Resolved DKIM/DomainKey with external DNS ?

[KiamOe]

I want to setup signing of outgoing mail with DKIM but I do not use the DNS feature in Plesk, I have this externaly.
As I can see the documentation is a bit unclear saying that I cannot do this, right???

https://docs.plesk.com/en-US/17.0/administrator-guide/mail/antispam-tools/dkim-protection.59433/
Important: DKIM validation works only for real domains that use the Plesk's DNS server. It will not work if you use an external DNS service because Plesk must be able to add the DKIM-related records to the DNS zone of a domain.

I assume that the correct answer would be that it has to be done "manually" outside of Plesk, right?
So then MY question would be whats the best / most correct way to setup DKIM while running a pretty "standard" plesk / Centos 7 / postfix system with EXTERNAL DNS?

OpenDKIM?

Looks like there are more with this problem:
https://talk.plesk.com/threads/how-...erface-if-i-dont-use-local-dns-server.339856/

K

 

[UFHH01]

Hi KiamOe,

I assume that the correct answer would be that it has to be done "manually" outside of Plesk, right?

Absolutely correct. Just copy the depending ( additional entries ) from Plesk to your external DNS - service for the specific domain.

So then MY question would be whats the best / most correct way to setup DKIM while running a pretty "standard" plesk / Centos 7 / postfix system with EXTERNAL DNS?

Plesk will create the following TXT - entries:

default._domainkey.YOUR-DOMAIN.COM.
_domainkey.YOUR-DOMAIN.COM.

You just have to "manually" create these TXT - entries at the control panel of the DNS - service - provider ( or at the control panel of your domain registar! ), with the corresponding values, that you see in your settings at "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"

 

[KiamOe]

Hi, thanks for getting back to me so quick.

So I just use some (external tool) to generate the keys.. and update in DNS.. that's easy enough. But something would have to be done at my servers/plesk/centos end as well so outgoing mails are signed? Or Plesk will do this automatically if I fix the dns part externally and activate signing of outgoing in plesk?

Hmm.. don't make sense to me. Sounds too easy.

 

[UFHH01]

Hi KiamOe,

So I just use some (external tool) to generate the keys.

No. You JUST use Plesk and it's configuration options ( DKIM - signing enabled ). Nothing more.... nothing less.

Pls. USE the helping hand, that Plesk offers you and install a local DNS - server and the depending Plesk components, even if you use an external DNS - service. You could find this very usefull for other issues as well, in case of DNS - issues, you just have to have a look at the Plesk settings and you can see easily, if possible additional entries are necessary at the control panel of your DNS - service.

 

[anebi]

Hi,

This answer is not good enough. You say that we must have always installed DNS server with plesk in order to be able to see and get the DKIM key from the panel. This doesn't make sense, especially if you don't want to have DNS server on this host for different reasons. It is best if Plesk shows the keys somewhere no matter if DNS server is installed or not, so you can easily go and grab the key and put it to external DNS server.

Regards,
Ali Nebi

Hi KiamOe,


Absolutely correct. Just copy the depending ( additional entries ) from Plesk to your external DNS - service for the specific domain.



Plesk will create the following TXT - entries:

default._domainkey.YOUR-DOMAIN.COM.
_domainkey.YOUR-DOMAIN.COM.

You just have to "manually" create these TXT - entries at the control panel of the DNS - service - provider ( or at the control panel of your domain registar! ), with the corresponding values, that you see in your settings at "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"

 

[UFHH01]

Hi anebi,

You say that we must have always installed DNS server with plesk in order to be able to see and get the DKIM key from the panel. This doesn't make sense, especially if you don't want to have DNS server on this host for different reasons.

Well, it might not make sense to you, but the current ( optional ) Plesk component to use DKIM - signing depends on a local DNS server, as clearly stated in the Plesk documents:

Important: DKIM validation works only for real domains that use the Plesk's DNS server. It will not work if you use an external DNS service because Plesk must be able to add the DKIM-related records to the DNS zone of a domain.

I'm sorry that I can't help with another answer and pls. feel free to suggest a feature request at => https://plesk.uservoice.com

 

[anebi]

Hi hi,

Thank you for your reply

I know that doc states this, but DKIM implementation in the way stated in documentation only tells us users that it doesn't cover all use cases. We need that functionality implemented in a way that will give us chance to use it in different scenarios (with and without local dns). As you know DKIM is already very important part of email delivery process and is important to be created correctly.

Such suggestion was already added by me long long time ago, but nobody cares what we users think.

