DKIM will sign outbound message, and receiving servers will check that signature against DNS records added to your zone to verify the signature and lower the spam score if it passes.
Assumes you’ve got /etc/exim.conf 4.5.x or newer.
Turn it on
- Enable it in the exim configs and exim:
Turn it on required domains
Note: The dkim=2 setting, above, will not turn on DKIM for a domain when it’s created. It simply makes the feature available to Users, so they can turn it on if they use local DNS for their domain. Using dkim=1 means that it will be activated immediately when a domain is created on the system. Only use dkim=1 if all domains use local DNS. If external DNS is used, the DKIM TXT records must be copied over to the remote DNS, else the outbound emails will be signed but will fail since the dns checks will fail, which is actually far worse than having no DKIM at all.
1) Ensure the exim supports DKIM signging:
where we want to see DKIM in the list.
If exim does not support DKIM, then re-compile exim.
2) Add it to exim
Then edit your /etc/exim.conf, and find the code:
and change it to look like
and restart exim
Note, that newer exim.conf files will not require manual editing of the exim.conf (code will already exist)
3) Turn in on in DirectAdmin.
making absolutely sure that you’re using two >> characters, else you’ll empty your directadmin.conf.
And confirm it’s set, and restart DA:
4) At this point, any domain created after the change should have the DKIM keys created, and dns zones updated.
For existing domains, you can either enable it individually for each domain, one-by-one:
5) or you can enable it for all of your domains like this:
but it may be a good idea to test it out manually with 3) first, to ensure it works correctly.
Note: the dkim_create.sh script itself doesn’t touch the zone. It uses a task.queue entry to have the dataskq add the dns entry based on the keys that the dkim_create.sh script created. As such, it may take up to one minute for the records to be added.
Important: If any of your domains are hosted using an external DNS server that DA does not control, you MUST manually add the TXT records to the remote zones. You can copy them over as needed. If the DNS does not have the records, but your emails are signed, this may increase the spam score of those emails, which is the opposite of what we want.
If you need to disable dkim on a per-User basis, you can do so with this feature: