HAHA, IT IS DONE. WE HAVE BATTLED FOR WEEKS, BUT YOU HAVE FINALLY SUBMITTED. SUBMITTED TO BEING MY SERVANT, TO BEING THE COURIER OF MY MAIL.

AND YOU WILL FUCKING SIGN IT WITH MY DKIM SIGNATURE, FOR I HAVE DECREED IT.

For those of you wondering what the hell that was about, I've recently spent an inordinate amount of time trying to get exim to sign my emails with a DKIM (DomainKeys Identified Mail) signature, in order to reduce the likelihood of them being considered spam.

For those unaware, DKIM is a process in which a private key is used to sign emails prior to their delivery to another mail server. The receiving server can then look up the sender's domain to get the public key, which it uses to validate that the email originated from somewhere controlled by the domain owner.
Effectively, DKIM is a system to ensure that mail is coming from the domain it claims to be from, because despite what most consumer software might have you believe, anyone can send an email pretending to be from support@apple.com; it's as simple as:

echo "To: user@domain.com
Subject: Password Reset
From: support@apple.com" | sendmail -f "support@apple.com" user@domain.com

Those fairly simple lines would send an email to user@domain.com which, for all intents and purposes, would appear to be from support@apple.com.
Historically this tended to be a pretty big issue, and is the reason there was so much spam going around in the 90s/00s. More recently, a number of standards have been introduced as a way to validate that a sender is who they say they are. Or at least, that they're associated with the domain that they say they are (you can do individual sender validation separately, using PGP signing and the web of trust).

The first standard is known as SPF, which is a simple text record published in the domain's DNS, listing the IPs that can send mail from that domain. If an IP is trying to send an email with a from address of apple.com, but the server's IP isn't in the apple.com SPF record, then most modern mail servers will assume the email is spam/phishing and refuse to accept it.

The second standard I'll mention is DKIM, which uses public/private key pairs to verify the email and its contents. The private key is known only to the server, and is used to sign the emails as they leave. The public key is derived from the private key and, as the name suggests, is made public in a DNS record associated with the domain. Any signature made with the private key can be validated against the public key to ensure that the email has in fact come from the origin it claims.

As an aside, this post started as a rant because I wanted to have a whinge about exim's scripting language, which is the reason I've got SPF/DKIM on my mind.
(My issue with exim's scripting language has to do with the lack of an indicator for variables in strings, as opposed to being a regular part of a string. In the snippet below there's nothing to indicate that DKIM_DOMAIN is actually a variable and not just an uppercase section of the string.)

# Commented below each of the assignments is an example of 
# what it resolves to.
MAIN_TLS_ENABLE = true
DKIM_CANON = relaxed
DKIM_SELECTOR = 20170405
# Get DKIM_DOMAIN from the From: header of the outgoing email,
# lowercased and with any leading "www." stripped
DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
#DKIM_DOMAIN = rumblelane.com

# use the file associated with the domain
DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN-private.pem
#DKIM_FILE = /etc/exim4/dkim/rumblelane.com-private.pem

# if the file doesn't exist, don't use it.
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
#DKIM_PRIVATE_KEY = /etc/exim4/dkim/rumblelane.com-private.pem

The above shows how the configuration looks in exim. We get the domain name (DKIM_DOMAIN) from the sender address, we look for a private key file for that domain (DKIM_FILE), and then we set the private key to that file if it exists (DKIM_PRIVATE_KEY). You can also see the selector I've specified for the DKIM record; if I need to support different selectors for different domains in future, I could do that with an IF/ELSE IF.
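To show what that configuration means on the wire, here is an added example (not from the original post, and not exim's own code) that mirrors the DKIM_DOMAIN expansion in Python, builds the DNS name a verifier queries for the public key, and applies the "relaxed" canonicalization from RFC 6376 before hashing the body. The function names and the sample message are constructed for illustration.

```python
import base64
import hashlib
import re
from email.utils import parseaddr

SELECTOR = "20170405"  # DKIM_SELECTOR from the config above


def signing_domain(from_header: str) -> str:
    """Mirror DKIM_DOMAIN: lowercase the From: domain, strip a leading 'www.'."""
    _, addr = parseaddr(from_header)
    return re.sub(r"^www\.", "", addr.rpartition("@")[2].lower())


def key_record_name(domain: str, selector: str = SELECTOR) -> str:
    """DNS name of the TXT record where a verifier fetches the public key."""
    return f"{selector}._domainkey.{domain}"


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace, trim."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse runs of WSP
    return f"{name.strip().lower()}:{value}\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP, trim line ends, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value of the bh= tag for sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


if __name__ == "__main__":
    # Constructed sample message, not real mail.
    from_hdr = "Example Sender <someone@WWW.RumbleLane.com>"
    body = b"Hello  \t world \r\n\r\n\r\n"
    domain = signing_domain(from_hdr)
    print("d=" + domain, "s=" + SELECTOR)
    print("key lookup:", key_record_name(domain))
    print(relaxed_header("From", from_hdr), end="")
    print("bh=" + body_hash(body))
```

Because relaxed canonicalization normalizes whitespace before hashing, a relay that rewraps a header or adds trailing blank lines does not break the signature, while any change to the visible content does.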

Both standards are, in essence, a way to determine the trustworthiness of a given communication (in this case, an email), and they do so by publicly declaring that "only communications that originate from these addresses (SPF) or have my signature (DKIM) are from me."

For the curious, you can see my DKIM record here, and my SPF record here (It's the second, the first is my keybase verification).