You can find here my suggestion topic: https://plesk.uservoice.com/forums/...bility-to-activate-dkim-and-domainkey-without

Regards,
Ali Nebi

Hi anebi,


Well, it might not make sense to you, but the current ( optional ) Plesk component to use DKIM - signing depends on a local DNS server, as clearly stated in the Plesk documents:

I'm sorry that I can't help with another answer and pls. feel free to suggest a feature request at => https://plesk.uservoice.com

 

[Justin Ponce]

Hi there UFHH01,

I was able to get DKIM working fine on an external DNS using the instructions above (copying the TXT entry from my Plesk-installed DNS BIND zone files). I have one issue that seems to be really impacting me though: The individual domains all have DNS zone files, but the main host does not have a zone file that I can find. I have DKIM configured, but emails sent by the main host (directly by plesk) continue to fail DKIM check. Here's my example:

I have westcoast.mydomain1.com as my host which hosts:
mydomain1.com,
mydomain2.com,
mydomain3.com, etc.

All three hosted domains pass DKIM checks because I can find the zone files for each, then copy over the TXT entries I need. What can I do about the westcoast.mydomain1.com DNS zone file? Is it hiding somewhere and I have yet to be able to locate it?

Thanks in advance and have a great day.

 

[UFHH01]

Hi Justin Ponce,

your subdomain "westcoast.mydomain1.com" inherits the DKIM - settings from your MAIN - domain "mydomain1.com", so you don't have additional DNS - entries for your subdomain. Pls. keep in mind, that a SUBdomain is never a MAIN - domain, even that you may have started your subsciption setting with it. In general you should start with your MAIN - domain as subscription and add additional domains and depending subdomains under it.

If you need further help here, you have to step out of anonymity, due to the fact, that people willing to help you can't investigate your issue, based on facts.
The mail - log, will as well help to investigate possible issues/errors/problems, so pls. consider as well to add them with corresponding entries ( there is no need to provide the whole daily log, just the corresponding errors/issues/problems, pls.! ).

 

[Justin Ponce]

Understood, here are more details of the issue plaguing me:

I'm running, say, half a dozen VPS hosts, each running an installation of Plesk Web Admin or Web Pro depending on their needs.

My main domain is fissionblue.com, where I use fissionblue.com and www.fissionblue.com for the company site. Each of the VPS hostnames are running as subdomains. For example:

uswest-000.fissionblue.com
useast-002.fissionblue.com,
useast-007.fissionblue.com,
seasia-000.fissionblue.com, and so on.

uswest-000.fissionblue.com hosts website & email system for:
fissionblue.com / www.fissionblue.com,
darklotusdigital.com / www.darklotusdigital.com, and so on.

DKIM verification fails anytime Plesk sends an automated email from any of the VPS hosts, but I have it so that DKIM passes just fine for emails sent from a main domain. How can I (or where can I look to) get the DKIM TXT entry data needed for the Plesk emails to pass verification?

EDIT: I apologize for the automatic link insertion. Not my doing.

 

[UFHH01]

Hi Justin Ponce,

DKIM - signing is used with SMTP - authentification, while you are asking, why mails from Plesk ( using PHP - Mail ) are not signed. The very same is for other scripts on your server, using PHP - Mail, instead of SMTP - authentification.

If you desire Plesk - notifications with DKIM - signing, you could consider to open a feature request at => https://plesk.uservoice.com , describing your wishes and including the buisiness case for your request.

 

[Justin Ponce]

I see. Are you aware of any SMTP relay option available, i.e. making the plesk mailer function "login" to the SMTP server to send emails (thereby fixing the DKIM problem)? Or is that what you meant by recommending I submit a feature request?

 

[UFHH01]

Hi Justin Ponce,

Or is that what you meant by recommending I submit a feature request?

There is no such current feature in Plesk.

I must admit, that I doubt that such a feature request will get lots of votes, because the Plesk Control Panel has to send notifications, without any configured eMail - accounts on your server, but this could be a good additional feature for the "Multi-Server Extension".

 

[Justin Ponce]

True. The issue I'm having right now is they usually end up in the spam/junk folder for gmail, outlook, etc., pre DKIM and of course after. Yes that would be a great feature for the Multi Server Extension for sure. Thanks for looking into this. I'll see what I can do for now.

 

[toomanylogins]

Can anybody please confirm if possible to DKIM sign outgoing mail from my exchange server via plesk. If so how to setup.
Exchange does not support DKIM
I currently have mail turned off for the domain and route incoming via /etc/postfix/main.cf and relay_domians to exchnage
Can I route outgoing via plesk and sign ?
Thanks
Paul

 

[G J Piper]

Absolutely correct. Just copy the depending ( additional entries ) from Plesk to your external DNS - service for the specific domain.
Plesk will create the following TXT - entries:

default._domainkey.YOUR-DOMAIN.COM.
_domainkey.YOUR-DOMAIN.COM.

