s/qmail:

Section: Misc. Reference Manual Pages (qmail-dkim)
Updated: 8
Index Return to Main Contents
 

NAME

qmail-dkim - libdkim implementation for s/qmail  

SYNOPSIS

qmail-dkim [ -h -v -V -s[ecckey] -b[1|2|3] -c[s|t|u] -d domain -i identity -l -q -t -x expire_time -y selector -Y selector2 -z[1|2|3|4|5] ] in_message RSA_private_key out_message Ed25519_private_key  

DESCRIPTION

qmail-dkim is the implementation of libdkim for s/qmail providing API compatibility and supporting RSA and Ed25519 DKIM signatures in single or hybrid mode. In hybrid mode, two private keys and two selectors need to be provided. qmail-dkim supports distinct operations:
qmail-dkim -s in_message RSA_private_key out_message
DKIM signes in_message with the given private_key and returns out_message.
qmail-dkim -s in_message RSA_private_key out_message Ed255_private_key
signs in_message with both a RSA RSA_private_key and a Ed25519_private_key. Here, the RSA default selector is default and the Ed25519 default selector is eddy; both subject of change.
qmail-dkim -v in_message
verifies the in_message.
 

DKIM FORMATS

DKIM needs a common understanding of the attributes subject for signing and verification. The following attributes can be set:
-c
is the 'canonicalization', thus how a validiation client should deal with signature verification of the message headers and/or body. Here, the choices are given via an appended character: r relax on header, s simple (strict) on message body, t relax/simple, or eventually u simple relaxed. Finally, the hash function to be used in the signature can be given as
-z
following either with 1 using sha1, or 2 using sha256, or finally as default 3 providing both signature values in the mail header. 4 telling qmail-dkim to use the Ed25519 signature scheme. 5 allows qmail-dkim to attach both a RSA-SHA256 as well as a Ed25519 signature to the message, which considered to be a hybrid mode.

 

DKIM SIGNING

qmail-dkim will include (several) message headers detailing the DKIM signature with at least the following fields:
a
=<signature type>
c
=<used canoncicalization>
s
=<selector>
d
=<identity>
i
=<identifier>
h
=<included header1:header2:...>
bh
=<hash of the canonicalized body until its upper limit length; if given>
b
=<base64 encoded signature>

Additional settings can be achieved using the following options:

-d domain
is the signer's domain name and together with the prepended
-y selector
it is used for the DNS TXT lookup of the public key; supporting mainly key roll-over. The first selector is used for RSA signatures.
-Y selector2
Same as -y but now for Ed25519 signatures.
-I identifier
giving an additional hint about the agent or identifier responsible for the signing like 'postmaster@domain'; defaults to domain.
-t expire_time
given in seconds, tells how log the signature is valid. It defaults to 604800 secconds (seven days).

Further, some more option fields can be displayed in the header:

-l
include a body length tag.
-q
include the query method tag.

 

DKIM VERIFICATION

qmail-dkim as invoked by qmail-dkverify extracting the received DKIM header fields, and following the signature verification procedure as given here, while fetching the signer's public key using a DNS TXT lookup. Now, the respective header lines, and/or the message body will be hashed and compared against the values taken from the signatures.

The results will be indicated by either return code 0 in case of success, 1 in case of mismatch, or -1 if other failures were encountered.

Given the call argument

-v
qmail-dkim will provide the DKIM results pass or fail including verbose reasons on the commmand line. This is the legacy mode.

Rather, invoking qmail-dkim with argument

-V
it communicates the results over a file interface to be picked up by qmail-dkverify.

 

SEE ALSO

qmail-queue(8), qmail-remote(8), qmail-dksign(8), qmail-dkverify(8), qmail-send(8), qmail-log(5).


 

Index

NAME
SYNOPSIS
DESCRIPTION
DKIM FORMATS
DKIM SIGNING
DKIM VERIFICATION
SEE ALSO

This document was created by man2html, using the manual pages.
Time: 16:40:05 GMT, September 13, 2025