opendkim-genkey(8)(The Trusted Domain Project) opendkim-genkey(8)

     NAME
          opendkim-genkey - DKIM filter key generation tool

     SYNOPSIS
          opendkim-genkey [options]

     DESCRIPTION
          opendkim-genkey generates (1) a private key for signing
          messages using opendkim(8) and (2) a DNS TXT record suitable
          for inclusion in a zone file which publishes the matching
          public key for use by remote DKIM verifiers.

          The filenames of these are based on the selector (see
          below); the private key will have a suffix of ".private" and
          the TXT record will have a suffix of ".txt".

          Both long and short names are supported for most options.

     OPTIONS
          -a   (--append-domain) Appends the domain name (see -d
               below) to the label in the generated TXT record,
               followed by a trailing period.  By default it is assumed
               the domain name is implicit from the context of the
               zone file, and is therefore not included in the output.

          -b bits
               (--bits=n) Specifies the size of the key, in bits, to
               be generated.  The upstream default is 1024 which is
               the value recommended by the DKIM specification, but in
               Debian the default is 2048 based on more current
               recommendations such as those from NIST 800-177.

          -d domain
               (--domain=string) Names the domain which will use this
               key for signing.  Currently only used in a comment in
               the TXT record file.  The default is "localhost".

          -D directory
               (--directory=path) Instructs the tool to change to the
               named directory prior to creating files.  By default
               the current directory is used.

          -h algorithms
               (--hash-algorithms=name[:name[...]])  Specifies a list
               of hash algorithms which can be used with this key.
               Upstream, by default all hash algorithms are allowed,
               but in Debian this is restricted to sha256 based on
               NIST 800-177.

          --help
               Print a help message and exit.

          -n note
               (--note=string) Includes arbitrary note text in the key
               record.  By default, no such text is included.

          -r   (--restrict) Restricts the key for use in e-mail
               signing only.  The default is to allow the key to be used
               for any service.

          -s selector
               (--selector=name) Specifies the selector, or name, of
               the key pair generated.  The default is "default".

          -S   (--[no]subdomains) Disallows subdomain signing by this
               key.  By default the key record will be generated such
               that verifiers are told subdomain signing is permitted.
               Note that for backward compatibility reasons, -S means
               the same as --nosubdomains.

          -t   (--[no]testmode) Indicates the generated key record
               should be tagged such that verifiers are aware DKIM is
               in test at the signing domain.

          -v   (--verbose) Increase verbose output.

          -V   (--version) Print version number and exit.
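
          Added example (not part of the OpenDKIM distribution): a
          check of a generated <selector>.txt record against the
          -b, -h, -r, -S and -t options described above.  It assumes
          the RFC 6376 key-record tags h=, s=email, t=y and t=s are
          what those options write; the sample record, its filler
          key material and the function names are constructed here.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    _, start, _ = _tlv(spki, 0)        # outer SEQUENCE
    _, _, alg_end = _tlv(spki, start)  # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(spki, alg_end)   # BIT STRING wrapping RSAPublicKey
    _, seq, _ = _tlv(spki, bits + 1)   # +1 skips the unused-bits octet
    _, n0, n1 = _tlv(spki, seq)        # INTEGER modulus
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def parse_record(text):
    """Join the quoted chunks of the zone-file record and split them into tags."""
    joined = "".join(re.findall(r'"([^"]*)"', text))
    return dict(item.strip().split("=", 1) for item in joined.split(";") if "=" in item)

def audit(text, min_bits=2048):
    """List where a record is weaker than the options above allow it to be."""
    tags, findings = parse_record(text), []
    bits = rsa_bits(base64.b64decode(tags["p"]))
    if bits < min_bits:
        findings.append(f"key is {bits} bits, below {min_bits} (-b)")
    if tags.get("h") != "sha256":
        findings.append("hashes not restricted to sha256 (-h)")
    flags = tags.get("t", "").split(":")
    if "y" in flags:
        findings.append("t=y: record is tagged as test mode (-t)")
    if "s" not in flags:
        findings.append("no t=s: subdomain signing permitted (-S not used)")
    if tags.get("s") != "email":
        findings.append("no s=email: key valid for any service (-r not used)")
    return findings

# Constructed sample: the p= value is well-formed DER around a filler 1024-bit
# modulus, not a usable key; the record layout is assumed, not tool output.
_SPKI = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
         + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE = ('default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; "\n'
          f'\t  "p={base64.b64encode(_SPKI).decode()}" )  ; constructed sample\n')
```

          Pass audit() the contents of the .txt file the tool wrote;
          an empty list means none of the five checks fired.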

     NOTES
          Requires that the openssl(8) binary be installed and in the
          executing shell's search path.

     VERSION
          This man page covers the version of opendkim-genkey that
          shipped with version 2.11.0 of OpenDKIM.

     COPYRIGHT
          Copyright (c) 2007, 2008 Sendmail, Inc. and its suppliers.
          All rights reserved.

          Copyright (c) 2009, 2011-2013, The Trusted Domain Project.
          All rights reserved.

     SEE ALSO
          opendkim(8), openssl(8)

          RFC6376 - DomainKeys Identified Mail

     Page 3                       Plan 9             (printed 5/24/22)