s/qmail:

Section: Misc. Reference Manual Pages (qmail-dkim)
Updated: 8
Index Return to Main Contents

NAME

qmail-dkim - libdkim implementation for s/qmail

SYNOPSIS

qmail-dkim [ -h -v -V -s[ecckey] -b[1|2|3] -c[s|t|u] -d domain -i identity -l -q -t -x expire_time -y selector -Y selector2 -z[1|2|3|4|5] ] in_message RSA_private_key out_message Ed25519_private_key

DESCRIPTION

qmail-dkim is the implementation of libdkim for s/qmail providing API compatibility and supporting RSA and Ed25519 DKIM signatures in single or hybrid mode. In hybrid mode, two private keys and two selectors need to be provided. qmail-dkim supports distinct operations:

qmail-dkim -s in_message RSA_private_key out_message: DKIM signes in_message with the given private_key and returns out_message.
qmail-dkim -s in_message RSA_private_key out_message Ed255_private_key: signs in_message with both a RSA RSA_private_key and a Ed25519_private_key. Here, the RSA default selector is default and the Ed25519 default selector is eddy; both subject of change.
qmail-dkim -v in_message: verifies the in_message.

DKIM FORMATS

DKIM needs a common understanding of the attributes subject for signing and verification. The following attributes can be set:

-c: is the 'canonicalization', thus how a validiation client should deal with signature verification of the message headers and/or body. Here, the choices are given via an appended character: r relax on header, s simple (strict) on message body, t relax/simple, or eventually u simple relaxed. Finally, the hash function to be used in the signature can be given as
-z: following either with 1 using sha1, or 2 using sha256, or finally as default 3 providing both signature values in the mail header. 4 telling qmail-dkim to use the Ed25519 signature scheme. 5 allows qmail-dkim to attach both a RSA-SHA256 as well as a Ed25519 signature to the message, which considered to be a hybrid mode.

DKIM SIGNING

qmail-dkim will include (several) message headers detailing the DKIM signature with at least the following fields:

a: =<signature type>
c: =<used canoncicalization>
s: =<selector>
d: =<identity>
i: =<identifier>
h: =<included header1:header2:...>
bh: =<hash of the canonicalized body until its upper limit length; if given>
b: =<base64 encoded signature>

Additional settings can be achieved using the following options:

-d domain: is the signer's domain name and together with the prepended
-y selector: it is used for the DNS TXT lookup of the public key; supporting mainly key roll-over. The first selector is used for RSA signatures.
-Y selector2: Same as -y but now for Ed25519 signatures.
-I identifier: giving an additional hint about the agent or identifier responsible for the signing like 'postmaster@domain'; defaults to domain.
-t expire_time: given in seconds, tells how log the signature is valid. It defaults to 604800 secconds (seven days).

Further, some more option fields can be displayed in the header:

-l: include a body length tag.
-q: include the query method tag.

DKIM VERIFICATION

qmail-dkim as invoked by qmail-dkverify extracting the received DKIM header fields, and following the signature verification procedure as given here, while fetching the signer's public key using a DNS TXT lookup. Now, the respective header lines, and/or the message body will be hashed and compared against the values taken from the signatures.

The results will be indicated by either return code 0 in case of success, 1 in case of mismatch, or -1 if other failures were encountered.

Given the call argument

-v: qmail-dkim will provide the DKIM results pass or fail including verbose reasons on the commmand line. This is the legacy mode.
Rather, invoking qmail-dkim with argument
-V: it communicates the results over a file interface to be picked up by qmail-dkverify.

This document was created by man2html, using the manual pages.
Time: 16:40:05 GMT, September 13, 2025