Setting up DKIMproxy with Exim for DKIM and DomainKeys signing

Was your mail ever rejected or tagged as spam because it didn’t have a DKIM signature? You could enable DKIM-signing in Exim, but then, some older mail systems may still use DomainKeys.

Currently, Exim does not support signing mails with both DomainKeys and DKIM. You have to pick one of them, unless you do some tricks with patching Exim or connecting back to itself.

Still though, such setup is not perfect: Exim does not wrap its DomainKeys signature, which may result in SpamAssassin installations tagging your mail with HEAD_LONG rule (“Message headers are very long”) and assigning it 2.5 spam points.

So how to sign mail with DKIM and DomainKeys without negative consequences of being tagged by SpamAssassin for very long headers? DKIMproxy to the rescue!

Exim configuration

Exim should listen on an additional port – make sure you have something similar in your exim.conf file:

Exim should speak TLS only on port 25, otherwise, it won’t be able to communicate with DKIMproxy:

at the beginning of the routers section in exim.conf:

transports section in exim.conf (does not matter where):

DKIMproxy configuration

Download and install DKIMproxy (“./configure; make; make install” after you downloaded and extracted dkim-proxy package, unless your distribution provides it packaged).

Create a /etc/dkimproxy/dkimproxy_out.conf file with similar content:

Make sure DKIMproxy is started when your server boots (add it to your startup scripts):

Place the private key you want to use with DKIMproxy in /etc/dkimproxy/dkim.key.private. If you use cPanel, you may symlink it to a key in /var/cpanel/domain_keys/private/.

DNS configuration

Similar entries will be needed in your DNS zone configuration:

Key generation


You can test it by sending an email to:

[email protected]


If you use cPanel, you will see such entries in your /var/log/exim_mainlog:

This is because /etc/init.d/exim script shipped with cPanel starts two instances of Exim, one of them is listening on port 465 – SMTP over SSL (TLS), but reading the same config file. This conflicts with “local_interfaces = :“. Second instance of Exim will try to bind to port 10025 as well, but will give up after 10 tries.

To fix it, add this to your Exim config file:

And comment out these lines from /etc/init.d/exim:

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.