PhoenixDKIM

A security-focused DKIM signing and verification milter.


This page documents PhoenixDKIM, a maintained fork of OpenDKIM. Options may differ from the original.

NAME

phoenixdkim-testkey - DKIM filter installation test

SYNOPSIS

phoenixdkim-testkey [-d domain] [-s selector] [-k keypath] [-v] [-x configfile]

DESCRIPTION

phoenixdkim-testkey verifies the setup of signing and verifying (private and public) keys for use with phoenixdkim(8).

The test program will read a domain name and selector from the command line, configuration file or a key table, then query and parse the resulting DKIM key(s), reporting any errors found.

If a key path is also provided, the test program will read the private key named and attempt to confirm that the private key specified by keypath (or in the key table) and the public DKIM key retrieved from DNS match.

BATCH (WHOLE KEYTABLE) MODE

When a KeyTable is configured and none of -d, -s or -k is given on the command line, every entry in the key table is tested in turn rather than a single domain/selector pair. Each key is checked exactly as in single-key mode (its public record is retrieved and, where a key file is named, compared against the private key). With -v a one-line summary reporting the number of keys checked and the pass and fail counts is printed at the end.

The exit status summarises the batch: it is EX_OK (0) only if every key passed, and EX_DATAERR (65) if any key failed. This makes the whole-table run suitable for deployment verification and cron-driven monitoring without having to loop over domains externally.

OPTIONS

-d domain

Names the domain in which signing is to be done. More specifically, names the domain in which the public key matching the provided private key will be found. This parameter must be provided either explicitly, in the configuration file, or via a KeyTable (see phoenixdkim.conf(5) for details).

-k keypath

Specifies the path to the private key file which should be used for this test. This parameter is optional.

-s selector

Names the selector within the specified domain whose public key should be retrieved and tested, comparing it to the private key if provided. This parameter must be provided either explicitly, in the configuration file, or via a KeyTable (see phoenixdkim.conf(5) for details).

-v

Increases verbosity. May be specified multiple times.

-x conffile

Names a configuration file to be parsed. See phoenixdkim.conf(5) for details. The values used are Domain, Selector, KeyFile, KeyTable, TrustAnchorFile and ResolverConfig. The default is /etc/phoenixdkim/phoenixdkim.conf.

NOTES

The test program will also complain if a private key file is readable by anyone other than the user executing the program.

Both RSA and Ed25519 private keys are supported.

VERSION

This man page covers the version of phoenixdkim-testkey that shipped with version 1.0.0 of PhoenixDKIM.

COPYRIGHT

Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers.
Copyright (c) 2009-2015, The Trusted Domain Project.
Copyright (c) 2026, PhoenixDKIM contributors.
All rights reserved.

SEE ALSO

phoenixdkim(8), phoenixdkim-genkey(8), phoenixdkim.conf(5)

RFC 6376 - DomainKeys Identified Mail

RFC 8463 - A New Cryptographic Signature Method for DomainKeys Identified Mail (Ed25519)


This document was generated from the PhoenixDKIM 1.0.0 manual pages using groff.
Time: Thu Jun 4 22:15:06 2026