diff --git a/ChangeLog b/ChangeLog
index ca5c121..e116016 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@ UNRELEASED Version 0.7.0 - Add command line options to dkimsign.py to select header and body canonicalization algorithmns (LP: #1272724) - Add command line option to dkimsign.py to select signing algorithm + - For dknewkey.py make default to include h=sha256 in the DNS record to + exclude usage with sha1. Can be overriden. 2017-05-30 Version 0.6.2 - Fixed problem with header folding that caused the first line to be
diff --git a/dknewkey.py b/dknewkey.py
index d9e2ce5..038f3b5 100644
--- a/dknewkey.py
+++ b/dknewkey.py
@@ -17,6 +17,8 @@
 #
 # Copyright (c) 2016 Google, Inc.
 # Contact: Brandon Long
+# Modified by Scott Kitterman
+# Copyright (c) 2017 Scott Kitterman
 
 """Generates new domainkeys pairs.
 
@@ -34,6 +36,9 @@ import tempfile
 # how strong are our keys?
 BITS_REQUIRED = 2048
 
+# limit to rsa-sha256?
+HTAG='sha256'
+
 # what openssl binary do we use to do key manipulation?
 OPENSSL_BINARY = '/usr/bin/openssl'
 
@@ -60,7 +65,10 @@ def ExtractDnsPublicKey(private_key_file, dns_file):
   os.unlink(working_file)
   dns_fp = open(dns_file, "w+")
   print >> sys.stderr, 'writing ' + dns_file
-  print >> dns_fp, "k=rsa; p=%s" % output
+  if HTAG:
+    print >> dns_fp, "k=rsa; h={0}; p={1}".format(HTAG,output)
+  else:
+    print >> dns_fp, "k=rsa; p=%s" % output
   dns_fp.close()
 
 
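Review bot: `HTAG='sha256'` is introduced as a bare module constant with a question-mark comment, and nothing in this diff lets a user change it even though the ChangeLog entry says the default "Can be overriden"; if the override is meant to be a command-line switch it is not part of this commit, and if it is meant to be an edit of the constant the comment should say so. The comment would carry more weight if it documented what the value does rather than asking a question: `# Value of the h= tag in the published key record: a colon-separated list of hash algorithms a verifier may accept for this key (RFC 6376 section 3.6.1); set to '' or None to omit the tag and allow any.` PEP 8 spacing applies too, `HTAG = 'sha256'`.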
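Review bot: The two `print` branches added in ExtractDnsPublicKey duplicate the record-building and mix `.format` with `%` formatting; building the optional tag once keeps both paths identical apart from that tag: `htag = "h={0}; ".format(HTAG) if HTAG else ""` followed by `print >> dns_fp, "k=rsa; {0}p={1}".format(htag, output)`. A comment at the `if HTAG:` would also help, because the tag is easy to misread as a signing setting: `# h= is advisory to verifiers (RFC 6376 section 3.6.1): it limits which signature hashes they accept for this key, it does not change what the signer produces.` HTAG is interpolated verbatim, so an override containing ';' or whitespace would yield a malformed tag list; worth a sanity check if it ever becomes user-supplied. The body of ExtractDnsPublicKey starts outside this hunk (only its signature appears in the hunk header), so where `output` and `working_file` come from is not visible here.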