Supporting multiple DKIM domains under Exim
Posted by lee on Fri 7 Jan 2011 at 19:48
UPDATE: a later entry uses a simplified config.

Support for DKIM signing in Exim has been available since version 4.70, and the configuration supplied with Debian makes it fairly straightforward to implement. However, it suggests an all-or-nothing configuration in which all outgoing mail is signed with the same domain authority.

Where multiple domains are used it may be necessary to selectively switch on DKIM signing, and be able to specify the signing domain. The following details provide a mechanism to do so within the standard Debian Exim configuration.

(This assumes that the keys have been created and the requisite records have been added to DNS for the affected domains. It also assumes a split config.)

Set up a simple lookup file such as /etc/exim4/dkim_senders


This config should mean that anything sent from any address at is signed as, but only will be signed with the key. If default DKIM is not enabled, then no other mail will be signed.

Now create a new router that sits in front of the main router for external mail (whatever uses remote_smtp as a transport, e.g. dnslookup), such as /etc/exim4/conf.d/router/180_local_primary_dkim (basically a copy of dnslookup with a modified transport):

  dnslookup_dkim:
    debug_print = "R: dnslookup_dkim for $local_part@$domain"
    driver = dnslookup
    domains = ! +local_domains
    # only senders listed in the lookup file are routed to the signing transport
    senders = lsearch*@;/etc/exim4/dkim_senders
    transport = remote_smtp_dkim
    same_domain_copy_routing = yes
    # ignore private rfc1918 and APIPA addresses
    ignore_target_hosts = : : :\
                 : : :\

Then add in a new transport /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim (basically a modified version of remote_smtp):

  remote_smtp_dkim:
    debug_print = "T: remote_smtp_dkim for $local_part@$domain"
    driver = smtp
    hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
    # signing domain is looked up from the sender address; an empty result means no signature
    dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
    dkim_selector = yourhostname
    dkim_private_key = /etc/ssl/private/dkim.key
    dkim_canon = relaxed
    # false: if signing fails, the message is still sent, unsigned
    dkim_strict = false
    #dkim_sign_headers = DKIM_SIGN_HEADERS

I've left the selector and keys the same since there doesn't appear to be any problem sharing these across domains, but these could also be found via lookups if needed.
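
The sender-to-domain mapping performed by the dkim_domain lookup above can be checked offline before reloading Exim. The following is an added example, not part of the original article: it emulates, in simplified form, the documented "lsearch*@" defaulting order (exact key, then "*@domain", then "*"). The map contents, the example.* domains and the function names are constructed for illustration.

```python
# Added example: emulates Exim's "lsearch*@" defaulting so a sender map can be
# checked offline. Simplified: no continuation lines or quoted keys.

# Constructed sample map (not the article's file): sender pattern -> signing domain.
SAMPLE_DKIM_SENDERS = """\
# key                      signing domain (d=)
newsletter@example.org:    lists.example.org
*@example.org:             example.org
*@example.net              example.net
"""

def parse_lsearch(text):
    """Return {lowercased key: data}; as in a linear search, the first match wins."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue  # blank line, comment, or (unsupported here) continuation
        # The key ends at the first colon or whitespace character.
        end = next((i for i, c in enumerate(line) if c == ":" or c.isspace()), len(line))
        key, data = line[:end].lower(), line[end:].lstrip(": \t").strip()
        table.setdefault(key, data)
    return table

def lookup_star_at(table, key):
    """Try the exact key, then "*@domain", then "*"; None means lookup failure."""
    key = key.lower()
    candidates = [key]
    if "@" in key:
        candidates.append("*@" + key.rsplit("@", 1)[1])
    candidates.append("*")
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None

def signing_domain(sender, text=SAMPLE_DKIM_SENDERS):
    """Value dkim_domain would expand to; empty means the message goes unsigned."""
    return lookup_star_at(parse_lsearch(text), sender) or ""

if __name__ == "__main__":
    for sender in ("newsletter@example.org", "Bob@Example.ORG",
                   "alice@example.net", "mallory@example.com"):
        print(f"{sender:26} -> {signing_domain(sender) or '(unsigned)'}")
```

A bare "*" key in the map would make every sender that reaches the lookup resolve to one signing domain, so it is worth confirming that such a catch-all is intended before deploying the file.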


Comments on this Entry

Thanks and small errata
Posted by Hulotte (86.198.xx.xx) on Sun 9 Jan 2011 at 00:42
I might have found two small mistakes:
  • The file /etc/exim4/dkim_senders should contain :
    This way it works as described.
  • The transport file 30_local_remote_smtp_dkim should be in the folder /etc/exim4/conf.d/transport/.
Anyway, thanks for sharing this technique :)

Re: Thanks and small errata
Posted by lee (90.193.xx.xx) on Sun 9 Jan 2011 at 13:19
The entry "" should be interpreted by the transport router as "*" because the search type in the transport is specified as "lsearch*@" (See Exim Documentation Chapter 9.6)

The location of the transport file was indeed a bad cut-n-paste and has been amended in the article, thanks.

Re: Thanks and small errata
Posted by lee (90.193.xx.xx) on Sun 9 Jan 2011 at 13:30
Oddly, according to the documentation, an ""@" needs to appear in the entry but I'm using the file without one and it still seems to work (a quirk of how senders is queried?). I've modified the entry to suggest "*@".

Re: Supporting multiple DKIM domains under Exim
Posted by Anonymous (121.44.xx.xx) on Fri 14 Jun 2013 at 13:31
Thank you!!!

This was doing my head in. Whilst not using Debian, it helped me with adding the stuff I needed in my Exim router and transports on a FreeBSD system.

Re: Supporting multiple DKIM domains under Exim
Posted by Anonymous (59.164.xx.xx) on Mon 7 Jul 2014 at 20:35

I want to set up DKIM for multiple domains and followed the procedure which you have mentioned. After this configuration, when I restart exim4, it shows -

/etc/init.d/exim4 restart
[....] Stopping MTA for restart:2014-07-07 19:11:22 Exim configuration error:
there are two transports called "remote_smtp_dkim"
Invalid new configfile /var/lib/exim4/config.autogenerated.tmp, not installing
/var/lib/exim4/config.autogenerated.tmp to /var/lib/exim4/config.autogenerated

Why am I getting this error? Please help!!

Re: Supporting multiple DKIM domains under Exim
Posted by nitram (93.185.xx.xx) on Wed 15 Apr 2015 at 16:46
Thank you Lee !
