” algorithms- to

understand the difference, see section 3.4 of the DKIM RFC.

Step3- add your DKIM public key to your DNS.

The DKIM public key generated above is advertised to other SMTP servers, using a DNS

TXT record.

In DNS for the domain, add a new TXT record:   TXT v=DKIM1; t=y; k=rsa; p=<public key>

Where “x” is the selector you used above, and <public key> is the public key data

(minus the key header/footer text).

When setup correctly, your DKIM text record should look something like this:
# host -t txt descriptive text "v=DKIM1\; t=y\; k=rsa\; p=MIGfMA0GCS

(lines breaks were added for readability- your entry should be one continuous line)

This DNS record is referred to as the “selector” record; you need to also setup a “policy”

record. The policy record is your domains policy for domain keys- you should start with

something like: t=y; o=~;

The t=y specifies that you are in test mode and this should be removed when you are

certain that your domain key setup is functioning properly. The “~” in the o=~ specifies

that some of the mail from your domain is signed, but not all. You could also specify o=-

if all of the mail coming from your domain will be signed.

Once you have all of that in-place,  restart Exim, and send out a message using the

remote-smtp transport.

You should now see a DKIM-Signature: header listed in the message headers, which

lists your domain (as d=), and selector (as s=), as well as a signature for this e-mail,

which can be validated against your public DKIM key, that you’ve published in DNS.

For more information, see the Exim DKIM page, or the DKIM RFC.

Once you’ve set everything up, you can test your DKIM (and SPF and SenderID, etc)

install, by using the validation service.

Just send an e-mail to This email address is being protected from spambots. You need JavaScript enabled to view it., and it will auto-respond with

a validation report


We use Hosting and VPS Hosting, from:

We like and trust them.

Good prices, high security.