This page documents PhoenixDKIM, a maintained fork of OpenDKIM. Options may differ from the original.
NAME
phoenixdkim-genkey - DKIM filter key generation tool
SYNOPSIS
phoenixdkim-genkey [options]
DESCRIPTION
phoenixdkim-genkey generates (1) a private key for signing messages using phoenixdkim(8) and (2) a DNS TXT record suitable for inclusion in a zone file which publishes the matching public key for use by remote DKIM verifiers.
The filenames are based on the selector (see -s below); the private key will have a suffix of ".private" and the TXT record will have a suffix of ".txt".
After the key is generated, the SHA-256 fingerprint of the public key is printed to standard output and recorded as a comment at the top of the ".txt" file. This is the SPKI fingerprint (the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, base64-encoded and prefixed with "SHA256:"), the same value reported by ssh-keygen -l. It allows the published DNS record to be cross-checked against the key that was generated without decoding the base64 "p=" value by hand.
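The following Python is an added example, not part of PhoenixDKIM or of this manual: it recomputes the fingerprint described above from the "p=" value of a published record so the result can be compared with the "SHA256:" comment at the top of the ".txt" file. The sample record and its key bytes are constructed, and wrapping a raw Ed25519 key in the fixed SubjectPublicKeyInfo prefix before hashing is an assumption about how Ed25519 keys are fingerprinted.

```python
import base64
import hashlib
import re

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410): SEQUENCE {
# SEQUENCE { OID 1.3.101.112 }, BIT STRING of 32 bytes, 0 unused bits }.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Constructed sample in the zone-file form a ".txt" file uses. The key is a
# fixed byte pattern (0x00..0x1f), not a real deployed key.
SAMPLE_RECORD = (
    'default._domainkey IN TXT ( "v=DKIM1; k=ed25519; "\n'
    '  "p=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=" )'
)

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo, base64 without '=' padding,
    prefixed with 'SHA256:' (the ssh-keygen -l presentation)."""
    digest = hashlib.sha256(spki_der).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_dkim_txt(record: str) -> dict:
    """Split a DKIM key record (RFC 6376 section 3.6.1) into tag=value pairs.
    Zone files break long strings into quoted chunks; join them first, and
    drop whitespace inside values (RFC 6376 allows folding within p=)."""
    chunks = re.findall(r'"([^"]*)"', record)
    joined = "".join(chunks) if chunks else record
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def fingerprint_from_record(record: str) -> str:
    """Fingerprint of the key published in a DKIM TXT record."""
    tags = parse_dkim_txt(record)
    pub = base64.b64decode(tags["p"])
    if tags.get("k", "rsa") == "ed25519":
        # RFC 8463: p= carries the raw 32-byte key, not an SPKI structure,
        # so wrap it in the fixed SPKI prefix (assumed) before hashing.
        if len(pub) != 32:
            raise ValueError("ed25519 p= must decode to 32 bytes")
        pub = ED25519_SPKI_PREFIX + pub
    return spki_fingerprint(pub)

if __name__ == "__main__":
    # Compare this against the "SHA256:..." comment in the .txt file.
    print(fingerprint_from_record(SAMPLE_RECORD))
```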
Both long and short names are supported for most options.
OPTIONS
-a
(--append-domain) Appends the domain name (see -d below) to the label in the generated TXT record, followed by a trailing period. By default it is assumed the domain name is implicit from the context of the zone file, and is therefore not included in the output.
-b bits
(--bits=n) Specifies the size of the RSA key to be generated, in bits. Ignored when generating Ed25519 keys. The minimum accepted value is 2048. The default is 2048. Use 4096 for new deployments.
-d domain
(--domain=string) Names the domain which will use this key for signing. Used in a comment in the TXT record file.
-D directory
(--directory=path) Instructs the tool to change to the named directory prior to creating files. By default the current directory is used.
-h algorithms
(--hash-algorithms=name[:name[...]]) Specifies a list of hash algorithms which can be used with this key. By default all hash algorithms are allowed.
--help
Print a help message and exit.
-n note
(--note=string) Includes arbitrary note text in the key record. By default, no such text is included.
-r
(--restrict) Restricts the key for use in e-mail signing only. The default is to allow the key to be used for any service.
-s selector
(--selector=name) Specifies the selector, or name, of the key pair generated. The default is "default".
-S
(--[no]subdomains) Disallows subdomain signing by this key. By default the key record will be generated such that verifiers are told subdomain signing is permitted.
-t
(--[no]testmode) Indicates the generated key record should be tagged such that verifiers are aware DKIM is in test at the signing domain.
--type=algorithm
Specifies the key type to generate. Supported values are rsa (default) and ed25519 (per RFC 8463). When generating an Ed25519 key the -b (bits) option is ignored; Ed25519 keys are always 256 bits.
Note: this option has no short form; -t is already taken by --testmode.
-v
(--verbose) Increases the verbosity of the output.
-V
(--version) Print version number and exit.
VERSION
This man page covers the version of phoenixdkim-genkey that shipped with version 1.0.0 of PhoenixDKIM.
COPYRIGHT
Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers.
Copyright (c) 2009-2015, The Trusted Domain Project.
Copyright (c) 2026, PhoenixDKIM contributors.
All rights reserved.
SEE ALSO
phoenixdkim(8), phoenixdkim-testkey(8), phoenixdkim-genzone(8), phoenixdkim.conf(5)
RFC 6376 - DomainKeys Identified Mail
RFC 8463 - A New Cryptographic Signature Method for DomainKeys Identified Mail (Ed25519)
This document was generated from the PhoenixDKIM 1.0.0 manual pages using groff.
Time: Thu Jun 4 22:15:06 2026