Resolved DKIM fails

[Kulturmensch]

Server operating system version

Ubuntu 22.04.2 LTS

Plesk version and microupdate number

Plesk Obsidian v18.0.53_build1800230619.12 os_Ubuntu 22.04

I configured my new server again to use DKIM. When I follow the Plesk manual I have simply to go to the E-Mail menue located in my domain. When I choose DKIM a window pops up showing the key I had to copy/paste in my external DNServer.

(All keys are anonymized)

This is the key I found:
"v=DKIM1;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNLSCBiQKBgQC/WGr1PRmUF9QB2aSYhH6vYH5XcxTsbSjEeV0bLwARL6Ujctt5S8wQVtG6OghLiAOTKZH3f/1R9HCpfEjxIdxma+V1skCckPV6tAaVdRwUvpPJs8NuVgmzK1g8RVO2KlBDOx2Wq032isUHRQF8Kpq7us8a7Cx4eFSUjBslB6bLWwIDAQAB;"

Having done this I found this result in the header of an Test-E-Mail:

dkim=fail (1024-bit key) reason="fail (bad RSA signature)"

So I went back thinking about a copy/paste error and looked again for the key but now the key has changed.
Just opening the DKIM-menue I got a new key:

"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBADEAA4GNADCBiQKBgQDCn2EdyBphNGLsffKunYQYAVe1mJZKwI5buB8Yx9KqBqquwZGCUihYzOdknurTVanj+RwY+PfiMpIKXS46SAYwkJkiJqKb78uRUVGdE+FceDgKnAQxBj+jLR03+XcXnLp1pmw33lRFNOcTWRFyZQWl2omXIOWHCCLt4IpIV/5ZAwIDAQAB;"

and closing saving and opening the next one.

"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7iwiiTgy1OTVVDL78gJbhJk1mrGkswvkX1QwwTgE009Ob7I89VI09M0mdGDa/9RlNTDXwWyL7f+Pu1OQS9UfEkeQsXq7VdS8aD6PgWR2myuZ154tvi9tGi3rvqjaVauCxgvyk25RaDTbMZEsZNLx7XLb2zD4L+vE5e3rtzCuOQQIDAQAB;"

3 Questions:
1. Is it the expected behaviour that any time I open the "DKIM-Menue" in website/domain/E-mail I get a new key?
2. Concerning the syntax, do I have do copy the key with or without brackets in the external DNServer by the host of my server?
3. Do I have to copy the key as received above also in the DNS-Konfiguration of my domain and in the standard dns template, too?

Any idea, what my mistake was?s one, too. Same error. I tried some minor modifications (key with brackets and without,

 

[Kulturmensch]

Found the failure now. The resolv.conf was the problem as this file is continously overwritten with the standard entries

nameserver 127.0.0.53
options edns0 trust-ad
search .

If the following modification is available then DKIM works.

nameserver 127.0.0.1
nameserver 127.0.0.53
options edns0 trust-ad
search .

So the next problem is to make the resolv.conf permanent.

 

[MarkM]

Is NetworkManager in use? If so, kill it.

 

[Kulturmensch]

So, finally I got DKIM work and I would like to share here my lessons learnt. The problem was, that I did not know, that Plesk generates a new KEY-Pair each time you push the DKIM button in /Websites&Domains/(MyDomain)/E-Mail Konfiguration/DKIM.
So, making an entry in an external DNServer and going back to Plesk checking the spelling etc. following the same way leads to a new Keypair and the entry in the external DNServer becomes automatically unvalid.
In addition modifying the resolv.conf in parallel leads to the effect, that somtimes (if this file is permanent for a while), the "old Key-pair" is used as comes from the stub-resolver and it seems, that everything works fine ... until resolv.conf is overwritten again.

To avoid my problems, the following steps are recommended.

1. Enable DKIM in Plesk as mentioned above and copy/paste the shown public key in an editor (nano, vim etc).
2. Check the default._domainkey.tenckhoff.de. entry in Plesk (MyDomain) whether the new public key complies to the copied one.
3. In case you would like to make entirely shure, that you using the right public key, oben an ssh-session and use the following command to see the current valid public key for your domain (root rights are required) root@mail:~# openssl rsa -in /etc/domainkeys/(MyDomain)/default -pubout
4. Do not open again the DKIM Konfiguration of Plesk as a new key-pair would be provided and your p-key by step one would become unvalid.
5. Paste now the p-Key of step or 3 in the appropriate section of the external DNServer in the following form without brackets, semicolon's required:
v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCb1YXXXXXXXXXXXXbwXrV8KNuJlmAnMeGn4ZHm8gykAH644OG/j4M2OLxt8ikfMy9T3rBR9kahRYDJDxiM3aXXXXXXXXXVwwuG4+Y1zj3Qzwvn20dWooplwXXXXXXXXXRMwIDAQAB; (anonymized)
6. Wait and then test the result
internally XXX.MyDomain.com => YYY.MyDomain.com

 

[Kulturmensch]

2nd part as I missed the time limit for editing.

6. Wait and then test the result
a) internally with XXX.MyDomain.com => YYY.MyDomain.com
b) externally XXX.MyDomain.com to an E-Mailaddress where your can read the headers of your received E-Mail

7. Test your DKIM Konfiguration with an online-service i.e. DomainKey-Prüfung - DomainKey überprüfen - DomainKey-Validator - DomainKey Test

This worked for me at the end, is independent from resolv.conf-configuration and helps maybe others to succeed with the important DKIM-feature, too.
(Would be good, if the Plesk Gurus could review my recipe and perhaps provide some more information in the Plesk manual or put this text in ressources)