

Manvendra Bhangui edited this page May 7, 2023 · 9 revisions


dknewkey - create a new domain key


dknewkey [-t type] [-d domain | --domain domain] [-b | --bits bits] [-f | --force] [-e | --enforce] selector


dknewkey [-p | --print] [-d domain | --domain domain] [selector]


dknewkey [-r | --remove] [-d domain | --domain domain] selector


dknewkey generates new DKIM keys and prints the associated DNS record (public key) on stdout. For RSA keys, it defaults to a 2048-bit key size. This is controlled by the bits variable. ed25519 keys do not have a variable size. For RSA keys, k=sha256 is now included in the public DNS record to prevent inadvertent use with the now obsolete sha1 hash algorithm (see RFC 8301).

selector is the file which will hold the private key. Additionally, a file containing the public key will be created. bits is the number of bits in the key. If not specified, it defaults to 1024. To implement domainkeys, you can use envrules in qmail-smtpd or spawn-filter to set the DKSIGN, DKIMSIGN variables to the path of the signature file holding the private key.

dknewkey uses the following openssl commands to generate the private/public keys:

  • openssl genrsa -out selector bits # for RSA

  • openssl genpkey -algorithm Ed25519 -out selector # for Ed25519

  • openssl rsa -in selector -out <public-key-file> -pubout -outform PEM


-p | --print
print DKIM public key for selector selector, domain domain. If selector is not provided, all selectors will be printed. If domain is not provided, all selectors for all domains will be printed.

-r | --remove
Remove DKIM keys for selector selector, domain domain.

-t type | --type type
Key type to use for cryptography method. Valid values are rsa and ed25519. Defaults to rsa.

-d domain | --domain domain
Domain name for the DKIM key. The private key file selector and the public key file will be created in the directory /etc/indimail/control/domainkeys/domain.

If this is not specified, the private key file selector and the public key file will be created in the directory /etc/indimail/control/domainkeys.

-b | --bits keysize
Specify the key size for the DKIM record. Default is 1024.

-f | --force
Force creation of the DKIM key even if it exists. Without this, dknewkey will not overwrite an existing DKIM key.

-e | --enforce
Create a production key. This will not have the t=y in the selector record.
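
The key generation and options described above, as an added shell example (not dknewkey's own code): it creates a key with the same openssl commands, refuses to overwrite an existing key, and builds the TXT value with or without t=y. The function names and the RFC 6376 / RFC 8463 tag layout are assumptions and are not taken from dknewkey's output.

```shell
#!/bin/sh
# Added example; not dknewkey's own code. Function names are hypothetical.

# gen_dkim_key KEYFILE rsa|ed25519 [BITS]
# Refuses to overwrite an existing key (the behaviour described for dknewkey without -f).
gen_dkim_key() {
    keyfile=$1; ktype=$2; bits=${3:-2048}
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    (
        umask 077    # private key must be readable by its owner only
        case $ktype in
            rsa)     openssl genrsa -out "$keyfile" "$bits" 2>/dev/null ;;
            ed25519) openssl genpkey -algorithm Ed25519 -out "$keyfile" ;;
            *)       echo "unknown key type: $ktype" >&2; exit 1 ;;
        esac
    )
}

# dkim_txt_value KEYFILE rsa|ed25519 [enforce]
# Prints the TXT value to publish at <selector>._domainkey.<domain>.
# Assumption: tag layout per RFC 6376 / RFC 8463, not copied from dknewkey output.
# In a zone file, a value longer than 255 bytes must be split into several strings.
dkim_txt_value() {
    keyfile=$1; ktype=$2; mode=${3:-test}
    case $ktype in
        rsa)
            # p= is the base64 of the DER SubjectPublicKeyInfo
            pub=$(openssl rsa -in "$keyfile" -pubout -outform DER 2>/dev/null |
                  openssl base64 -A)
            tags="k=rsa; h=sha256" ;;    # h= restricts the key to sha256 (RFC 8301)
        ed25519)
            # p= is the raw 32-byte key: the last 32 bytes of the 44-byte DER
            pub=$(openssl pkey -in "$keyfile" -pubout -outform DER |
                  tail -c 32 | openssl base64 -A)
            tags="k=ed25519" ;;
        *)  echo "unknown key type: $ktype" >&2; return 1 ;;
    esac
    [ -n "$pub" ] || return 1
    # t=y marks the key as being in test mode; omit it for a production key
    if [ "$mode" != enforce ]; then tags="$tags; t=y"; fi
    printf 'v=DKIM1; %s; p=%s\n' "$tags" "$pub"
}
```

Source the file, then run `gen_dkim_key ./default rsa 2048` followed by `dkim_txt_value ./default rsa` for a test-mode value, or add `enforce` as the last argument for a production one.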


qmail-dkim(8), qmail-smtpd(8), qmail-queue(8), spawn-filter(8), dkim(8), openssl(1)
