opendkim-genkey - DKIM filter key generation tool
opendkim-genkey [options]
opendkim-genkey generates (1) a private key for signing
messages using opendkim(8) and (2) a DNS TXT record suitable for
inclusion in a zone file which publishes the matching public key for use by
remote DKIM verifiers.
The filenames of these are based on the selector (see below); the
private key will have a suffix of ".private" and the TXT record
will have a suffix of ".txt".
Both long and short names are supported for most options.
- -a
- (--append-domain) Appends the domain name (see -d below) to the label in
the generated TXT record, followed by a trailing period. By default it is
assumed the domain name is implicit from the context of the zone file, and
is therefore not included in the output.
- -b bits
- (--bits=n) Specifies the size of the key, in bits, to be generated.
The upstream default is 1024 which is the value recommended by the DKIM
specification, but in Debian the default is 2048 based on more current
recommendations such as those from NIST 800-177.
- -d domain
- (--domain=string) Names the domain which will use this key for
signing. Currently only used in a comment in the TXT record file. The
default is "localhost".
- -D directory
- (--directory=path) Instructs the tool to change to the named
directory prior to creating files. By default the current directory
is used.
- -h algorithms
- (--hash-algorithms=name[:name[...]]) Specifies a list of hash
algorithms which can be used with this key. Upstream, by default
all hash algorithms are allowed, but in Debian this is restricted to
sha256 based on NIST 800-177.
- --help
- Print a help message and exit.
- -n note
- (--note=string) Includes arbitrary note text in the key record. By
default, no such text is included.
- -r
- (--restrict) Restricts the key for use in e-mail signing only. The default
is to allow the key to be used for any service.
- -s selector
- (--selector=name) Specifies the selector, or name, of the key pair
generated. The default is "default".
- -S
- (--[no]subdomains) Disallows subdomain signing by this key. By default the
key record will be generated such that verifiers are told subdomain
signing is permitted. Note that for backward compatibility reasons,
-S means the same as --nosubdomains.
- -t
- (--[no]testmode) Indicates the generated key record should be tagged such
that verifiers are aware DKIM is in test at the signing domain.
- -v
- (--verbose) Increase verbose output.
- -V
- (--version) Print version number and exit.
Requires that the openssl(8) binary be installed and in the
executing shell's search path.
This man page covers the version of opendkim-genkey that
shipped with version 2.11.0 of OpenDKIM.
Copyright (c) 2007, 2008 Sendmail, Inc. and its suppliers. All
rights reserved.
Copyright (c) 2009, 2011-2013, The Trusted Domain Project. All
rights reserved.