Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  DKIMPROXY_OUT (8)

.ds Aq ’


dkimproxy.out - SMTP proxy for adding DKIM signatures to email



  dkimproxy.out [options] --keyfile=FILENAME --selector=SELECTOR \
    smtp options:

    signing options:

    daemon options:

  dkimproxy.out --help
    to see a full description of the various options


This is the outbound part of DKIMproxy, used for adding DKIM/DomainKey signatures to outbound email messages. This program listens on a particular TCP port (specified by the listen option), and sends the traffic it receives on to a destination TCP address/port (specified by the relay option), with messages getting modified to have a DKIM and/or DomainKeys signature added.

DKIMproxy offers a number of options that determine how it generates signatures for the messages it processes. It can also vary its behavior according to the sender of the message it is processing. Read about the sender map file if you want to vary behavior according to sender.


--daemonize If specified, the server will run in the background.
--domain=DOMAIN This argument serves two purposes. First, it selects which messages (of all those DKIMproxy sees) that should be signed. Second, it specifies what d= value to put in the generated signatures.

You can specify multiple domains by separating them with commas. If only one domain is specified, DKIMproxy will sign ALL messages, and it will use the specified domain as the d= value of all generated signatures.

If two or more domains are specified, DKIMproxy will only sign messages which have a sender matching one of these domains. It will use the matched domain as the d= value of the generated signature.

Please note that the d= value of the generated signature can also be specified using signature options (see "SIGNATURE OPTIONS). The signature options will override the value specified here."

Therefore, if you want to sign all messages, and you are specifying a d= value as part of the signature argument, or within a sender map file or list-id map file, you can omit the domain argument.

--group=GROUP If specified, the daemonized process will setgid() to the specified GROUP.
--identity=IDENTITY If specified, any DKIM signature created will have an i= argument containing the value specified.
--keyfile=FILENAME This is a required argument. Use it to specify the filename containing the private key used in signing outgoing messages. For messages to verify, you will need to publish the corresponding public key in DNS, using the selector name specified by --selector, under the domain(s) specified in --domain.
--listid_map=FILENAME If specified, the named file provides signature parameters depending on the List-Id header found in the message. Use this if your mail server sends out mailing list messages and you want to generate different signatures depending on which mailing list is sending messages. See the section below titled LIST-ID MAP FILE.
--method=simple|relaxed|nofws This option specifies the canonicalization algorithm to use for signing messages. For DKIM signatures, the options are simple, relaxed, and relaxed/relaxed; the default is relaxed. For DomainKeys signatures, the options are simple and nofws; the default is nofws.
--pidfile=PIDFILE Creates a PID file (a file containing the PID of the process) for the daemonized process. This makes it possible to check the status of the process, and to cleanly shut it down.
--reject-error This option specifies what to do if an error occurs during signing of a message. If this option is specified, the message will be rejected with an SMTP error code. This will result in the MTA sending the message to try again later, or bounce it back to the sender (depending on the exact error code used). If this option is not specified, the message will be allowed to pass through without having a signature added.

The most common cause of an error when signing a message is if the signature options are improperly configured.

--selector=SELECTOR This is a required argument. Use it to specify the name of the key selector.
--sender_map=FILENAME If specified, the named file provides signature parameters depending on what sender is found in the message. See the section below titled SENDER MAP FILE.
--signature=dkim|domainkeys This specifies what type of signature to add. Use dkim to sign with IETF-standardized DKIM signatures. Use domainkeys to sign with the older, but more common, Yahoo! DomainKeys signatures. The default is dkim.

This parameter can be specified more than once to add more than one signature to the message. In addition, per-signature parameters can be specified by enclosing the comma-separated options in parenthesis after the signature type, e.g.


The syntax for specifying per-signature options is described in more detail in the section below titled SIGNATURE OPTIONS.

--user=USER If specified, the daemonized process will setuid() to USER after completing any necessary privileged operations, but before accepting connections.


For example, if dkimproxy.out is started with:

  dkimproxy.out --keyfile=private.key --selector=postfix \

the proxy will listen on port 10027 and send the signed messages to some other SMTP service on port 10028.


Parameters can be stored in a separate file instead of specifying them all on the command-line. Use the conf_file option to specify the path to the configuration file, e.g.

  dkimproxy.out --conf_file=/etc/dkimproxy_out.conf

The format of the configuration file is one option per line: name of the option, space, then the value of the option. E.g.

  # this is an example config file
  keyfile private.key
  selector postfix
  signature dkim

is equivalent to

  dkimproxy.out, --keyfile=private.key \
                --selector=postfix --signature=dkim


When specifying a signature type, you may optionally specify per-signature options within parenthesis after the signature type. E.g. if you say


Then DKIMproxy will add a DKIM signature with domain, using the relaxed canonicalization method, and the rsa-sha1 algorithm.

The following signature options are recognized:
key the private key file to use. You must specify the full path to the private key file.
a, algorithm the algorithm to use
c, method the canonicalization method to use
d, domain the domain to use, default is to use whichever domain was matched (i.e. one of the domains specified in the --domain argument, or the domain found in the sender map file.)

You may also use macros for this parameter, such as $senderdomain. See the section on MACROS for more information.

i, identity the identity to use, default is to not include an i= parameter.

You may also use macros for this parameter, such as $sender. See the section on MACROS for more information.

s, selector the selector to use


When specifying signature options, specifically the domain and identity options, you may want to substitute values from the message being signed. The following macros are available:
$sender Substitutes the sender’s email address (as found in the Sender or From header).
$senderdomain Substitutes the domain part of the sender’s email address.


If you want to use different signature properties depending on the sender of the message being signed, use a sender map file. This is a lookup file containing sender email addresses on the left and signature properties on the right. E.g.

  # sign my mail with a EXAMPLE.COM dkim signature  dkim(

  # sign WIDGET.EXAMPLE mail with a default domainkeys signature
  widget.example   domainkeys

  # sign EXAMPLE.ORG mail with both a domainkeys and dkim signature      dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)

Right-hand values in a sender map file is a comma-separated list of signature types. Each signature type may have a comma-separated list of parameters enclosed in parenthesis. See SIGNATURE OPTIONS for more information about the recognized parameters.

Please note that DKIMproxy tries hard to match a given message to an entry in the sender map file. If the full domain of the message’s sender is not in the file, it tries each parent domain of the message’s sender until a match is found. E.g. if the sender map file contains the following contents:     dkim(key=key1)
  my.example       dkim(key=key2)

Then a message from will be signed with key key1. A message from will be signed with key2. A message from user3@your.example will not be signed.


This works very much like a sender map file, except it selects based on the List-Id header rather than the Sender or From header. You can match on the full list-id value, or just a suffix. Here is an example file:                   dkim(       dkim(  dkim(

The syntax of the right-hand values is the same as a sender map file, i.e. a comma-separated list of signatures to add to the message. For more details, see SIGNATURE OPTIONS above.

If no List-Id header is found in the message to be signed, or no entry in the map file matches the found List-Id header, then DKIMproxy will proceed as if no listid_map option was specified. That is, it will add the default signature (if a domain or signature option was specified), or leave the message as is.


Jason Long


Hey! The above document had some coding errors, which are explained below:
Around line 715: Unterminated L<...> sequence
Search for    or go to Top of page |  Section 8 |  Main Index

perl v5.10.1 DKIMPROXY.OUT (1) 2010-11-15

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.