
Question: DKIM on domain with external DNS

Abdelkarim Mateos

New Pleskian
I read the guide for Enabling DKIM

Yet I am amazed. Perhaps I have not understood the matter due to my difficulty with English.

DKIM is a typical signature system based on a public / private pair.

On all the servers that I work with (cPanel, Vesta, ISPConfig, without control panel or bare metal), the thing is simple.

One can have DNS installed and use the facility of that panel to activate DKIM and have the panel create and use the key pair in order to sign outgoing emails.

In the case of not having a control panel, well, it's time to create the signature files manually by SSH, but the question is the same and logical.
  1. Create the public and private signature pair
  2. Configure the system so that the mail server signs outgoing mail
  3. Create the TXT record with the corresponding selector.

Good. On my client's server, DNS is activated, since there are domains that use the DNS of that Plesk, and others that use external DNS.

So, thanks to this, if we activate DKIM on the xxxx.com domain, Plesk creates two entries:
  • default._domainkey.
  • _domainkey.

With the data of both we can create or clone the zone record in our external DNS server.

This works on all the servers that I manage, except Plesk Obsidian, and I find that their documentation tells me that the way that exists is to "turn off the DNS", since otherwise Plesk will sign the emails but the remote server will not be able to verify the signature.

Well, I must have gotten lost, because the remote mail server will never look up the signature in the Plesk DNS, but in the DNS the domain is delegated to, where we already have the DKIM zone record.

Certainly, I cannot find an explanation or solution to something as simple as using external DNS and DKIM.
 
Hello @Abdelkarim Mateos. Not sure that you're lost, maybe nothing more than just misunderstanding some of the context of the Plesk explanations?

Using DKIM on all domains, all with external DNS and all hosted on the same Plesk Obsidian hosting server, does work perfectly. We have used this setup for some time now (even back on Plesk Onyx before Obsidian) and without any issues.

The only thing we have not done, that you may want to do, is: use DKIM with external DNS on some hosted domains, but use DKIM with Plesk DNS on all of the other hosted domains and... with all domains on the same Plesk hosting server. However, that should still be possible (we think!) due to the content of the last sentence shown in the "Switching Off The DNS Service" item below, although we have never tried this ourselves, to date.

In the case of using DKIM on all domains, all with external DNS and all hosted on the same Plesk Obsidian hosting server, the Plesk guide is correct:

This: Enabling DKIM Email Signing (attached image)
Plus this: Switching Off the DNS Service (attached image)
Then this: How to get the DKIM public key from Plesk if DNS is not installed? IF using the default Plesk keys & needing the public key for your external DNS.

Or, you can generate a new set of keys instead. There are many service providers; HERE is just one of the many that are available. Then double / treble check all is okay, say initially HERE and then independently, say HERE. There are many different service providers for these kinds of tests too.

Note: IF you do generate your own new set of keys, then you'll need to make sure the permissions and groups are all correct in order to use the domain's private key located in /etc/domainkeys/ on your Plesk hosting server, say if you use phpmailer on that same domain as well as / instead of normal mail etc.

The standard Plesk private key permissions have a numeric value of 440. The easiest way to check / change via CLI is via: chown | chgrp | setfacl | getfacl

As an example, here's a new DKIM private key when viewed via getfacl, sanitised for posting on here, so my-domain.com / default / addname are used:

Code:
/etc/domainkeys/my-domain.com# getfacl default
# file: default
# owner: root
# group: popuser
user::r--
group::r--
group:addname:r--
mask::r--
other::---

Or when viewed via # ls -la:

Code:
-r--r-----+ 1 root popuser 1674 Sep 29 16:12 default

With the + showing there are additional groups (one in this case, which was needed for phpmailer) but still showing root | popuser, still the default Plesk assigned values.
 

Attachments: 1.png, 2.png
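Checking the copied record before relying on the third-party testers above can be automated. This is an added example for this thread, not Plesk's code and not one of the linked services: a stdlib-only Python check of a DKIM TXT record value as dig or nslookup returns it. It requires p= to be clean base64 (a value pasted with the quotes of a split TXT string still inside fails here), walks the DER only far enough to confirm an RSA SubjectPublicKeyInfo and read the modulus size, and flags keys below the 2048 bits that RFC 8301 recommends; the sample in the `__main__` block is the 1024-bit record shown later in this thread.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # DER of OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _der_len(buf: bytes, i: int):
    """For the DER TLV whose tag sits at buf[i], return (content length, index of first content byte)."""
    n = buf[i + 1]
    if n < 0x80:
        return n, i + 2
    k = n & 0x7F                                   # long form: low bits give the number of length octets
    return int.from_bytes(buf[i + 2:i + 2 + k], "big"), i + 2 + k

def rsa_modulus_bits(spki: bytes):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus; bit size, or None if not RSA."""
    try:
        _, i = _der_len(spki, 0)                   # outer SEQUENCE
        alg_len, j = _der_len(spki, i)             # AlgorithmIdentifier SEQUENCE { OID, NULL }
        if spki[0] != 0x30 or spki[j:j + len(RSA_OID)] != RSA_OID:
            return None
        _, i = _der_len(spki, j + alg_len)         # BIT STRING wrapping RSAPublicKey
        _, i = _der_len(spki, i + 1)               # skip the unused-bits octet, enter RSAPublicKey SEQUENCE
        n_len, i = _der_len(spki, i)               # modulus INTEGER (a leading 0x00 keeps it positive)
        return int.from_bytes(spki[i:i + n_len], "big").bit_length()
    except IndexError:                             # truncated or otherwise malformed DER
        return None

def check_dkim_record(txt: str) -> list:
    """Return the problems found in a DKIM TXT record value; [] means it looks publishable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace inside a tag value is insignificant
    problems = []
    if not tags.get("p"):
        return problems + ["p= missing or empty (an empty p= means the key has been revoked)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except ValueError:                             # binascii.Error: quotes, spaces or other junk in p=
        return problems + ["p= is not clean base64: quotes or spaces left over from the copy/paste?"]
    if bits is None:
        problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
    elif bits < 2048:
        problems.append("RSA key is %d bits; RFC 8301 recommends at least 2048" % bits)
    return problems

if __name__ == "__main__":   # the record shown in this thread, as dig +short TXT prints it, quotes removed
    print(check_dkim_record("v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJp4VIdCJRhJ7JpQzzYOBoBUheYs+Vd4TNBSp475e/HduoUHunOjyXWJZZlkumYqhD+5JRd3zEbOoPbvGJdpJMOMoJTqkSkbvU57HlQBNEJoeSAfRmIY7EYot38ASFaub6Cl8ed+Zeo1JzvKs/Fd0k+45TN/Fnf6G25lq2LPlxrwIDAQAB;"))
```

A TXT value over 255 octets is served as several quoted strings that a verifier concatenates in order, so feed the function the strings joined with the quotes removed.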
Well..
  1. DNS is active on the server
  2. DKIM is active for the domain ("Use DKIM spam protection system to sign outgoing email messages" checked)
  3. Plesk creates 2 records in the domain's zone for mydomin.any (zone records below, simulated)
  4. Add these 2 records to my external DNS (delegated)
  5. Check that DKIM has an almost valid structure (below)
  6. Send email and check headers --> ERROR --> DKIM Signature Body Hash Verified -> Body Hash Did Not Verify

Code:
default._domainkey.mydomin.any.    TXT    v=DKIM1; p=MIGfMA0GCSqGSIbXXXXXXXXXXXXXXXXXXXXXYs+Vd4TNBSp475e/HduoUHunOjyXWJZZlkumYqhD+5JRd3zEbOoPbvGJdpJMOMoJTqkSkbvU57HlQBNEJoeSAfRmIY7EYot38ASFaub6Cl8ed+Zeo1JzvKs/Fd0k+45TN/Fnf6G25lq2LPlxrwIDAQAB;
_domainkey.mydomin.any.    TXT    o=-

Code:
nslookup -q=TXT default._domainkey.shopmanagertool.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
default._domainkey.mydomin.any  text = "v=DKIM1;p=MIGfMA0GCSqGSIbXXXXXXXXXXXXXXXXXXXXXYs+Vd4TNBSp475e/HduoUHunOjyXWJZZlkumYqhD+5JRd3zEbOoPbvGJdpJMOMoJTqkSkbvU57HlQBNEJoeSAfRmIY7EYot38ASFaub6Cl8ed+Zeo1JzvKs/Fd0k+45TN/Fnf6G25lq2LPlxrwIDAQAB;"

Authoritative answers can be found from:

Code:
Delivered-To: [email protected]
Received: by 2002:adf:b34a:0:0:0:0:0 with SMTP id k10csp4610703wrd;
        Tue, 3 Nov 2020 04:31:12 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwf93ANn4YU6p1U5lYU29Bqk4txCKuGYeFUQN1kRRFzfi6xyW03Iph7tH6iSxx6+OO6Yhyt
X-Received: by 2002:a17:906:b292:: with SMTP id q18mr669353ejz.93.1604406672418;
        Tue, 03 Nov 2020 04:31:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1604406672; cv=none;
        d=google.com; s=arc-20160816;
        b=u+QgJdRf6rPx1aZiXismPFQPubSR9/l+JcAK2wW8Lf6Br8+dn+LJx24sPa1wEGpSNP
         LZeCWEq8Qi1U8Ew2tLL5WqCjSgQ5iCC9wubqmpABp3QYW/22o2ZqpFPLpLgL7wxO5/9v
         Cbj3WqzVv/xYeodoUbjtRTFz0VCYIMdz7iOXcii95WJ3n3lXizQSzGAaZWrwDkmcK7Df
         WIECFeVbWK7YryIkWey5LDdhcVQU8Z9hMy7SPC/9KCUWZZ7DlGkzzLWucVjPBmfBNOWJ
         9vu86bpztyUGcqOOYogD7Ktxy7XuprGEfMiw32D6i6LBzWolvgZU2XbeGWyl1a9To2pw
         1ALw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:message-id:user-agent:subject:to:from
         :date:mime-version:dkim-signature;
        bh=KOpGlzcvS9PnR4VxBTPx+bZrBLp+HTdS8+PxsY+XVeg=;
        b=N52SXfmx7OL3Vv3TyPsmaz6rJBh71XsfQPpY4TZxhAjAhJCHhfMVz2/yNkRhuTbIQm
         4zOKPvaJsK50tyt9Bwn0G8G7bovaEolbh1qH7llpzepBdo/rMi0c7n7Bu55j+Yxot/Cq
         w/4Bt44WnEaDWWZh4VpMeirNjUOf9wpY+6+2OvqAtqc8A+dbEharc1S+AI4hCQCkHO4a
         1H4F7c3OmTbA2tN0MoDFmbLubwspIpRZKVch9zQFM6D7M5a4wNkrhVL3AkoelqK4RuuI
         b8pBSvzedN7f8kOWyBNyZYwi6392IE6i+eFCs69PUpOgSIucHeEwyR8u90K9CqH27lJS
         rflg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=default header.b=puCDPx8s;
       spf=pass (google.com: domain of [email protected] designates 137.74.66.66 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from aesa.tiendaslistas.com (ip66.ip-137-74-66.eu. [137.74.66.66])
        by mx.google.com with ESMTPS id rh9si14349216ejb.71.2020.11.03.04.31.12
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 03 Nov 2020 04:31:12 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 137.74.66.66 as permitted sender) client-ip=137.74.66.66;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=default header.b=puCDPx8s;
       spf=pass (google.com: domain of [email protected] designates 137.74.66.66 as permitted sender) [email protected]
Received: from webmail.shopmanagertool.com (localhost.localdomain [127.0.0.1]) by aesa.tiendaslistas.com (Postfix) with ESMTPSA id D4BFF804BE23 for <[email protected]>; Tue,
  3 Nov 2020 12:31:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shopmanagertool.com; s=default; t=1604406671; bh=KOpGlzcvS9PnR4VxBTPx+bZrBLp+HTdS8+PxsY+XVeg=; h=From:To:Subject; b=puCDPx8spmu4kObncci2bv+iGultvYhf1aGRqoWQFTteRzPB8LZa+MUwV5etKGTnA
     xnPx5J2P+K3Kk8jruuTBX1EJnHplf3CVN5runCYVykEuKy3KzFr5fTovQcFKUa5RYD
     zEK/6yFrCu/6fjqmz0g3vkLp8/GVpuVnbciSmAjg=
Authentication-Results: aesa.tiendaslistas.com;
        spf=pass (sender IP is 127.0.0.1) [email protected] smtp.helo=webmail.shopmanagertool.com
Received-SPF: pass (aesa.tiendaslistas.com: connection is authenticated)
MIME-Version: 1.0
Date: Tue, 03 Nov 2020 13:31:11 +0100
From: [email protected]
To: [email protected]
Subject: Pruebas de DKIM
User-Agent: Roundcube Webmail/1.4.8
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
 

Attachments: Castris_20201103_133530.jpg
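The "Body Hash Did Not Verify" result in step 6 concerns the bh= tag, not the key in DNS: bh= is a hash of the canonicalized body, so it fails whenever the body a verifier receives differs from the body that was signed (a footer added in transit, lines re-wrapped, or a copy pasted into an analyzer that is not byte-identical), even while Google's own check above reports dkim=pass. The following added example (not from the thread or from Plesk; message and signature header are constructed) recomputes bh= the way a verifier does, with RFC 6376 simple and relaxed body canonicalization chosen from the c= tag.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4 body canonicalization, 'simple' or 'relaxed'."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # relaxed: strip trailing WSP on each line and collapse WSP runs to a single space
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == b"":      # both modes ignore empty lines at the end of the body
        lines.pop()
    if not lines:                          # empty body: simple yields one CRLF, relaxed yields nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed", algo: str = "rsa-sha256") -> str:
    """The bh= value: base64 of the hash named by a= over the canonicalized body."""
    digest = hashlib.sha1 if algo == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, mode)).digest()).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace inside values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def body_hash_verifies(dkim_signature: str, body: bytes) -> bool:
    """True when bh= matches the body as received; False is the analyzer's 'Body Hash Did Not Verify',
    meaning the body changed after signing (the public key in DNS plays no part in this step)."""
    tags = parse_tags(dkim_signature)
    # c=<header>/<body>; the body part defaults to simple when absent (RFC 6376 section 3.5)
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, mode, tags.get("a", "rsa-sha256")) == tags.get("bh")

if __name__ == "__main__":
    # constructed message: a body and a DKIM-Signature carrying its bh= (b= omitted, only bh= is checked here)
    BODY = b"Pruebas de DKIM\r\n\r\n"
    SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; h=From:To:Subject; bh=" + body_hash(BODY) + ";"
    print(body_hash_verifies(SIG, BODY))                                           # True
    print(body_hash_verifies(SIG, BODY + b"-- \r\nfooter added in transit\r\n"))   # False
```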
I am sure that I will have misunderstood some of your post, but you have already said that English is not your 1st language, so let's try... I think you mean:

1) Plesk DNS is switched "ON", on the server that you are using to host Plesk - NOT "OFF" as shown in the 2nd pic that I attached to my 1st post above
AND
for ALL domains (Y or N?)

2) DKIM is switched "ON" (as per the first pic that I attached to my 1st post above) on the server that you are using to host Plesk
AND it is active on the mydomin.any (Y or N?)

3) Plesk DNS has created the default._domainkey.mydomin.any txt record (the public key) and you can see that within the Plesk DNS (Y or N?)

4) You have copied the public key to your own external DNS setup (Y or N?)

5) You have checked that the public key is visible via: nslookup -q=TXT default._domainkey.shopmanagertool.com AND it is - via that check method (Y or N?)

6) You have then sent an e-mail and the header looks fine - at first glance:
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=default header.b=puCDPx8s;
BUT
When you then tested the e-mail header via Email Header Analyzer, RFC822 Parser - MxToolbox, you saw a body hash failure (Y or N?)

A) I am assuming that the answer will be Y (?) to all of the above ^^ so if that is the case, these would be the next questions:

B) Which DNS are you actually using for mydomin.any?
C) You NORMALLY... would use Plesk DNS OR your own External DNS - NOT both. Did you want to use just ONE of these two choices for this domain?
D) If you DO want to use BOTH, you can, but you have to use a Master / Slave DNS setup (which is different process / unconnected to your DKIM query)

If you can answer those questions first ^^ then we can proceed further!
 
@Abdelkarim Mateos In addition, meantime, can you also run an e-mail test here: DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com and post the results of the DKIM test part?

EDIT:

AND
check and verify all of the DKIM section on this page against your own too:
 
Hi

1) Plesk DNS is switched "ON", on the server that you are using to host Plesk - NOT "OFF" as shown in the 2nd pic that I attached to my 1st post above
AND for ALL domains (Y or N?)
Plesk is switched ON on the server. I apologize for the pic... The correct way is Switched ON. In any case, if it is OFF, the zones do not exist, nor does the DKIM signature exist in its corresponding directory.

2) DKIM is switched "ON" (as per the first pic that I attached to my 1st post above) on the server that you are using to host Plesk
AND it is active on the mydomin.any (Y or N?)

2. Yes.

3) Plesk DNS has created the default._domainkey.mydomin.any txt record (the public key) and you can see that within the Plesk DNS (Y or N?)

3. Yes

4) You have copied the public key to your own external DNS setup (Y or N?)

4. Yes. I put it in my replies.

Code:
dig +short TXT default._domainkey.shopmanagertool.com.
"v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJp4VIdCJRhJ7JpQzzYOBoBUheYs+Vd4TNBSp475e/HduoUHunOjyXWJZZlkumYqhD+5JRd3zEbOoPbvGJdpJMOMoJTqkSkbvU57HlQBNEJoeSAfRmIY7EYot38ASFaub6Cl8ed+Zeo1JzvKs/Fd0k+45TN/Fnf6G25lq2LPlxrwIDAQAB;"

5) You have checked that the public key is visible via: nslookup -q=TXT default._domainkey.shopmanagertool.com AND it is - via that check method (Y or N?)

5. My reply:

Code:
nslookup -q=TXT default._domainkey.shopmanagertool.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
default._domainkey.shopmanagertool.com text = "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJp4VIdCJRhJ7JpQzzYOBoBUheYs+Vd4TNBSp475e/HduoUHunOjyXWJZZlkumYqhD+5JRd3zEbOoPbvGJdpJMOMoJTqkSkbvU57HlQBNEJoeSAfRmIY7EYot38ASFaub6Cl8ed+Zeo1JzvKs/Fd0k+45TN/Fnf6G25lq2LPlxrwIDAQAB;"

Authoritative answers can be found from:

6) You have then sent an e-mail and the header looks fine - at first glance:
Yes. Test DKIM passed.

In my reply is the answer: Send email and check headers --> ERROR --> DKIM Signature Body Hash Verified -> Body Hash Did Not Verify

But now sending email does not show any problem. And the DKIM check is correct in all tests.

Thanks for your help.

Best regards.
 