Provided by: opendkim-tools_2.11.0~beta2-7_amd64


       opendkim-genkey - DKIM filter key generation tool


       opendkim-genkey [options]


       opendkim-genkey generates (1) a private key for signing messages using opendkim(8) and (2)
       a DNS TXT record suitable for inclusion in a zone file which publishes the matching public
       key for use by remote DKIM verifiers.

       The  filenames of these are based on the selector (see below); the private key will have a
       suffix of ".private" and the TXT record will have a suffix of ".txt".

       Both long and short names are supported for most options.


       -a     (--append-domain) Appends the domain name (see  -d  below)  to  the  label  in  the
              generated  TXT record, followed by a trailing period.  By default it is assumed the
              domain name is implicit from the context of the zone file,  and  is  therefore  not
              included in the output.

       -b bits
              (--bits=n)  Specifies  the size of the key, in bits, to be generated.  The upstream
              default is 1024 which is the value recommended by the DKIM  specification,  but  in
              Debian the default is 2048 based on more current recommendations such as those from
              NIST 800-177.

       -d domain
              (--domain=string) Names the domain which will use this key for signing.   Currently
              only used in a comment in the TXT record file.  The default is "localhost".

       -D directory
              (--directory=path)  Instructs  the  tool  to change to the named directory prior to
              creating files.  By default the current directory is used.

       -h algorithms
              (--hash-algorithms=name[:name[...]])  Specifies a list of hash algorithms which can
              be  used  with this key.  Upstream, by default all hash algorithms are allowed, but
              in Debian this is restricted to sha256 based on NIST 800-177.

       --help Print a help message and exit.

       -n note
              (--note=string) Includes arbitrary note text in the key  record.   By  default,  no
              such text is included.

       -r     (--restrict)  Restricts  the key for use in e-mail signing only.  The default is to
              allow the key to be used for any service.

       -s selector
              (--selector=name) Specifies the selector, or name, of the key pair generated.   The
              default is "default".

       -S     (--[no]subdomains)  Disallows  subdomain  signing  by this key.  By default the key
              record will be  generated  such  that  verifiers  are  told  subdomain  signing  is
              permitted.   Note  that  for  backward  compatibility reasons, -S means the same as

       -t     (--[no]testmode) Indicates the generated key record  should  be  tagged  such  that
              verifiers are aware DKIM is in test at the signing domain.

       -v     (--verbose) Increase verbose output.

       -V     (--version) Print version number and exit.
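
An added example (not part of this man page or of OpenDKIM): a Python audit of the contents of a generated ".txt" record that reports which of the -b, -h, -t, -r and -S choices it reflects. It assumes the options appear as the RFC 6376 key record tags h=, s=, t= and p=; audit(), rsa_bits() and sample_txt() are hypothetical names, and the sample records are constructed with a modulus that is not a real key.

```python
import base64, re

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo RSA key (decoded p= value)."""
    seq, _ = _tlv(spki, 0)               # outer SEQUENCE
    _, alg_end = _tlv(spki, seq)         # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(spki, alg_end)      # BIT STRING wrapping RSAPublicKey
    rsa, _ = _tlv(spki, bitstr + 1)      # +1 skips the unused-bits octet
    start, end = _tlv(spki, rsa)         # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def audit(txt_file):
    """Return (key_bits, findings) for the text of a <selector>.txt file."""
    record = "".join(re.findall(r'"([^"]*)"', txt_file))  # join quoted chunks
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    flags = tags.get("t", "").split(":")
    bits = rsa_bits(base64.b64decode(tags["p"]))
    checks = [
        (bits < 2048, f"{bits}-bit key, below 2048 (-b)"),
        ("sha1" in tags.get("h", "sha1:sha256").split(":"), "sha1 allowed (-h)"),
        ("y" in flags, "test mode flag set (-t)"),
        (tags.get("s", "*") != "email", "usable for any service (no -r)"),
        ("s" not in flags, "subdomain signing permitted (no -S)"),
    ]
    return bits, [msg for hit, msg in checks if hit]

def _der(tag, body):  # minimal DER encoder, used only to build the sample
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if n < 128 else bytes([0x80 | len(raw)]) + raw) + body

def sample_txt(bits, tag_text):
    """Constructed input: valid DER layout, but the modulus is not a real key."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return f'default._domainkey IN TXT ( "v=DKIM1; {tag_text}k=rsa; " "p={p}" )'

if __name__ == "__main__":
    print(audit(sample_txt(1024, "t=y; ")))
    print(audit(sample_txt(2048, "h=sha256; s=email; t=s; ")))
```

The 2048-bit threshold follows the Debian default described under -b; the last two findings are informational and depend on whether the key is meant for non-mail services or subdomains.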


       Requires that the openssl(8) binary be installed and in the executing shell's search path.


       This  man  page  covers the version of opendkim-genkey that shipped with version 2.11.0 of


       Copyright (c) 2007, 2008 Sendmail, Inc. and its suppliers.  All rights reserved.

       Copyright (c) 2009, 2011-2013, The Trusted Domain Project.  All rights reserved.


       opendkim(8), openssl(8)

       RFC6376 - DomainKeys Identified Mail

                                    The Trusted Domain Project                 opendkim-genkey(8)