I'm not sure about perfectly safe. Preventing any sort of file from being served (including dot files) depends on the web server being configured correctly, but XF does expect that the src/
directory is not served. For DKIM, we store generated private keys in the internal data mount point with a random file name.
Are you distributing a private key in the add-on itself? You could also consider storing it as a string in PHP to reduce the likelihood of it being served, but I guess that depends on your exact needs.