To enable DKIM, you first need to generate the key, with openssl genrsa -out /srv/example.com/config/dkim.key - this is the private key which will be used to sign outgoing email.
Looking at the man page for openssl it says that genrsa has been superseded by genpkey.
genpkey
Generation of Private Key or Parameters.
genrsa
Generation of RSA Private Key. Superseded by genpkey(1).
Does this mean that the wiki should be updated to use genpkey instead?
Additionally, does the DKIM only need to be done for the default hostname of the server, with the same DKIM being used for all of the sites hosted, or does each site have a separate DKIM signature?
If its the same for both Stretch and Buster, then yes, however off the top of my head it’s only Buster which is affected, and the end result is the same, so it should be fine.
Maybe add a note/alternative to the wiki?
Each sending domain needs to have it’s own DKIM configuration, along with the relevant DNS entries.
You can use either - as genpkey serves the same function but provides more key type options than just RSA, but you’d also need to adjust the syntax.
You can just use genrsa as it’ll work the same, but I’ve added to this to the list of things that should probably be wrapped in the sympl command line.