Facebook
Twitter
For the last few days, I couldn't get any external e-mail to verify my DKIM. It sent e-mails and resolved DMARC and SPF just fine. But I literally just FINALLY got it, and since I've come across many others distributed across several forums who've run into this problem, here's everything. It seems that some people have just gotten sick of trying to figure out the answer, and so they ended up installing something different or tried to redo everything.
TL;DR:
The main takeaway from this post for anyone who comes across it in search for answers is that Plesk apparently does not get along with OpenDKIM and its Milter configurations, so if you're using OpenDKIM, then you need to set it up differently.
----------------------------------------------------------------------------------------------------
DKIM check failure (the problem):
When I would send an e-mail to my Gmail account, I would get "DKIM fail".
----------------------------------------------------------------------------------------------------
Adding the DNS record:
I'm using DigitalOcean DNS, and I added:
----------------------------------------------------------------------------------------------------
Plesk's "enable DKIM" feature":
If you've searched through the web panel, you'll notice there are 2 places to turn on DKIM (plus however many extra servers you may have).
#1 is under Tools and Settings → Mail Server Settings → DKIM spam protection → "Allow signing outgoing mail"
Turn that off (uncheck it).
#2 only exists if you didn't turn it off from the Tools and Settings. It's under Mail → Mail Settings → mywebsite.com → "Use DKIM spam protection to sign outgoing email messages"
If you already turned it off at the Tools and Settings level, then it should disappear from here (it's normally just above "Switch on greylisting..."). If it's disappeared, then you're gravy. But you're probably gravy anyway. The good kind.
----------------------------------------------------------------------------------------------------
Setting up DKIM:
Follow Linux Babe's guide here: How to Set up SPF and DKIM with Postfix on Ubuntu Server written by Xiao Guoan.
Go down to the section labeled "Setting up DKIM", and follow her awesomely clear instructions.
----------------------------------------------------------------------------------------------------
Getting your OpenDKIM keys (instead of Plesk DKIM keys):
The location from which I grabbed my public key was
(I've also previously tried /etc/domainkey/mywebsite.com/default, but since I don't understand how Plesk overwrites DKIM/Milter settings and how to get that to connect and verify with other servers, I've decided to just not use what Plesk provides. I went through my web panel settings and instead turned off every option to "Use DKIM to...", so that it's strictly the server doing its job, instead of having Plesk trying to do it.)
You can get the full DKIM-needed values by using:
If you JUST want to get the public key from the private key in an easier way, without having the double spaces, quotes, v=, h=, etc added in, you can use (for example, if you already have the DKIM format saved that you want to use):
If you've found yourself over at the Plesk help pages like I did, you'll notice they send you to the /etc/domainkeys folder. Don't worry about doing that.
----------------------------------------------------------------------------------------------------
/etc/postfix/main.cf
Please take note here, that the "smtpd_milters" value is not the same as the "smtpd_milters = , 127.0.0.1:12768" value that is used by the Plesk default (since Plesk doesn't get along with OpenDKIM).
----------------------------------------------------------------------------------------------------
Adding this for search engine (SEO) purposes, to help others who may have this same issue:
DKIM fails when sending email to gmail account, checking DKIM, how to set up DKIM on Plesk.
----------------------------------------------------------------------------------------------------
This is what I know worked for me to finally get "DKIM pass".
Of course, if anyone sees anything here that's wrong or should be done better, please correct me.
TL;DR:
The main takeaway from this post for anyone who comes across it in search for answers is that Plesk apparently does not get along with OpenDKIM and its Milter configurations, so if you're using OpenDKIM, then you need to set it up differently.
----------------------------------------------------------------------------------------------------
DKIM check failure (the problem):
When I would send an e-mail to my Gmail account, I would get "DKIM fail".
----------------------------------------------------------------------------------------------------
Adding the DNS record:
I'm using DigitalOcean DNS, and I added:
so that the DigitalOcean record shows:
(Do not make the mistake of adding the base domain twice.)
----------------------------------------------------------------------------------------------------
Plesk's "enable DKIM" feature":
If you've searched through the web panel, you'll notice there are 2 places to turn on DKIM (plus however many extra servers you may have).
#1 is under Tools and Settings → Mail Server Settings → DKIM spam protection → "Allow signing outgoing mail"
Turn that off (uncheck it).
#2 only exists if you didn't turn it off from the Tools and Settings. It's under Mail → Mail Settings → mywebsite.com → "Use DKIM spam protection to sign outgoing email messages"
If you already turned it off at the Tools and Settings level, then it should disappear from here (it's normally just above "Switch on greylisting..."). If it's disappeared, then you're gravy. But you're probably gravy anyway. The good kind.
----------------------------------------------------------------------------------------------------
Setting up DKIM:
Follow Linux Babe's guide here: How to Set up SPF and DKIM with Postfix on Ubuntu Server written by Xiao Guoan.
Go down to the section labeled "Setting up DKIM", and follow her awesomely clear instructions.
----------------------------------------------------------------------------------------------------
Getting your OpenDKIM keys (instead of Plesk DKIM keys):
The location from which I grabbed my public key was
(I've also previously tried /etc/domainkey/mywebsite.com/default, but since I don't understand how Plesk overwrites DKIM/Milter settings and how to get that to connect and verify with other servers, I've decided to just not use what Plesk provides. I went through my web panel settings and instead turned off every option to "Use DKIM to...", so that it's strictly the server doing its job, instead of having Plesk trying to do it.)
You can get the full DKIM-needed values by using:
which will produce the full value that you need to input to your DNS (assuming you're not using Plesk DNS). Copy and paste everything within the quotes to a text editor, remove the quotes and extra spaces.
If you JUST want to get the public key from the private key in an easier way, without having the double spaces, quotes, v=, h=, etc added in, you can use (for example, if you already have the DKIM format saved that you want to use):
Of course, you'll still need to delete the line breaks, but that's less irritating than going through that concatenated mess.
If you've found yourself over at the Plesk help pages like I did, you'll notice they send you to the /etc/domainkeys folder. Don't worry about doing that.
----------------------------------------------------------------------------------------------------
/etc/postfix/main.cf
Please take note here, that the "smtpd_milters" value is not the same as the "smtpd_milters = , 127.0.0.1:12768" value that is used by the Plesk default (since Plesk doesn't get along with OpenDKIM).
----------------------------------------------------------------------------------------------------
Adding this for search engine (SEO) purposes, to help others who may have this same issue:
DKIM fails when sending email to gmail account, checking DKIM, how to set up DKIM on Plesk.
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail [email protected] header.s=default header.b=codes
spf=pass (google.com: domain of [email protected] designates 123.456.789.000 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mywebsite.comDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mywebsite.com; s=default; t=1595293430; bh=EULTNZ...somekeyhere; h=Subject:To:From; b=EwwWw...somekeyhere=
Authentication-Results: mail.website.com;
spf=pass (sender IP is 123.456.789.000) [email protected] smtp.helo=sender
Received-SPF: pass (mail.website.com: connection is authenticated)----------------------------------------------------------------------------------------------------
This is what I know worked for me to finally get "DKIM pass".
Of course, if anyone sees anything here that's wrong or should be done better, please correct me.
