LISTSERV loads the keys at startup and makes simple verifications.

26 Jul 2019 14:14:26 Loading DomainKeys private keys...
26 Jul 2019 14:14:26 -> Loaded DEFAULT (d=EXAMPLE.COM; s=TEST; RSA-1024)
26 Jul 2019 14:14:26 -> Loaded CA (d=EXAMPLE.CA; s=TEST; RSA-1024)
26 Jul 2019 14:14:26 DKIM support enabled
26 Jul 2019 14:14:26 DKIM Accelerator enabled


In particular, the ‘d=’ parameter in the key must match or be a parent of the domain you want to sign for. Thus, the key for EXAMPLE.COM can be used to sign for EXAMPLE.COM and *.EXAMPLE.COM, but not for EXAMPLE.CA. LISTSERV will skip any invalid entries. Keys are kept in memory so you can have as many as you want.

If there is no DKIM_SIGN variable or if you are running a LISTSERV version without DKIM support, LISTSERV does not attempt to load any keys and the DKIM feature is bypassed.