DomainKeys Public/Private Key-pair Generation
Last Updated: July 9, 2005

Command Line Tools Available

Perhaps the easiest way to generate a DomainKeys public/private key-pair is to use the command line tools available from CPAN. The tool can create a key-pair and format the keys for DNS publication.

Generating a private-key for the MTA

For ease of explanation, the openssl command is used throughout this document to describe the mechanism by which keys are managed.

One way to generate a 768-bit private-key suitable for DomainKeys is to use openssl like this:

$ openssl genrsa -out rsa.private 768

This writes the file rsa.private, containing key information similar to this:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

This private key is installed in your DomainKeys-enabled MTA; your MTA or plugin should provide instructions on how to do so. Anyone who can read this file can sign mail as your domain, so keep it readable only by the MTA's signing process.


Generating the public-key for the DNS selector record

To extract the public-key component from the private-key, use openssl like this:

$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

This writes the file rsa.public, containing key information similar to this:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----

The base64 body of this public key (the lines between the BEGIN and END markers, with the line breaks removed) is placed in the selector's DNS record as the value of the p tag. Thus, a selector's record may look like:

k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB;
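As an added example (not code from the original page or from the DomainKeys project), the following stdlib-only Python performs the PEM-to-record conversion described above and then checks a published record the way a verifier would see it: it decodes the p= value back to DER and confirms that it carries an rsaEncryption key of the expected 768-bit size. It assumes the record is the TXT value published under the selector name, and the DER walker is a minimal one written for this example, not a general ASN.1 parser.

```python
import base64

# Public key copied from the openssl output above; the DER walker below is a minimal one written here.
PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----"""
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def pem_to_selector_record(pem, testing=True):
    """Strip the PEM armor and wrap the base64 in k=/t=/p= (t=y: domain still testing)."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    base64.b64decode(body, validate=True)  # fail early on a corrupted paste
    tags = ["k=rsa"] + (["t=y"] if testing else []) + ["p=" + body]
    return "; ".join(tags) + ";"

def parse_selector_record(record):
    """Split a published record into tags; whitespace inside p= is insignificant."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return modulus bits."""
    tag, spki, _ = _tlv(spki_der, 0)
    tag_alg, algid, pos = _tlv(spki, 0)
    tag_oid, oid, _ = _tlv(algid, 0)
    if (tag, tag_alg, tag_oid) != (0x30, 0x30, 0x06) or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag_bits, bitstr, _ = _tlv(spki, pos)
    _, rsapub, _ = _tlv(bitstr, 1)  # bitstr[0] is the unused-bits octet
    tag_n, modulus, _ = _tlv(rsapub, 0)
    if tag_bits != 0x03 or bitstr[0] != 0 or tag_n != 0x02:
        raise ValueError("malformed subjectPublicKey or RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()

def selector_record_key_bits(record):
    """Decode a record's p= as a verifier would and report the RSA modulus size."""
    return rsa_modulus_bits(base64.b64decode(parse_selector_record(record)["p"], validate=True))
```

Running selector_record_key_bits over the record you actually publish (as fetched from DNS) catches truncated or mis-pasted p values before mail starts failing verification.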

Copyright © 1994-2006 Yahoo! Inc. All rights reserved.