@Dave_G,
It seems to be necessary that I explain a little bit about DNS and the possibility to use DKIM.
First, let´s have a look at DKIM and the solution you (essentially) offered to your customer.
There are, in essence, two keys: the private and the public key.
The private key should be on the mail server side and is used to sign mails. Not every signing mail server can or will support 2048 bits keys, the signers are simply not obliged to.
The public key should be in DNS in the form of a TXT record, with the key being in the range of 512 bits to 2048 bits. This is an obligation for verifiers.
Verifiers MAY be able to verify keys of a larger bit size and MUST ignore any signatures using algorithms the verifier does not implement.
The above implies that there are many reasons why a DKIM signature will not work in practice: the verifier and signer have to be "aligned" and that is not always the case.
Furthermore, the algorithms supported (i.e. preferred) by the official guidelines are rsa-sha1 and rsa-sha256.
The hash MUST NOT be truncated or converted into any form other than the native binary form before being signed.
Your work-around fails to satisfy the above requirement: as a result,
your signature will be ignored by any verifier.
In conclusion, you have offered your customer a solution that will not work.
Naturally, I can understand your desire to serve the customers requests and for that reason, you must be aware that your solution is void.
In the length of before mentioned desire, I wanted to help you identify a solution that actually can or does work. So let´s proceed.
Second, let´s have a look at DNS and a working solution that you can offer to your client.
We have to work with the fact that your customer works with the rather impractical 2048 bits key.
Normally, you should be able to convince the customer that a 1024 bit key is just as good, but let´s continue with the 2048 bits key.
In essence, Plesk does not allow that 2048 bit key (simply stated), but that
is not a problem at all.
After all,
domain name resolving is working the following way: a domain name is registered at the domain registrar.
In order to resolve the domain to an IP, the domain registrar maintains it´s own vast and solid network of nameservers, assigning domain names to IPs.
For that reason, almost every domain registrar has a DNS management panel, allowing the domain name holders to manage DNS directly.
Then, you have two options to resolve the domain to a "hosting space" in one of your servers:
a) managing DNS directly via the domain registrar: this is the most practical, flexible and reliable method,
OR
b) adding nameserver records to the domain registrar´s system, with those nameserver records pointing to a Plesk instance: in essence, this results in a domain request being
- served by the domain registrar´s nameserver system, in the sense that the request is directly passed on to the nameservers on the Plesk instance,
- served by the nameservers of the Plesk instance, which nameservers resolve the domain internally (or externally if the nameservers also manages domains on external servers)
and you can see by now that this method involves multiple passes, with some minor penalty on domain resolving performance.
It must be clear by now that you do not actually need the nameservers of Plesk.
It must also be clear that you can always add one record for a specific domain to the DNS management system of the domain registrar, alongside of the nameserver entries.
In essence, adding a TXT record with the appropriate DKIM values is always possible at the domain registrar´s system.
The reason for stating the above is simply the fact that all domain registrars are obliged to allow larger values in the DNS records and most domain registrars have implemented that.
In short, if your domain registrar´s DNS system allows adding huge DNS record values, simply add the DKIM value at the level of the domain registrar.
It is a
simple and
working solution that actually helps
you and your client.
Why does it help you too?
Simply stated, consider your client discovering in the near future that it´s 2048 bits DKIM key does not work and that, for instance, spamming on behalf of the client´s mail server has resulted in extensive blacklisting on DNSBL blacklist, whilst being under the impression that you, as the hosting provider, did offer a working solution.
I certainly would not want to await that situation, in which a very likely conflict between you and the client can exist.
In conclusion, you should try a different solution, if you really want to serve the client´s best interests.
Note that I write all of the above with the best intentions, it is up to you to decide what to do.
Regards....