LISTSERV’s DKIM support is configured by doing two things. 

    1. Supply one or more private keys. 

Each private key is stored as a text file in LISTSERV’s main or home directory (that is, the directory where the *.list files are) and must be named xxx.dkim, where xxx is the arbitrary name you choose to give the key. If you only use one key, it is recommended to name it default.dkim.

The file is created in the usual openssl/RSA format, with one minor modification. Here is an example (not a real key, don't use it):

d=listserv.example.com; s=default
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5OQaM00v83IRuk
jSq4pPvAhsHKSCacVCHp91O1RigBB/C+UXzPO+N1+hZ55ZXS8MPGPgaV9VM1EysE
dyfm2Y/rn935GGJwtm67fz+6dyKkCAzLsMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQAB
AoGBALY1V8WARe+XNzqlmBnHMwIjOCSj2Irnu3io90vM5OStE56PFxvTptxCGBc+
BGYKF6BFtcjWhEeQETW5Y9PcHWbj3O2OSrhk9sPQHZCW46J0IVpP0vRHyrK4o+zX
CbHkFEJZFSBN2IquUR5m9Yqb5dqQPRf/7lGAQpVrd03wiX4RAkEA8jRE3CFfh7I5
idx1q2ohBEh2rPHioDONOTUSETHISKEYITISANEXAMPLEONLYPhcwoDjQQ/EqIUS
wezkWNX2zQJBAOiJGr7tzHY2Cg4ftfl1DJYXNkRtsR4ZoVsgcjhPVTLScfG7nOFL
pMCKE5ChYFkbYmh5knhOsYrZgBqPDxe8MBMCQFY3dv+pPZlPPx4tBRIUwFYG+X/M
xvGpwDhMaYIm5fmlwBLCBnHt8Z+kEGVwKbabVUkcLHUmYjOe0zOHAS4CVE0CQHSA
9MCCHfV//6ux4Zd5OHQebxb7qki9aKVibTefL72FyIbni6MpJgM9aq4E3GPon3Ze
qq7SJou9izxDPrmSlLcCQBG0OYhOQWank6kWaziTY/K93vGyHQOqUM425iLQdWWu
DHj08akKRILiTXhUYgQA9/fE/ncalK4ChvsVG0bqXZ0=
-----END RSA PRIVATE KEY-----


The first line in the file must include a specification for the ‘d=’ and ‘s=’ parameters of the DomainKeys signature (in whatever order, as long as they are both there). Per the DKIM documentation, these variables specify the domain for which you are signing (“d=”) and the “selector” that is used to form the query for the public key (“s=”). For instance, let’s say that your public key is registered as follows in the DNS:

default._domainkey.listserv.example.com IN TXT “g=; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5ODONOTUSETHISKEYITISANEXAMPLEONLY91O1RigBB/C+UXzPO+N1+hZ55ZXS8MPGPgaV9VM1EysEdyfm2Y/rn935GGJwtm67fz+6dyKkCAzLsMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQAB”


The selector is “default” and the domain is “listserv.example.com”.

Important: Again, please remember that the public and private keys in these examples are purposefully invalid and cannot be used to create a live DKIM configuration for LISTSERV.


    1. Supply a DKIM_SIGN Configuration Variable

In your site configuration file, add a DKIM_SIGN= variable containing a blank-separated list of domains that you are able and willing to sign for. You can use wildcards, but only of the form ‘*.EXAMPLE.COM’. You can’t use, for instance, ‘SALES.EXAMPLE.*’. For each entry in the list, specify the key to be used, as follows:

DKIM_SIGN=EXAMPLE.COM *.EXAMPLE.COM EXAMPLE.CA(CA) *.EXAMPLE.CA(CA)


In the example we have been using above, our DKIM_SIGN variable would be

DKIM_SIGN=LISTSERV.EXAMPLE.COM


(Under unix, don’t forget to export DKIM_SIGN .)

By default, the key called DEFAULT is used (if one exists). So, in the sample above, the key for EXAMPLE.COM will be fetched from DEFAULT.DKIM whereas the key for EXAMPLE.CA will come out of CA.DKIM.