Update November 2018:
A reader contacted me and pointed out that removing the {} around DKIM_DOMAIN solves the errors in the original example I found and had problems using. I’ve updated the code below (line 8) to reflect those changes in case anyone ends up here via google.
He also shared a nifty way to make selector rollovers easier by adding them to the filename:
1 2 3 4 5 6 7 8 | DKIM_SELECTOR = whatever DKIM_FILE =/etc/exim4/dkim/DKIM_DOMAIN.pem.DKIM_SELECTOR DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} With the format of the key files being .... /etc/exim4/dkim/example.org.pem.previousselector /etc/exim4/dkim/example.org.pem.whatever |
And last but not least an elegant way to populate the DKIM_DOMAIN variable: https://bugs.exim.org/show_bug.cgi?id=1019
Original Posting:
I was recently setting up SPF, DKIM and DMARC for multiple domains and was having trouble getting Exim to sign emails for the different domains. I found an article here explaining the steps. But I kept getting the following error in my exim logs:
failed to expand dkim_private_key: missing or misplaced { or }
The suggested configuration was the following:
1 2 3 4 5 6 7 8 9 10 11 | DKIM_CANON = relaxed DKIM_SELECTOR = 20150726 # Get the domain from the outgoing mail. DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}} # The file is based on the outgoing domain-name in the from-header. DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN.pem # If key exists then use it, if not don't. DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} |
I’m not quite sure why, but Exim was having trouble using the macros in the following macros, so I ended up changing it to the following snippet instead. If you don’t use DKIM_FILE you can omit it. Also you might want to set DKIM_STRICT to true if you published a DMARC policy that will reject or quarantine email failing the DKIM tests (unset, or “false” tells Exim to send the message unsigned if it ran into problems signing the email). The default setting for DKIM_CANON is “relaxed“, so it also can be omitted.
1 2 3 4 5 6 | DKIM_CANON = relaxed DKIM_STRICT = false DKIM_SELECTOR = 20160724 DKIM_DOMAIN = ${lc:${domain:$h_from:}} DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem DKIM_PRIVATE_KEY = ${if exists {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem} {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem}} |
Other than that, just make sure the exim process has permissions to access the dkim directory and certificate files and everything should work nicely.