
Question DKIM: Key rollover / Policy?

B_P

Regular Pleskian
Dear all,

Given that Plesk supports DKIM key signing, I was wondering how I can actually generate new keys for a domain which already uses keys. In contrast to DNSSEC, where the procedure for rolling over keys is implemented and documented (Using DNSSEC (Linux)), I did not find anything with regard to how this works for DKIM.
Re-creating keys for DKIM could be necessary for instance when keys are compromised or when you want to change the key length. Thus, my questions related to the DKIM Keys are:
- How can I set specific parameters such as the key length and algorithm to be used when (automatically) generating the key?
- For regular roll-overs it is advised to keep the old key for a while until the new key is properly propagated and all mails using the old key are delivered. Thus, the new key should use a different selector and the old key & selector should only be deleted some days later. I assume this is not yet implemented? When disabling and enabling DKIM a new key is created but using the same selector.

One more question: DKIM, SPF, and DMARC Protection explains that the _domainkey.<example.com> contains the DKIM Policy. Isn't this an outdated DNS record which was only used for the old version of (Yahoo) Domain Keys?
 
Hello,

At this moment, Plesk isn't very friendly for updating DKIM keys: almost all settings are hardcoded in Plesk code, so you need to manually recreate the private key and update DNS records. More detailed instructions can be found in How to get the DKIM public key from Plesk if DNS is not installed?

For regular roll-overs it is advised to keep the old key for a while until the new key is properly propagated and all mails using the old key are delivered. Thus, the new key should use a different selector and the old key & selector should only be deleted some days later. I assume this is not yet implemented? When disabling and enabling DKIM a new key is created but using the same selector.
Yes, the selector is hardcoded to 'default' as well.

One more question: DKIM, SPF, and DMARC Protection explains that the _domainkey.<example.com> contains the DKIM Policy. Isn't this an outdated DNS record which was only used for the old version of (Yahoo) Domain Keys?
No, that isn't exactly true - although this policy can be evaluated by the sender, nowadays it is mostly replaced by the DMARC policy.
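
The rollover discussed in the posts above (a new key under a different selector, with the old record removed only later), as an added example that is not part of the original posts and not Plesk's own procedure. The domain `example.com`, the selector `s2025a` and the file names are assumptions; pointing the signer at the new key depends on the mail setup and is not shown.

```shell
#!/bin/sh
# Added example (not Plesk code). Domain, selector and paths are assumptions.

# Create a new RSA private key for a selector; prints the key file path.
dkim_new_key() {   # usage: dkim_new_key <dir> <selector> [bits]
    key="$1/$2.private"
    # Subshell keeps the restrictive umask local: key is owner-readable only.
    ( umask 077; openssl genrsa -out "$key" "${3:-2048}" 2>/dev/null ) || return 1
    printf '%s\n' "$key"
}

# Value of the p= tag: base64 of the DER-encoded public key (SubjectPublicKeyInfo).
dkim_pubkey_b64() {   # usage: dkim_pubkey_b64 <private-key-file>
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Zone-file TXT record for <selector>._domainkey.<domain>.
# One TXT character-string holds at most 255 bytes and a 2048-bit key is longer,
# so the value is split into several quoted strings, which verifiers concatenate.
dkim_txt_record() {   # usage: dkim_txt_record <domain> <selector> <private-key-file>
    p=$(dkim_pubkey_b64 "$3")
    [ -n "$p" ] || return 1          # empty when the key file is missing or unreadable
    printf '%s._domainkey.%s. IN TXT ( ' "$2" "$1"
    printf 'v=DKIM1; k=rsa; p=%s' "$p" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' '
    printf ' )\n'
}

# Rollover order from the thread:
#   1. publish the record for the NEW selector and wait for DNS propagation
#   2. switch the signer to the new key and selector
#   3. delete the OLD selector's record only some days later
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    key=$(dkim_new_key "$dir" s2025a 2048) || exit 1
    dkim_txt_record example.com s2025a "$key"
fi
```

Running the script with the argument `demo` prints the record for a freshly generated key.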
 
No, that isn't exactly true - although this policy can be evaluated by the sender, nowadays it is mostly replaced by the DMARC policy.

Where in the most recent RFC do you see this resource record? Also, if you have a look at major sites regarding DKIM, this resource record is never mentioned.
 