Add support for DKIM key management
After bumping the generation of new DKIM keys to RSA 2048 in NixOS 25.11, key rotation for existing users could not be done safely. To resolve this situation we now support multiple generations of selectors per domain to enable proper DKIM key transitions as described in RFC6376 3.1. The added documentation introduces and motivates DKIM and guides the user through a DKIM key rotation. Additionally, DKIM key material can now also be treated as managed secrets when autogenerated state on the mail server host is undesirable. This change is fully backwards compatible in behavior and will continue to use the previously generated DKIM key without any additional configuration up until the point when DKIM selectors are configured explicitly.
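As an added illustration (not code from this commit or from the project), a POSIX shell helper for the rotation the message describes: it generates a 2048-bit RSA key for a new selector, emits the DNS TXT record for `<selector>._domainkey.<domain>` split into 255-byte strings as DNS requires, and reports a key's modulus size so the pre-25.11 1024-bit keys can be identified. Function names and output paths are my own choices.

```shell
#!/bin/sh
# Added example: prepare a new DKIM selector for an RFC 6376 key transition.
# Requires openssl; function names and file layout are assumptions.
set -eu

# Generate a 2048-bit RSA key for $selector and write the TXT record that must
# be published under <selector>._domainkey.<domain>. The record is split into
# quoted chunks because a single TXT string may not exceed 255 bytes.
dkim_new_selector() {
  domain=$1; selector=$2; outdir=$3
  mkdir -p "$outdir"
  key="$outdir/$selector.key"
  # Private key material is created with owner-only permissions.
  ( umask 077; openssl genpkey -algorithm RSA \
      -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null )
  pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  chunks=$(printf 'v=DKIM1; k=rsa; p=%s' "$pub" | fold -w 200 \
           | sed 's/.*/"&"/' | tr '\n' ' ' | sed 's/ $//')
  printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" "$chunks" \
    > "$outdir/$selector.txt"
  echo "$outdir/$selector.txt"
}

# Print the RSA modulus size of a private key. Keys generated automatically
# before the 25.11 release report 1024 and should be rotated out.
dkim_key_bits() {
  openssl pkey -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}
```

Publish the record, confirm it resolves, then switch signing to the new selector; keep the old selector's record in DNS until mail signed with it has aged out.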
@@ -11,6 +11,12 @@ NixOS 26.05
:option:`mailserver.x509.privateKeyFile` instead. Support for automatic
creation of self-signed certificates has been removed.
Check the updated `setup guide`_ for a basic ACME HTTP-01 example.
- `DKIM key management`_ is now available with multiple concurrent selectors per
domain enabling proper DKIM key rotation. While we still generate a default
key for backwards compatibility we now also support passing pre-created
key material. If your DKIM keys were automatically created before the 25.11
release they are 1024 bit RSA keys and should be rotated out.
See :option:`mailserver.dkim.domains` for further relevant options.
- Cleartext password files can now be configured for login accounts. This
is an alternative to hashed passwords that integrates well with workflows
established by `agenix`_/`sops-nix`_ that instead rely on encryption. This
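Review bot: the new DKIM bullet reads as run-on sentences at "domain enabling proper DKIM key rotation" and "key for backwards compatibility we now also support"; add commas after "selectors per domain" and "backwards compatibility", and write "1024-bit RSA keys". Since the bullet tells users whose keys were created before 25.11 to rotate them out, it should also say how to tell which case applies (for example by checking the modulus size of the existing key) or link to the rotation steps in the DKIM page rather than only to the options reference.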
@@ -18,6 +24,7 @@ NixOS 26.05
See :option:`mailserver.loginAccounts.<name>.passwordFile`.
.. _setup guide: setup-guide.html#setup-the-server
.. _DKIM key management: dkim.html
.. _agenix: https://github.com/ryantm/agenix
.. _sops-nix: https://github.com/Mic92/sops-nix
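Review bot: the added target `.. _DKIM key management: dkim.html` points at the top of the page, while the bullet it backs advertises key rotation and pre-created key material; consider an anchor into the rotation section, as `.. _setup guide: setup-guide.html#setup-the-server` already does, so readers land on the procedure. The cleartext password bullet that continues into this hunk's context ("See :option:`mailserver.loginAccounts.<name>.passwordFile`") should also state the expected ownership and permissions of that file, since unlike a hashed password it is a credential at rest.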