opendkim-genkey - Man Page

Name

opendkim-genkey - DKIM filter key generation tool

Synopsis

opendkim-genkey [options]

Description

opendkim-genkey generates (1) a private key for signing messages using opendkim(8) and (2) a DNS TXT record suitable for inclusion in a zone file which publishes the matching public key for use by remote DKIM verifiers.

The filenames of these are based on the selector (see below); the private key will have a suffix of ".private" and the TXT record will have a suffix of ".txt".

Both long and short names are supported for most options.

Options

-a

(--append-domain) Appends the domain name (see -d below) to the label in the generated TXT record, followed by a trailing period.  By default it is assumed the domain name is implicit from the context of the zone file, and is therefore not included in the output.

-b bits

(--bits=n) Specifies the size of the key, in bits, to be generated.  The default is 1024, which is the value recommended by the DKIM specification.

-d domain

(--domain=string) Names the domain which will use this key for signing.  Currently only used in a comment in the TXT record file.  The default is "".

-D directory

(--directory=path) Instructs the tool to change to the named directory prior to creating files.  By default the current directory is used.

-h algorithms

(--hash-algorithms=name[:name[...]]) Specifies a list of hash algorithms which can be used with this key.  By default all hash algorithms are allowed.

--help

Print a help message and exit.

-n note

(--note=string) Includes arbitrary note text in the key record.  By default, no such text is included.

-r

(--restricted) Restricts the key for use in e-mail signing only.  The default is to allow the key to be used for any service.

-s selector

(--selector=name) Specifies the selector, or name, of the key pair generated.  The default is "default".

-S

(--[no]subdomains) Disallows subdomain signing by this key.  By default the key record will be generated such that verifiers are told subdomain signing is permitted.  Note that for backward compatibility reasons, -S means the same as --nosubdomains.

-t

(--[no]testmode) Indicates the generated key record should be tagged such that verifiers are aware DKIM is in test at the signing domain.

-v

(--verbose) Increase verbose output.

-V

(--version) Print version number and exit.
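The options above each change one tag in the published key record, and a record that goes into DNS with the wrong flags (test mode left on, no hash restriction, a key smaller than your policy allows) is a common operational slip. The following is an added example, not part of OpenDKIM: a small Python checker that reads a record in the layout opendkim-genkey writes to the ".txt" file, recovers the tag=value pairs, measures the RSA modulus inside p=, and reports the settings a reviewer would want to see before the record is published. It assumes the zone-file layout of SAMPLE_RECORD (constructed here to mirror that file: owner label, IN TXT, the value split across quoted strings, a trailing ";" comment) and the RFC 6376 key-record tags h=, p=, s= and t=; the embedded key is constructed with a modulus of a chosen bit length and is not a real key. The minimum key size is a parameter, since the page documents 1024 bits as the default.

```python
"""Lint the <selector>.txt record opendkim-genkey writes before it enters a zone file.
Added example, not part of OpenDKIM: assumes the zone-file layout of SAMPLE_RECORD
(constructed below) and the RFC 6376 tags h=, p=, s=, t=; the key is constructed."""
import base64
import re
from dataclasses import dataclass, field

_RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo (the base64-decoded p= value)."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = _tlv(body, 0)                 # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != _RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(body, pos)              # BIT STRING wrapping RSAPublicKey
    _, rsapub, _ = _tlv(bitstr, 1)              # skip the unused-bits byte
    _, modulus, _ = _tlv(rsapub, 0)             # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def _sample_spki(bits):
    """Constructed SPKI whose modulus has exactly `bits` bits (NOT a usable key)."""
    n = (1 << (bits - 1)) | 0x10001             # top bit set -> bit_length() == bits
    rsapub = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, _RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsapub))

# Constructed to mirror the layout of a <selector>.txt file: owner label, class,
# type, the record value split across quoted strings, and a trailing ';' comment.
SAMPLE_RECORD = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; s=email; t=y; "\n'
    '\t  "p=' + base64.b64encode(_sample_spki(1024)).decode() + '" )'
    "  ; ----- DKIM key default for example.com\n"
)

@dataclass
class DkimRecord:
    label: str
    tags: dict = field(default_factory=dict)

def parse_dkim_txt(text):
    """Split a zone-file TXT line into its owner label and the DKIM tag=value pairs."""
    label = text.split(None, 1)[0]
    value = "".join(re.findall(r'"([^"]*)"', text))   # join the quoted pieces
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return DkimRecord(label, tags)

def record_key_bits(rec):
    return rsa_modulus_bits(base64.b64decode(rec.tags["p"]))

def lint_record(rec, min_bits=2048):
    """Return the findings a reviewer would want before publishing; [] means clean."""
    out = []
    if not rec.tags.get("p"):
        out.append("p= is empty: the record revokes the selector instead of publishing a key")
    elif (bits := record_key_bits(rec)) < min_bits:
        out.append(f"key is {bits} bits, below the {min_bits}-bit minimum")
    flags = set(rec.tags.get("t", "").split(":")) - {""}
    if "y" in flags:                            # -t / --testmode
        out.append("t=y: test mode; verifiers must not treat a failed signature worse than unsigned mail")
    if "s" not in flags:                        # absent unless -S / --nosubdomains
        out.append("t=s absent: subdomain signing is permitted")
    if rec.tags.get("s", "*") != "email":       # -r / --restricted
        out.append("s= is not email: key is usable for any service")
    if "h" not in rec.tags:                     # -h / --hash-algorithms
        out.append("h= absent: any hash algorithm is accepted with this key")
    return out
```

Running `lint_record(parse_dkim_txt(open("default.txt").read()))` on a real selector file reports the 1024-bit default, t=y and the missing t=s for the sample above; raise or lower `min_bits` to match local policy. The DER walker is deliberately minimal (it only follows the one path from SubjectPublicKeyInfo to the modulus) so the check needs nothing beyond the standard library.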


Notes

Requires that the openssl(8) binary be installed and in the executing shell's search path.


Version

This man page covers the version of opendkim-genkey that shipped with version 2.11.0 of OpenDKIM.

See Also

opendkim(8), openssl(8)

RFC6376 - DomainKeys Identified Mail


Copyright

The Trusted Domain Project