Right, I’ve been procrastinating about setting up DKIM for a long time now. Earlier today, I tried to send an e-mail to a friend who’s hosted by Hotmail, and I got told to get lost:
2017-06-10 18:48:29 1dJlQy-0007SD-Fk ** email@example.com R=dnslookup T=remote_smtp X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 DN="CN=*.hotmail.com": SMTP error from remote mail server after MAIL FROM:<firstname.lastname@example.org> SIZE=1814: host mx1.hotmail.com [220.127.116.11]: 550 SC-001 (SNT004-MC1F14) Unfortunately, messages from 18.104.22.168 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
Hey, I am my service provider, so I guess I have to get better? So according to Microsoft, I better add DKIM.
Turns out it’s very, very simple, but took me a couple of
hours. I followed this
for a single domain. It’s all fine except for an error in
the Exim variables: the variable for the path to the private
key is actually
DKIM_PRIVATE_KEY. And make sure the
private key is accessible by Exim (which on Debian means
chmod 664 and
The harder part was to put the public key in DNS. I use
nsd, which used to have a
nsdc command to rebuild its
database. This no longer exists, but basically all the
Internet still talks about that command. The newer versions
nsd just rebuild the database when restarting. The
thing that got me is that if for some reason the config
files aren’t valid, it seems to just keep the previous
database and says nothing. Nothing. Except in
/var/log/syslog. So after way too long, I discovered that
my public key was too long to fit in a single DNS response,
and it needs to be split in the config file, something like
20170610._domainkey IN TXT ("k=rsa ; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2yFnBKm74Pp2vfInF2qQv3k8XGsHlwRqaZK6yx59yx/T0L07bThFTY3BIpVLa1ovcHNUSq3che4htx2r5FLWwGX2Y" "2TfJhAaedjgIt+cHEqq6YuDneeKFF6YudgdIq5XrX5UC2qBg50d/Az4EKZXBwAGfqQg4lZBs5Mnz3sNJSwIDAQAB")
And then you can go to this e-mail tester which will create a temporary test e-mail address for you to send to, whcih will tell you if DKIM works fine. It does!
So now I have DKIM set up for my domain. But Hotmail still won’t accept my mail. I guess I’ll just have to funnel it to a smarthost.
UPDATE: it finally works as explained here.