After I announced eQmail 1.08 I was asked how to do DKIM signing. That prompted me to review my existing DKIM stuff and create a package: qmail-xdkim. It is based on what I would call conceptual work by Kyle Wheeler and Joerg Backschues (found here), but I extended it to make it more flexible. However, I do not use the deprecated predecessor, DomainKeys.
qmail-xdkim is a small suite of three scripts to handle DKIM signing and verifying. It contains mkdomainkey, qmail-sdkim and qmail-vdkim, and the related man pages. All three tools depend on libdkim. I recommend using my libdkim fork xdkim, which has some improvements. However, this article doesn't explain how DKIM (libdkim/xdkim) works.
qmail-xdkim itself does not patch any files. It plugs into the pipes of qmail programs. See the related paragraphs qmail-sdkim and qmail-vdkim for how to do this. By the way, this shows one of the big advantages of (net)qmail, although renaming the original binaries is admittedly not a really clean solution (see below for alternatives too). As a result, qmail-xdkim should work with any derivative of qmail.
/* In general, rename qmail-remote and call the renamed binary by qmail-sdkim, and likewise rename qmail-queue and call the renamed binary by qmail-vdkim. */
/* was tested and is working with eQmail 1.08.1, netqmail-1.06 and will work with the upcoming version eQmail 1.09. */
qmail-xdkim is available as openqmail-extra package (download): qmail-xdkim (pre-release)
qmail-xdkim will be discussed on the openqmail mailing list.
Unfortunately there is no install routine at the moment, so installation is a bit of manual work. Assuming your qmail installation is in /var/qmail, do:
$ cp mkdomainkey qmail-sdkim qmail-vdkim /var/qmail/bin
$ cp *.8 /var/qmail/man/man8
$ cd /var/qmail/bin
$ chmod 755 mkdomainkey qmail-sdkim qmail-vdkim
$ chown root:qmail mkdomainkey qmail-sdkim qmail-vdkim
Alternatively, use the user qmail{d,r} instead, but make sure to set proper access rights in the places that need them. It may be a good idea to add /var/qmail/bin to your $PATH variable, and the man page folders to $MANPATH.
As mentioned above I recommend xdkim, so it should be installed now too. If libdkim is chosen instead, edit the variable $XDKIM in qmail-sdkim and qmail-vdkim to XDKIM=libdkimtest.
This part creates the domainkeys for a given domain:
$ ./mkdomainkey example.com
Generating RSA private key, 1024 bit long modulus
................++++++
.....++++++
e is 65537 (0x10001)
writing RSA key
TXT record for BIND:
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzeOXKJSQPkL5lnNtKFvvgCMYIeh+brPGVbZUMHuh7MvbBXxubQjupcpE2MlvONr6FsUZ+6/Lx72hjLkTeffi5G/oNRMzYjvw9lo8HdVHLV2uG1q8HOtjd/0yWlr8+MiaWElVIfPa58eJA5aEklltKNl4C2kqoYJTEpO+V13Lr/QIDAQAB"
The new domainkeys with selector default will be created in /etc/domainkeys. Another selector can be chosen by using the -s switch. The TXT record is formatted to be added to a BIND nameserver (all in one line).
Attention! Do not put backslashes in a TXT record! They cause verification to fail. Some versions of dig add these backslashes to the output, which led to the misunderstanding that they have to be in the original record.
The TXT record can be shown for a domain at any time with
$ mkdomainkey -p example.com
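An added check for the record printed above (not part of qmail-xdkim; the function names are made up for this example): it flags backslashes, the t=y testing flag and RSA keys below the 2048 bits that RFC 8301 recommends for signers. It uses the TXT value from the mkdomainkey output above and a constructed copy with dig-style backslashes.

```python
import base64

# TXT value printed by mkdomainkey in the article above (selector "default").
RECORD = (
    "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzeOXKJSQPkL5lnNtKFvvg"
    "CMYIeh+brPGVbZUMHuh7MvbBXxubQjupcpE2MlvONr6FsUZ+6/Lx72hjLkTeffi5G/oNRMzYjvw9lo8H"
    "dVHLV2uG1q8HOtjd/0yWlr8+MiaWElVIfPa58eJA5aEklltKNl4C2kqoYJTEpO+V13Lr/QIDAQAB"
)
# Constructed sample: the same record with dig-style backslashes pasted in.
ESCAPED = RECORD.replace(";", "\\;")

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_bits(p_b64):
    """Modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode("".join(p_b64.split()), validate=True)
    _, spki, _ = der_tlv(der, 0)           # outer SEQUENCE
    _, _, alg_end = der_tlv(der, spki)     # AlgorithmIdentifier, skipped
    _, bits, _ = der_tlv(der, alg_end)     # BIT STRING
    _, key, _ = der_tlv(der, bits + 1)     # RSAPublicKey, after the unused-bits byte
    tag, n0, n1 = der_tlv(der, key)        # INTEGER modulus
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA public key")
    return int.from_bytes(der[n0:n1], "big").bit_length()

def check_record(txt):
    """Return findings for one DKIM key record value (the text between the quotes)."""
    findings = []
    if "\\" in txt:
        findings.append("backslash in record")
    pairs = (item.split("=", 1) for item in txt.replace("\\", "").split(";") if "=" in item)
    tags = {name.strip(): value.strip() for name, value in pairs}
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode (t=y)")
    if not tags.get("p"):
        findings.append("no public key (empty p= means revoked)")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_bits(tags["p"])
        if bits < 2048:                    # RFC 8301: signers SHOULD use >= 2048 bits
            findings.append(f"RSA key is {bits} bits")
    return findings
```

An empty list from check_record means none of the three conditions applies; with t=y set, verifiers treat the domain as still testing DKIM.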
qmail-sdkim inserts a DKIM signature into an outgoing mail. qmail-sdkim should create valid DKIM signatures by default. The default parameters used with xdkim are tested to work with Google (gmail.com). Nevertheless, edit them to your needs if necessary.
qmail-sdkim has to be executed before qmail-remote. I highly recommend using my qmail-bfrmt patch to do this, not only because it is more fault-tolerant. It is the way I do it, and the two should work together out of the box. qmail-sdkim calls qmail-remote by itself with the necessary parameters.
Read the included man page(s) for more details, and the documentation of qmail-bfrmt as well. qmail-sdkim uses splogger to log to the syslog.
An alternative is the old-school way (renaming binaries):
$ cd /var/qmail/bin
$ mv qmail-remote qmail-remote.bin
$ ln -s qmail-sdkim qmail-remote
Important: By default the variable $DKREMOTE points to qmail-remote.bin and assumes that qmail-sdkim is in the same directory! Change this if necessary, either in the script qmail-sdkim itself or by setting it as an environment variable beforehand to override it (e.g. in the run script).
This tool is still considered experimental, a beta version. It is NOT ready for production out-of-the-box yet!
There are several points where qmail-vdkim can be plugged into the incoming pipe. The important thing is that it has to be invoked before qmail-queue. If you have the qmailqueue patch, then the environment variable $QMAILQUEUE can be used, e.g. in the run file:
QMAILQUEUE=/var/qmail/bin/qmail-vdkim tcpserver ...
Beware that qmail-vdkim calls qmail-queue by itself (default).
There is still an old-school way too, something like:
$ cd /var/qmail/bin
$ mv qmail-queue qmail-queue.bin
$ ln -s qmail-vdkim qmail-queue
Edit/set the $DKQUEUE variable to the real qmail-queue binary.
DKIM signatures have to have CRLF line endings; otherwise the verification will fail. qmail-vdkim uses the tool unix2dos to convert line endings. Install it if necessary. If a DKIM signature was found in the message, qmail-vdkim adds a header X-Authentication-Results.
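Why the line endings matter, as an added example that is not code from qmail-vdkim or libdkim: the bh= body hash defined in RFC 6376 is computed over CRLF-terminated lines, so the same body with bare LF hashes to a different value. The function names and the sample body are constructed for this illustration.

```python
import base64
import hashlib
import re

def to_crlf(raw: bytes) -> bytes:
    """Turn bare LF into CRLF, leaving existing CRLF alone (the unix2dos step)."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", raw)

def canon_body(body: bytes, relaxed: bool = False) -> bytes:
    """RFC 6376 body canonicalization; only CRLF counts as a line ending."""
    lines = body.split(b"\r\n")
    if relaxed:  # collapse runs of spaces/tabs, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, relaxed: bool = False) -> str:
    """SHA-256 body hash in base64, the value carried in the bh= tag."""
    digest = hashlib.sha256(canon_body(body, relaxed)).digest()
    return base64.b64encode(digest).decode("ascii")

# Constructed sample body with LF-only line endings, and its CRLF form.
BODY_LF = b"Hello  DKIM \n\nsecond line\n\n\n"
BODY_WIRE = to_crlf(BODY_LF)

if __name__ == "__main__":
    for name, body in (("LF only", BODY_LF), ("CRLF", BODY_WIRE)):
        print(f"{name:8} simple={body_hash(body)} relaxed={body_hash(body, True)}")
```

Both canonicalizations give a different bh= for the LF-only body, which is why the conversion has to happen before the message reaches the verifier.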