Update: This article is obsolete as of cPanel 11.32. To enable DKIM support, go to cPanel -> Email Authentication.
Similar to the intentions of SPF records and DomainKeys, DKIM is intended to authenticate a sender by using a public/private key pair to digitally sign email, thereby increasing deliverability. At this point in time, while SPF records and DomainKeys are supported in cPanel, outgoing authentication with DKIM is not. That being said, please keep the following points in mind while following this tutorial:
- The cPanel developers indicated that DKIM auth will be a feature in 11.32; therefore, when 11.32 is released, it’s possible that a few steps in this guide will become obsolete.
- cPanel does not recommend or provide support for some of the changes this tutorial will ask you to make. As usual, make these changes at your own risk or use our server consultation services for help.
Upgrade Exim
DKIM is supported in Exim 4.70 and higher – the version current at the time this article was written is 4.69. Therefore, you will need to upgrade. Hop over to the below URL, locate the latest version of Exim 4.7x, and navigate to the folder that corresponds with your operating system to find the RPM:
http://httpupdate.cpanel.net/exim/
In this case, we downloaded the RPM from:
http://httpupdate.cpanel.net/exim/4.70-4/centos/5.6/exim-4.70-4_cpanel_maildir.i386.rpm
On your server, run the following command (replace the URL with the one corresponding to the RPM you found):
rpm -Uvh http://httpupdate.cpanel.net/exim/4.70-4/centos/5.6/exim-4.70-4_cpanel_maildir.i386.rpm --nodeps
Now, verify the version:
root@server [~]# rpm -qa |grep -i exim
exim-4.70-4_cpanel_maildir
You’ll also want to keep cPanel from running an Exim update and reverting the version back to 4.69:
touch /etc/eximupdisable
If you have existing domains on this server, make sure to move local and remote domains files back:
mv -f /etc/localdomains.rpmsave /etc/localdomains
mv -f /etc/remotedomains.rpmsave /etc/remotedomains
*If you have trouble installing the RPM due to fetchmail or a conflict with the previously installed Exim package, run the following (replace the package name with the actual name of the old Exim package):
yum remove fetchmail
rpm -e exim-4.69-29_cpanel_maildir
Install DomainKeys
The topic of how to install DomainKeys was previously covered in this article. Install the keys for each user, or run a loop as shown in the article to install them for all users. The keys will be in: /var/cpanel/domain_keys/[public|private]/$domain .
Configure Exim
Open /etc/exim.conf and near the top, add the following lines:
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /var/cpanel/domain_keys/private/${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
Then scroll down until you see these lines:
remote_smtp:
driver = smtp
Replace this with:
remote_smtp:
driver = smtp
dkim_domain = DKIM_DOMAIN
dkim_selector = default
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
Now, restart Exim:
service exim restart
The additions to exim.conf will use a domain’s key, if the domain has one, to sign each message with DKIM.
Now, keep in mind that cPanel will overwrite these changes during cPanel updates. You have the following options:
- Run chattr +ia /etc/exim.conf, OR:
- Copy /etc/exim.conf to /root/exim.conf and create a file called /scripts/posteximup (and chmod to 700) containing the following code:
#!/bin/sh
# Restore the saved Exim configuration after a cPanel update, then restart Exim
scp -p /root/exim.conf /etc/exim.conf
service exim restart
Verify
The easiest way to verify the functionality of your new DKIM setup is to send an email from your server to check-auth@verifier.port25.com. You’ll get an autoresponse back letting you know that everything is working (note that with DKIM, DomainKeys are obsolete, so a status of “neutral” is normal):
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
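To confirm on a delivered copy that the signature carries the values set in the remote_smtp transport, the following added example (not part of the original article) parses the DKIM-Signature header and compares d=, s= and c= with the settings above. It inspects the tags only and does not verify the signature cryptographically; the function names and the sample message are constructed for illustration.

```python
# Added example, not from the original article: checks that a message's
# DKIM-Signature tags match the remote_smtp settings shown above.
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_SELECTOR = "default"   # dkim_selector = default
EXPECTED_CANON = "relaxed"      # dkim_canon = relaxed

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside values (h=, b=) is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_message(raw):
    """Return a list of mismatches between the message and the Exim settings."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if sig is None:
        # Corresponds to DKIM_PRIVATE_KEY expanding to 0: no key file, no signature.
        return ["no DKIM-Signature header (no key for %s?)" % from_domain]
    tags = parse_dkim_tags(sig)
    problems = []
    if tags.get("d", "").lower() != from_domain:
        problems.append("d=%s does not match From domain %s" % (tags.get("d"), from_domain))
    if tags.get("s") != EXPECTED_SELECTOR:
        problems.append("s=%s, expected %s" % (tags.get("s"), EXPECTED_SELECTOR))
    if tags.get("c", "simple").split("/")[0] != EXPECTED_CANON:
        problems.append("c=%s, expected %s" % (tags.get("c"), EXPECTED_CANON))
    return problems

# Constructed sample message; bh= and b= are placeholders, not real signature data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n"
    "\td=example.com; s=default; h=From:To:Subject;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: User <user@Example.COM>\n"
    "To: check-auth@verifier.port25.com\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE) or "DKIM-Signature matches the transport settings")
```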