The filter(1) man page states:

upas/dkim -d domain -s selector

Dkim Takes a mail message as standard input, and signs a selection of headers and the body of the message. The -d flag specifies the domain, and the -s flag specifies the selector. If the selector is not specified, it defaults to dkim. The keyspec searched for the signing key is:

proto=rsa service=dkim role=sign hash=sha256 domain=$domain

First, we create the dkim key, then load it into factotum:

; ramfs -p ; cd /tmp ; auth/rsagen -b 2048 -t 'service=dkim role=sign hash=sha256 domain=example.com owner=*' > dkim.key ; cat dkim.key > /mnt/factotum/ctl

Next we generate the public key in ASN.1 notation:

pubkey=`{ auth/rsa2asn1 -f spki < dkim.key | \ auth/pemencode DKIMKEY | \ grep -v 'DKIMKEY' | \ ssam 'x/\n/d' }

Next, we add the DNS records to /lib/ndb/local:

domain=example.com ipaddr=198.51.100.2 echo 'dom=dkim._domainkey.'$domain' soa= ip='$ipaddr' refresh=300 ttl=300 ns=ns1.'$domain' txt="k=rsa; t=s; p='$pubkey" \ >> /lib/ndb/local

Replace example.com with your actual domain, and replace 198.51.100.2 with your actual IP address.

Next, in line 4 of /mail/lib/qmail, replace upas/vf with a call to upas/dkim:

ssam '4s_upas/vf_upas/dkim -d example.com_' /mail/lib/qmail

Note that emails must be properly RFC formatted in order for dkim signing to be valid.

This guide was written thanks to ori@eigenstate.org's instructions (https://inbox.vuxu.org/9front/C4455EEBFA462747FC56BA7BB611E5F6@eigenstate.org)

Last modified Wed Feb 18 18:16:32 PST 2026

[ Current version | History | Create a new page ]

About the server |