NAME

       filter-dkimsign - add dkim signature to messages

SYNOPSIS

       filter-dkimsign [-tz] [-a algorithm] [-c canonicalization] [-h headers] [-x seconds]
                       -d domain -k file -s selector

DESCRIPTION

       filter-dkimsign adds a dkim signature to the message.  The following flags are supported:

       -a algorithm
               The algorithm to use.  Supported signing algorithms are rsa and ed25519 (when
               enabled at compile time).  Only sha256 should be used for hashing, since other
               algorithms are most likely not supported by verifiers.  Defaults to rsa-sha256.

       -c canonicalization
               The canonicalization algorithm used to sign the message.  Defaults to
               simple/simple.

       -d domain
               The domain where the public key can be found.  This option can be specified
               multiple times to select the best domain during signing.  If specified multiple
               times it looks at the domain component of the first mailbox in the from-header and
               tries to find a match.  If no exact match can be found it looks for the closest
               parent domain.  If no matches can be the first domain specified will be used.

       -h headers
               The email headers which are included in the mail signature.  Per RFC this option
               requires at least the from header to be included.  The headers are specified by
               separating them with a colon.  The default is from:reply-
               to:subject:date:to:cc:resent-date:resent-from:resent-to:resent-cc:in-reply-
               to:references:list-id:list-help:list-unsubscribe:list-subscribe:list-post:list-
               owner:list-archive.

       -k file file should point to a file containing the RSA private key to sign the messages.

       -s selector
               The selector within the _domainkey subdomain of domain where the public key can be
               found.

       -t      Add the time of signing to the dkim header.

       -x seconds
               Add the amount of seconds the signature is valid to the dkim header.

       -z      Add the mail headers used in the dkim signature to the dkim header.  If a second
               -z is specified all headers will be included in the dkim header.  Useful for
               debugging purposes.

SEE ALSO

       smtpd(8)

STANDARDS

       D. Crocker, Ed., T. Hansen, Ed., and M. Kucherawy, Ed., DomainKeys Identified Mail (DKIM)
       Signatures, RFC 6376, Brandenburg InternetWorking, AT&T Laboratories, and Cloudmark,
       September 2011.

       J. Levine, A New Cryptographic Signature Method for DomainKeys Identified Mail, RFC 8463,
       Taughannock Networks, September 2018.

AUTHORS

       Martijn van Duren <martijn@openbsd.org>