{{tag>mail}}

====== Add DKIM and DMARC to exim4 MTA ======

===== Create keys =====

  openssl genrsa -out dkim.private.key 1024
  openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform PEM

Check which configuration type is being used:

  grep "db_use_split_config" /etc/exim4/update-exim4.conf.conf

If the line says "true", see [[#Split config]]; otherwise follow [[#Single file config]].

==== Split config ====

Create the file /etc/exim4/conf.d/main/00_local_macros with these variables:

  DKIM_CANON = relaxed
  DKIM_SELECTOR = www
  DKIM_DOMAIN = example.com
  DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key

==== Single file config ====

Insert the above variables at the beginning of /etc/exim4/exim4.conf.template.

===== Update configuration =====

  update-exim4.conf
  service exim4 restart

===== On DNS server create new TXT record =====

  www._domainkey IN TXT "v=DKIM1\; k=rsa\; o=~\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcUXcOEEt5daq1PE7PuDYoq2f5Hna51Nicby9J9ZCQNHPbozJjA2nelm51j754o0wQ6zjoM4sL+XL0a4CouAcNSvgjJaZ050e7akEwfYgOZ3OFyC6F8YfBlpHv3HFwhGZ0UNAqQ3DGA7nga7Ybmsxk/9XDhZnlLtKk4KhlAUrVSQIDAQAB\;"

The p tag contains the public key.

===== Reload bind and send test email =====

  named-checkzone example.com /etc/bind/example.com.zone
  systemctl reload bind9.service
  systemctl status bind9.service

===== Test =====

Visit http://dkimvalidator.com/ and send an email to a random address, e.g.

  echo "This is a test." | mail -s Test8 Q4yy4YbE613Rrd@dkimvalidator.com

Other test sites are https://www.mail-tester.com/ and https://www.unlocktheinbox.com (send email to mailtest@unlocktheinbox.com).

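The p= value in the DKIM TXT record is the base64 body of dkim.public.key with the PEM header, footer and line breaks removed. The following shell functions are an added example, not part of the original page: they build the record from the key file (emitting only the v, k and p tags) and check that a published record carries the same key as the local file. All function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of exim4 or bind.

# p= value for a PEM public key file: the base64 body with the
# BEGIN/END lines and all whitespace removed.
dkim_p_from_pem() {
    grep -v -e '-----' "$1" | tr -d ' \t\r\n'
}

# Zone-file TXT record for SELECTOR and PUBKEY_PEM. The key is written as
# quoted strings of at most 200 characters: one TXT string holds at most
# 255 bytes, which a 2048-bit key exceeds. Verifiers join the strings.
dkim_txt_record() {
    printf '%s._domainkey IN TXT ( "v=DKIM1\\; k=rsa\\; p="' "$1"
    dkim_p_from_pem "$2" | fold -w 200 | sed 's/.*/ "&"/' | tr -d '\n'
    printf ' "\\;" )\n'
}

# p= value from a TXT record as written in a zone file or printed by
# dig +short: quoted strings are joined and the \; escapes undone.
# The record must contain at least one quoted string.
dkim_p_from_record() {
    printf '%s\n' "$1" | sed 's/^[^"]*//' | tr -d '"\\ \t\r\n()' |
        tr ';' '\n' | sed -n 's/^p=//p'
}

# Succeeds only if the record carries a key and it equals the local one.
# An empty p= (a revoked key) counts as a mismatch.
dkim_record_matches_key() {
    published=$(dkim_p_from_record "$1")
    [ -n "$published" ] && [ "$published" = "$(dkim_p_from_pem "$2")" ]
}

# Usage (selector, domain and file name from this page):
#   dkim_txt_record www dkim.public.key
#   dkim_record_matches_key "$(dig +short TXT www._domainkey.example.com)" dkim.public.key
```

A mismatch after a key rotation usually means the zone still serves the old record or the serial was not increased before reloading bind.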
===== DMARC =====

For DMARC you can add this to the DNS zone as well:

  _dmarc IN TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; rua=mailto:admin@example.com\;"

====== Tested on ======

  * Debian 7 Wheezy

====== See also ======

  * [[Openssl commands]]
  * [[wiki:receive_dmarc_reports_different_domain|Receive dmarc reports to different domain]]
  * [[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide|DMARC and DKIM operation from Microsoft Docs]]
  * [[https://dmarcly.com/blog/how-to-implement-dmarc-dkim-spf-to-stop-email-spoofing-phishing-the-definitive-guide|Very nice comprehensive guide on SPF, DKIM and DMARC]]
  * [[https://www.unlocktheinbox.com/dmarcwizard/|DMARC generator wizard]]

====== References ======

  * https://mikepultz.com/2010/02/using-dkim-in-exim/
  * https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
  * http://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_and_spf.html#SECDKIMSIGN
  * https://debian-administration.org/article/720/Tying_together_SPF_and_DKIM_with_DMARC