Information describing the creation of DKIM keys and the configuration of DNS to enable DKIM signing is found at the DKIM website.  Please see http://www.dkim.org/#specifications for the official DKIM documentation.

12.1.1 Creating a DKIM Key Pair


It is quite simple to create a DKIM key pair. There are websites where you can enter the basic information (selector and domain name) and the website will generate the key pair for you. However, it is questionable whether such sites will actually guarantee the confidentiality of the private keys they generate, so this may or may not be the best route for your site.

The simplest way to generate a DKIM key pair is to log into a Unix machine that has OpenSSL installed, and issue the following commands in a terminal window.

Important: Please determine what version of OpenSSL you are using before creating your keys.  This can be done by issuing the command


openssl version


at an operating system shell prompt.  


If your OpenSSL version is 1.x:

$ openssl genrsa -out rsa.private 1024


$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM


If your OpenSSL version is 3.x:

$ openssl genrsa -out rsa.private -traditional 1024


$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM


       

In either case, running these commands should result in two files being created:  rsa.private and rsa.public.  The private key will be a PKCS#1 private key which starts with 

-----BEGIN RSA PRIVATE KEY-----


and ends with 

-----END RSA PRIVATE KEY-----

Important: If your keys start with "BEGIN PRIVATE KEY" and end with "END PRIVATE KEY" (that is, with no "RSA") then you have generated PKCS#8 keys which LISTSERV cannot use and which will throw an error when LISTSERV attempts to read them.  This is due to creating the keys using OpenSSL 3.x without the "-traditional" flag as documented above.

Note that you cannot simply edit the banners to fix this.  PKCS#8 keys will have to be regenerated from scratch as PKCS#1 "traditional" keys.


The rsa.private file contains your private key, which will be used below to create the DKIM file for LISTSERV; the rsa.public file contains the corresponding public key, which will be used to create the DNS TXT record you need for DKIM.
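
The banner check described above can be scripted before the key is handed to LISTSERV. The following is an added example, not part of the LISTSERV documentation; the function names pem_key_format and check_dkim_private_key are hypothetical, and the owner-only permission check is an extra precaution not stated in this section.

```sh
#!/bin/sh
# Added example: classify a PEM private key by its banner lines and
# flag a key file that group or other users can access.

# Print pkcs1, pkcs8, pkcs8-encrypted or unknown for the PEM file in $1.
pem_key_format() {
    # First and last non-blank lines, with CRs and trailing blanks removed.
    first=$(tr -d '\r' < "$1" | sed -n '/[^[:space:]]/{s/[[:space:]]*$//;p;q;}')
    last=$(tr -d '\r' < "$1" | sed -n '/[^[:space:]]/h;${g;s/[[:space:]]*$//;p;}')
    case "$first|$last" in
        "-----BEGIN RSA PRIVATE KEY-----|-----END RSA PRIVATE KEY-----")
            echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----")
            echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----|-----END ENCRYPTED PRIVATE KEY-----")
            echo pkcs8-encrypted ;;
        *)  echo unknown ;;   # includes mismatched (hand-edited) banners
    esac
}

# Return 0 if $1 is a PKCS#1 key with owner-only permissions,
# 1 for the wrong format, 2 for loose permissions, 3 if unreadable.
check_dkim_private_key() {
    [ -r "$1" ] || { echo "$1: cannot read file" >&2; return 3; }
    fmt=$(pem_key_format "$1")
    if [ "$fmt" != pkcs1 ]; then
        echo "$1: format is $fmt, not PKCS#1; regenerate with -traditional" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "$1: accessible by group or others; use chmod 600" >&2
        return 2
    fi
    echo "$1: PKCS#1 private key, owner-only permissions"
}

# Constructed sample: PKCS#8 banners around a placeholder body (not a real key).
demo=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$demo"
check_dkim_private_key "$demo" || echo "check failed with status $?"
rm -f "$demo"
```

To check the key generated above, run check_dkim_private_key rsa.private after sourcing the functions.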