Right, I’ve been procrastinating about setting up DKIM for a long time now. Earlier today, I tried to send an e-mail to a friend who’s hosted by Hotmail, and I got told to get lost:

2017-06-10 18:48:29 1dJlQy-0007SD-Fk ** myfriend@hotmail.com R=dnslookup T=remote_smtp X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 DN="CN=*.hotmail.com": SMTP error from remote mail server after MAIL FROM:<yves@rutschle.net> SIZE=1814: host mx1.hotmail.com [65.55.92.136]: 550 SC-001 (SNT004-MC1F14) Unfortunately, messages from 212.47.237.232 weren't sent.  Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

Hey, I am my service provider, so I guess I have to get better? So according to Microsoft, I better add DKIM.

Turns out it’s very, very simple, but took me a couple of hours. I followed this tutorial for a single domain. It’s all fine except for an error in the Exim variables: the variable for the path to the private key is actually DKIM_PRIVATE_KEY. And make sure the private key is accessible by Exim (which on Debian means chmod 664 and chgrp Debian-exim).

The harder part was to put the public key in DNS. I use nsd, which used to have a nsdc command to rebuild its database. This no longer exists, but basically all the Internet still talks about that command. The newer versions of nsd just rebuild the database when restarting. The thing that got me is that if for some reason the config files aren’t valid, it seems to just keep the previous database and says nothing. Nothing. Except in /var/log/syslog. So after way too long, I discovered that my public key was too long to fit in a single DNS response, and it needs to be split in the config file, something like that:

20170610._domainkey IN TXT ("k=rsa ; p="
 "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2yFnBKm74Pp2vfInF2qQv3k8XGsHlwRqaZK6yx59yx/T0L07bThFTY3BIpVLa1ovcHNUSq3che4htx2r5FLWwGX2Y"
"2TfJhAaedjgIt+cHEqq6YuDneeKFF6YudgdIq5XrX5UC2qBg50d/Az4EKZXBwAGfqQg4lZBs5Mnz3sNJSwIDAQAB")
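As an added example (not from the original post), here is a small Python script that does what the paragraph above describes in both directions: it reassembles the quoted strings of the record shown above the way a DKIM verifier does, checks that the p= value decodes to a DER SubjectPublicKeyInfo for an RSA key, and renders a zone-file record with the rdata split into strings of at most 255 octets, the limit on a single TXT character-string (RFC 1035), so it works unchanged for 2048-bit keys, which never fit in one string. The selector and key are the ones from the post; the v=DKIM1 tag the renderer adds is the one RFC 6376 recommends; POST_RECORD and the function names are the example's own.

```python
import base64
import re

MAX_TXT_STRING = 255  # one TXT <character-string> holds at most 255 octets (RFC 1035)
# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), as found in SubjectPublicKeyInfo
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# The zone-file record as it appears in the post (selector 20170610, key already split).
POST_RECORD = '''20170610._domainkey IN TXT ("k=rsa ; p="
 "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2yFnBKm74Pp2vfInF2qQv3k8XGsHlwRqaZK6yx59yx/T0L07bThFTY3BIpVLa1ovcHNUSq3che4htx2r5FLWwGX2Y"
"2TfJhAaedjgIt+cHEqq6YuDneeKFF6YudgdIq5XrX5UC2qBg50d/Az4EKZXBwAGfqQg4lZBs5Mnz3sNJSwIDAQAB")'''


def join_txt_strings(record):
    """Concatenate the quoted <character-string>s of a TXT record, as a
    verifier does after the DNS lookup, refusing any string over 255 octets."""
    strings = re.findall(r'"([^"]*)"', record)
    if not strings:
        raise ValueError("no quoted TXT strings found")
    for s in strings:
        if len(s.encode()) > MAX_TXT_STRING:
            raise ValueError("TXT string longer than 255 octets: %d" % len(s))
    return "".join(strings)


def parse_dkim_tags(rdata):
    """Split 'tag=value; tag=value' into a dict (RFC 6376 tag-list syntax);
    whitespace around '=' and ';' is ignored, as in the post's 'k=rsa ; p='."""
    tags = {}
    for item in rdata.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_rsa_public_key(p_b64):
    """Decode p= and confirm it is a DER SubjectPublicKeyInfo for rsaEncryption.
    Returns the DER length in bytes (162 for a 1024-bit key, 294 for 2048-bit)."""
    der = base64.b64decode(p_b64, validate=True)
    if not der or der[0] != 0x30:  # outer SEQUENCE
        raise ValueError("p= is not a DER SubjectPublicKeyInfo")
    if RSA_ENCRYPTION_OID not in der[:24]:  # AlgorithmIdentifier follows the header
        raise ValueError("p= is not an rsaEncryption key")
    return len(der)


def split_txt(rdata, width=MAX_TXT_STRING):
    """Cut rdata into pieces of at most `width` octets; width is capped at 255."""
    width = min(width, MAX_TXT_STRING)
    return [rdata[i:i + width] for i in range(0, len(rdata), width)]


def zone_record(selector, p_b64, width=MAX_TXT_STRING):
    """Render a DKIM TXT record for a zone file, splitting the rdata as needed."""
    check_rsa_public_key(p_b64)
    rdata = "v=DKIM1; k=rsa; p=" + p_b64
    strings = " ".join('"%s"' % s for s in split_txt(rdata, width))
    return "%s._domainkey IN TXT ( %s )" % (selector, strings)


if __name__ == "__main__":
    tags = parse_dkim_tags(join_txt_strings(POST_RECORD))
    print("key type:", tags["k"], "DER bytes:", check_rsa_public_key(tags["p"]))
    # width=128 just keeps the zone file readable; any width up to 255 is valid
    print(zone_record("20170610", tags["p"], width=128))
```

Running the check against the post's record before restarting nsd catches the two failure modes described above (a string over 255 octets, or a mangled key) without having to dig through /var/log/syslog afterwards.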

And then you can go to this e-mail tester which will create a temporary test e-mail address for you to send to, which will tell you if DKIM works fine. It does!

So now I have DKIM set up for my domain. But Hotmail still won’t accept my mail. I guess I’ll just have to funnel it to a smarthost.

UPDATE: it finally works as explained here.