opendkim-genkey(8) System Manager's Manual opendkim-genkey(8)
NAME
opendkim-genkey - DKIM filter key generation tool
SYNOPSIS
opendkim-genkey [options]
DESCRIPTION
opendkim-genkey generates (1) a private key for signing messages using
opendkim(8) and (2) a DNS TXT record suitable for inclusion in a zone
file which publishes the matching public key for use by remote DKIM
verifiers.
The filenames of these are based on the selector (see below); the private
key will have a suffix of ".private" and the TXT record will have
a suffix of ".txt".
Both long and short names are supported for most options.
OPTIONS
-a (--append-domain) Appends the domain name (see -d below) to the
label in the generated TXT record, followed by a trailing period.
By default it is assumed the domain name is implicit from
the context of the zone file, and is therefore not included in
the output.
-b bits
(--bits=n) Specifies the size of the key, in bits, to be generated.
The upstream default is 1024 which is the value recommended
by the DKIM specification, but in Debian the default is
2048 based on more current recommendations such as those from
NIST 800-177.
-d domain
(--domain=string) Names the domain which will use this key for
signing. Currently only used in a comment in the TXT record
file. The default is "localhost".
-D directory
(--directory=path) Instructs the tool to change to the named directory
prior to creating files. By default the current directory
is used.
-h algorithms
(--hash-algorithms=name[:name[...]]) Specifies a list of hash
algorithms which can be used with this key. Upstream, by default
all hash algorithms are allowed, but in Debian this is restricted
to sha256 based on NIST 800-177.
--help Print a help message and exit.
-n note
(--note=string) Includes arbitrary note text in the key record.
By default, no such text is included.
-r (--restrict) Restricts the key for use in e-mail signing only.
The default is to allow the key to be used for any service.
-s selector
(--selector=name) Specifies the selector, or name, of the key
pair generated. The default is "default".
-S (--[no]subdomains) Disallows subdomain signing by this key. By
default the key record will be generated such that verifiers are
told subdomain signing is permitted. Note that for backward
compatibility reasons, -S means the same as --nosubdomains.
-t (--[no]testmode) Indicates the generated key record should be
tagged such that verifiers are aware DKIM is in test at the
signing domain.
-v (--verbose) Increase verbose output.
-V (--version) Print version number and exit.
NOTES
Requires that the openssl(8) binary be installed and in the executing
shell's search path.
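The following is an added example, not part of the original man page or of OpenDKIM: a Python check that reads a generated selector ".txt" record and reports where its tags differ from the Debian defaults described above (2048-bit key, sha256 only), plus the test-mode and service-restriction flags. It assumes the RFC 6376 tag names (h=, t=y, s=email, p=) and the quoted-chunk record layout; all function names are hypothetical, and the sample record is constructed with a placeholder structure in p= rather than a real key.

```python
import base64
import re

def tlv(buf, pos=0):
    """Read one DER element; return (value, offset of the next element)."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length octets that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def rsa_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag."""
    spki, _ = tlv(base64.b64decode(p_b64))  # outer SEQUENCE
    _, pos = tlv(spki)                      # skip AlgorithmIdentifier
    bitstr, _ = tlv(spki, pos)              # BIT STRING wrapping the RSA key
    rsakey, _ = tlv(bitstr[1:])             # drop the unused-bits octet
    return int.from_bytes(tlv(rsakey)[0], "big").bit_length()  # first INTEGER

def parse_record(text):
    """Join the quoted chunks of the TXT record and split them into tags."""
    data = "".join(re.findall(r'"([^"]*)"', text))
    pairs = (item.partition("=") for item in data.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if v.strip()}

def audit(text, min_bits=2048):  # policy values are assumptions of this example
    tags, notes = parse_record(text), []
    if "p" not in tags:
        return ["p= empty or missing: no usable public key"]
    if (bits := rsa_bits(tags["p"])) < min_bits:
        notes.append(f"key is {bits} bits, below {min_bits}")
    if tags.get("h", "").split(":") != ["sha256"]:
        notes.append("h= does not limit hashes to sha256")
    if "y" in tags.get("t", "").split(":"):
        notes.append("t=y: record still marked as test mode")
    if tags.get("s", "*") != "email":
        notes.append("s=email absent: key valid for any service")
    return notes

def _enc(tag, body):  # minimal DER encoder, used only to build the sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def sample_record(bits, tags):  # constructed; p= is a placeholder, not a real key
    key = _enc(0x30, _enc(2, b"\x00" + b"\xc3" * (bits // 8)) + _enc(2, b"\x01\x00\x01"))
    alg = _enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    p = base64.b64encode(_enc(0x30, alg + _enc(3, b"\x00" + key))).decode()
    return (f'default._domainkey\tIN\tTXT\t( "v=DKIM1; {tags}k=rsa; "\n'
            f'\t  "p={p[:200]}"\n\t  "{p[200:]}" )  ; ----- DKIM key default')
```

Calling audit() on the contents of a real selector file, for example default.txt, returns an empty list when the record matches the assumed policy.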
VERSION
This man page covers the version of opendkim-genkey that shipped with
version 2.11.0 of OpenDKIM.
COPYRIGHT
Copyright (c) 2007, 2008 Sendmail, Inc. and its suppliers. All rights
reserved.
Copyright (c) 2009, 2011-2013, The Trusted Domain Project. All rights
reserved.
SEE ALSO
opendkim(8), openssl(8)
RFC6376 - DomainKeys Identified Mail
The Trusted Domain Project opendkim-genkey(8)