You just have to "manually" create these TXT - entries at the control panel of the DNS - service - provider ( or at the control panel of your domain registar! ), with the corresponding values, that you see in your settings at "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"

Hey UFHH01:
I have a DNS server running on my server, but I use an external DNS configuration too — at Godaddy's DNS. So, I have all my domains running in Plesk with DNS set as a slave: "The Plesk's DNS server acts as a secondary name server for the DNS zone..."

Here are my questions:

• If I turn on DKIM for outgoing messages on a domain, then I turn that domain's Plesk DNS settings to "primary" to show the DKIM entry in my Plesk UI, then copy the DKIM settings to my Godaddy DNS "primary" server, then turn the domain's settings back to act as a secondary DNS server again, would the DKIM outgoing work?
• Also, does the DKIM DNS key ever change, or is it the same from the point I create the domain, unchanging?
• If it does ever change, what are the circumstances that cause it to change?

Sorry for so many questions about this, but I think it will help all of us external DNS users.
Thank you for your help!

 

[learning_curve]

Not the specific answers that you're looking for @G J Piper but just in case it helps:

Here are my questions:

• If I turn on DKIM for outgoing messages on a domain, then I turn that domain's Plesk DNS settings to "primary" to show the DKIM entry in my Plesk UI, then copy the DKIM settings to my Godaddy DNS "primary" server, then turn the domain's settings back to act as a secondary DNS server again, would the DKIM outgoing work?
• Also, does the DKIM DNS key ever change, or is it the same from the point I create the domain, unchanging?
• If it does ever change, what are the circumstances that cause it to change?

Plesk DNS is NOT enabled on any domain that we host.
We ONLY use external DNS. The DNS provider has many DNS servers, so there's no lack of DNS reference etc
DKIM is enabled (via Plesk Panel) for ALL incoming and outgoing e-mails, on all of our domains
DKIM is enabled via third party API for ALL outgoing PHP generated (phpmailer) e-mails (on domains that use this)
The Private keys that are provided by Plesk are 1024 bit. These were removed from our server
We generated all of our own 2048 bit DKIM keys here: https://port25.com/dkim-wizard/
The Public keys are all located correctly in our external DNS record sets
The Private keys are all located on our server here; /etc/domainkeys/*domain-name*/
DKIM works perfectly on all of our normal outgoing e-mails and on all of our PHP generated (phpmailer) outgoing e-mails

FWIW We were also concerned about DKIM keys being re-generated by Plesk and then overwriting the ones we had created, but it's never, ever happened to date. We haven't switched Plesk DNS on/off/on/off as you may want to do though... We've only ever switched Plesk DNS off (where it has remained) and that was before we used the port25 process on each domain...

If you have enough time and one 'spare' domain to experiment on, a bit granny / eggs etc but you may know that you could probably determine all of the answers to those questions, by running a step by step change process. If the domain is 'spare', then there's no loss of service for anyone and there's no knock-on effects either, to any other domain, because it's only outgoing messages that you've mentioned and that's switched on/off at the domain within Plesk Panel as you're already aware.

 

[toomanylogins]

I have following situation and not sure how to resolve. I use an external DNS and I follow the instructions above to enable the Plesk DNS and I copied the settings. I have a valid key according to Check a DKIM Core Key
https://dkimcore.org/c/keycheck
With regards to the mail service I have this turned off as I'm using postfix to relay incoming and outbound emails using our exchange server.

mynetworks is which ip addresses to accept mail from to forward.
relay_domains is for the inbound which domains should use the transport

This all works very well and my exchange server uses a different DKIM key when sending Mail directly.

The problem of got is when I generate email from the joomla website using phpmailer. As the mail services deactivated it looks like the emails are not signed. Could someone give me an idea how to incorporate DKIM for phpmailer ?

I also tried send my mail using smtp on localhost and sendmail with same result.

Thanks

 

[toomanylogins]

I resolved this for joomla by editing /var/www/vhosts/example.com/httpdocs/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
as per this post
Resolved - Location > DKIM verification > Plesk milter (Postfix) / Postfix within Plesk
using the keys generated via plesk dns and copied into external dns.

 

[forza]

This is correct, as UFHH01 mentions.
default._domainkey.YOUR-DOMAIN.COM.
_domainkey.YOUR-DOMAIN.COM.

You just have to "manually" create these TXT - entries at the control panel of the DNS - service - provider ( or at the control panel of your domain registar! ), with the corresponding values, that you see in your settings at "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"

Just temporary ENABLE the Plesk DNS service for 1 minute, copy the values to your external DNS settings.
And then just DISABLE the DNS service again.
Confirmed to work with my mail server !