dknewkey - Man Page

Generates new DKIM public/private key pairs




dknewykey generates new DKIM keys.

For RSA keys, it defaults to 2048 bit key size.  This is controlled by the BITS_REQUIRED variable. ed25519 keys do not have a variable size.

For RSA keys, it uses openssl to do the generation.  By default it assumes this is located at /usr/bin/openssl.  This is controlled by the OPENSSL_BINARY variable.  For ed25519 keys, PyNaCl (python-nacl in Debian and derivatives) is used.  For RSA keys k=sha256 is now included in the public DNS record to prevent inadvertent use with the now obsolete sha1 hash algorithm (See RFC 8301).

Usage [-h] [--ktype {rsa,ed25519}] key_name

mandatory positional arguments:

optional arguments:
 -h, --help            show this help message and exit
 --ktype {rsa,ed25519}
                       DKIM key type: Default is rsa

NOTE: Depending on the packaging and distribution, the exact path and name for the executable may vary.


This version of dknewkey was written by Brandon Long <>. It has been substantially rewritten by Scott Kitterman <>.

This man-page was created by Scott Kitterman <> and is licensed under the same terms as dkimpy.