- DKIM filter key generation tool
generates (1) a private key for signing messages using
and (2) a DNS TXT record suitable for inclusion in a zone
file which publishes the matching public key for use by remote DKIM verifiers.
The filenames of these are based on the selector (see below); the private key
will have a suffix of ".private" and the TXT record will have a
suffix of ".txt".
Both long and short names are supported for most options.
- (--append-domain) Appends the domain name (see -d below) to
the label in the generated TXT record, followed by a trailing period. By
default it is assumed the domain name is implicit from the context of the
zone file, and is therefore not included in the output.
- -b bits
- (--bits=n) Specifies the size of the key, in bits,
to be generated. The upstream default is 1024 which is the value
recommended by the DKIM specification, but in Debian the default is 2048
based on more current recommendations such as those from NIST 800-177.
- -d domain
- (--domain=string) Names the domain which will use
this key for signing. Currently only used in a comment in the TXT record
file. The default is "localhost".
- -D directory
- (--directory=path) Instructs the tool to change to the
named directory prior to creating files. By default the current
directory is used.
- -h algorithms
- (--hash-algorithms=name[:name[...]]) Specifies a list of
hash algorithms which can be used with this key. Upstream, by
default all hash algorithms are allowed, but in Debian this is restricted
to sha256 based on NIST 800-177.
- Print a help message and exit.
- -n note
- (--note=string) Includes arbitrary note text in the
key record. By default, no such text is included.
- (--restricted) Restricts the key for use in e-mail signing
only. The default is to allow the key to be used for any service.
- -s selector
- (--selector=name) Specifies the selector, or name,
of the key pair generated. The default is "default".
- (--[no]subdomains) Disallows subdomain signing by this key.
By default the key record will be generated such that verifiers are told
subdomain signing is permitted. Note that for backward compatibility
reasons, -S means the same as --nosubdomains.
- (--[no]testmode) Indicates the generated key record should
be tagged such that verifiers are aware DKIM is in test at the signing
- (--verbose) Increase verbose output.
- (--version) Print version number and exit.
Requires that the openssl(8)
binary be installed and in the executing
shell's search path.
This man page covers the version of opendkim-genkey
that shipped with
version 2.11.0 of OpenDKIM.
Copyright (c) 2007, 2008 Sendmail, Inc. and its suppliers. All rights reserved.
Copyright (c) 2009, 2011-2013, The Trusted Domain Project. All rights reserved.
RFC6376 - DomainKeys Identified Mail