DOKK / manpages / debian 12 / dkim-rotate / dkim-rotate.1.en
dkim-rotate(1) dkim-rotate(1)

dkim-rotate - rotate and revoke and invalidate DKIM keys

dkim-rotate [options] --new [instance ...]

dkim-rotate [options] --major [instance..]

dkim-rotate [options] --minor [instance ...]

dkim-rotate [options] --status [instance ...]

dkim-rotate [options] --reinstall [instance ...]

dkim-rotate is a tool for managing DKIM (email antispam) keys in a manner that avoids unnecessarily making emails nonrepudiable.

For each instance, dkim-rotate maintains several keys concurrently, using “selectors” in a circular rotation.

See dkim-rotate(7) for the Principles of Operation, and details of how to configure your MTA, DNS, and WWW server.

If no instance is provided, dkim-rotate will operate on all instances matching [a-z][-_0-9a-z]* for which the configuration file /etc/dkim-rotate/instance.zone exists.

See dkim-rotate(5) for details about the instance configuration file.

If an instance is provided and contains a slash, it will be treated as a pathname; otherwise it will be taken as a reference to the configuration file in /etc.

dkim-rotate should normally be run out of cron. It will produce progress information on stdout. It will produce stderr output if and only if something is wrong.

Make progress. Create new keys, advance to using different keys, and reveal old keys, as necessary.
Make progress, but do not advance to using a new key. If you wish your keys to be rotated at particular times of the day or week, you should run with --major at those times, and --minor otherwise.

For example, the suggested/default configuration runs with --major at 0400 local time. The effect is that emails sent on a particular day all cease to be repudiable at the same time.

Make progress, and, additionally, allow the creation of a new instance. Without --new, it is an error if there is a config file, but no recorded state.
Do not make any progress, but force recreation, reinstallation and reload of MTA and DNS output files.
Produce a status report of all the relevant keys. Do not make any changes.

Look for instance configuration files in etc-dir rather than /etc/dkim-rotate.
Look for instance state directories in var-dir rather than /var/lib/dkim-rotate.

Copyright 2022 Ian Jackson and contributors to dkim-rotate.

There is NO WARRANTY.

SPDX-License-Identifier: GPL-3.0-or-later

dkim_rotate(5)">">dkim-rotate(5)
Configuration file
dkim_rotate(7)">">dkim-rotate(7)
Principles of Operation
DKIM Signatures