LISTSERV’s DKIM support is configured by doing two things.

    1. Supply one or more private keys.

Each private key is stored as a text file in LISTSERV’s main or home directory (that is, the directory where the *.list files are) and must be named xxx.dkim, where xxx is the arbitrary name you choose to give the key. If you only use one key, it is recommended to name it default.dkim.

The file is created in the usual openssl/RSA format, with one minor modification. Here is an example (not a real key, don't use it):

d=listserv.example.com; s=default
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5OQaM00v83IR uk
jSq4pPvAhsHKSCacVCHp91O1RigBB/C+UXzPO+N1+hZ55ZXS8MPGPgaV9VM1Ey sE
dyfm2Y/rn935GGJwtm67fz+6dyKkCAzLsMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQ AB
AoGBALY1V8WARe+XNzqlmBnHMwIjOCSj2Irnu3io90vM5OStE56PFxvTptxCGB c+
BGYKF6BFtcjWhEeQETW5Y9PcHWbj3O2OSrhk9sPQHZCW46J0IVpP0vRHyrK4o+ zX
CbHkFEJZFSBN2IquUR5m9Yqb5dqQPRf/7lGAQpVrd03wiX4RAkEA8jRE3CFfh7 I5
idx1q2ohBEh2rPHioDONOTUSETHISKEYITISANEXAMPLEONLYPhcwoDjQQ/EqI US
wezkWNX2zQJBAOiJGr7tzHY2Cg4ftfl1DJYXNkRtsR4ZoVsgcjhPVTLScfG7nO FL
pMCKE5ChYFkbYmh5knhOsYrZgBqPDxe8MBMCQFY3dv+pPZlPPx4tBRIUwFYG+X /M
xvGpwDhMaYIm5fmlwBLCBnHt8Z+kEGVwKbabVUkcLHUmYjOe0zOHAS4CVE0CQH SA
9MCCHfV//6ux4Zd5OHQebxb7qki9aKVibTefL72FyIbni6MpJgM9aq4E3GPon3 Ze
qq7SJou9izxDPrmSlLcCQBG0OYhOQWank6kWaziTY/K93vGyHQOqUM425iLQdW Wu
DHj08akKRILiTXhUYgQA9/fE/ncalK4ChvsVG0bqXZ0=
-----END RSA PRIVATE KEY-----


The first line in the file must include a specification for the ‘d=’ and ‘s=’ parameters of the DomainKeys signature (in whatever order, as long as they are both there). Per the DKIM documentation, these variables specify the domain for which you are signing (“d=”) and the “selector” that is used to form the query for the public key (“s=”). For instance, let’s say that your public key is registered as follows in the DNS:

default._domainkey.listserv.example.com IN TXT “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5O DONOTUSETHISKEYITISANEXAMPLEONLY91O1RigBB/C+UXzPO+N1+hZ55ZXS8MPGPgaV9VM1EysEdy fm2Y/rn935GGJwtm67fz+6dyKkCAzLsMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQAB”


The selector is “default” and the domain is “listserv.example.com”.

Important: Again, please remember that the public and private keys in these examples are purposefully invalid and cannot be used to create a live DKIM configuration for LISTSERV.


    1. Supply a DKIM_SIGN Configuration Variable

In your site configuration file, add a DKIM_SIGN= variable containing a blank-separated list of domains that you are able and willing to sign for. You can use wildcards, but only of the form ‘*.EXAMPLE.COM’. You can’t use, for instance, ‘SALES.EXAMPLE.*’. For each entry in the list, specify the key to be used, as follows:

DKIM_SIGN=EXAMPLE.COM *.EXAMPLE.COM EXAMPLE.CA(CA) *.EXAMPLE.CA(CA)


In the example we have been using above, our DKIM_SIGN variable would be

DKIM_SIGN=LISTSERV.EXAMPLE.COM


(Under unix, don’t forget to export DKIM_SIGN .)

By default, the key called DEFAULT is used (if one exists). So, in the sample above, the key for EXAMPLE.COM will be fetched from DEFAULT.DKIM whereas the key for EXAMPLE.CA will come out of CA.DKIM.