
Forwarded to devs - DKIM signing records/instructions are outdated

pleskuser67553

TITLE

DKIM signing records/instructions are outdated

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian Version 18.0.63 Update #3, AlmaLinux 9.2, AMD

PROBLEM DESCRIPTION

DNS records created by Plesk, and signing instructions for external DNS contain a record DomainKey Root Outbound Signing Policy o=- which was part of a draft, but did not make it to the standard.

_domainkey.example.com. IN TXT "o=-"

See also DKIM, SPF, and DMARC Protection and ARC Support


STEPS TO REPRODUCE

  1. Navigate to Tools & Settings > Mail Server Settings
  2. Under DKIM spam protection check Allow signing outgoing mail if not already
  3. Navigate to any domain in Plesk
  4. Click on Mail > Mail Settings
  5. Check Use DKIM spam protection system to sign outgoing email messages if not already and click Apply
  6. Click How to configure external DNS to reveal the popup info
  7. Observe the instruction to include the draft policy record _domainkey.example.com. IN TXT "o=-"
  8. Navigate back to the domain
  9. Click on Hosting & DNS > DNS
  10. Click Enable if not already
  11. Observe the generated draft policy record _domainkey.example.com. TXT o=-

ACTUAL RESULT

As described above, the draft policy record is included

EXPECTED RESULT

As described above, the draft policy record should not be included. The docs should also be updated.

ANY ADDITIONAL INFORMATION

Please consider making it easier and more obvious to retrieve the domainkey for configuring external DNS. For example, not behind a popup link, and instead retrievable with a single click on the visible record or button which copies the TXT value to clipboard. Also, perhaps a button to copy a BIND formatted version to clipboard including quoted string breaks at each 255 character count for really long keys.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
@pleskuser67553 thank you for your report. We appreciate that you brought our attention to the issue. We investigated it and we were able to confirm that the DKIM signing policy entry is indeed obsolete. The behavior is confirmed as a bug with ID PPP-66197. A fix for the issue will be introduced in Plesk 18.0.64, which is scheduled for release in the middle of the month. You may observe our Change log here.
 
Please consider making it easier and more obvious to retrieve the domainkey for configuring external DNS. For example, not behind a popup link, and instead retrievable with a single click on the visible record or button which copies the TXT value to clipboard. Also, perhaps a button to copy a BIND formatted version to clipboard including quoted string breaks at each 255 character count for really long keys.

From Plesk 18.0.65 you are able to copy the DNS records values shown in the “How to configure external DNS” pop-up window with a click. Thank you for your suggestion.
 
From Plesk 18.0.65 you are able to copy the DNS records values shown in the “How to configure external DNS” pop-up window with a click. Thank you for your suggestion.
Thank you. It's a good start, but mostly not useful. The copy button stores the record in BIND format. Since Plesk Obsidian 18.0.55 the default is 2048-bit DKIM keys, which produce strings too long for the TXT record limit of 255 characters. So after clicking the copy button it's still necessary to manually split the string with extra double-quotes for BIND format.


For example:

Code:
default._domainkey.example.com. IN TXT "v=DKIM1; p=hCwpv5LDNVn6UxYdGKNgHMAoj2tZb5bDLSC3cCKBr3cc9o8Dt57fvxnbUVTKRaomG9eU6/THHPmCe23T6QXhUekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9x/sSFsa7JhCwpv5LDNVn6UxYdGKNgHMAoj2tZb5bDLSC3cCK/r3cc9o8Dt57fvxnbUVTKRaomG/eU6pTHHPmCe23T6QXhUekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9xqsSFsa7JhCwpv/LDNVn6UxYdGKNgHMAoj2tZ/5bDLSC3cCKBr3cc9o8Dt57fvxnbUVTKRaomG9eU6pTHHPmCe23T6QX/Uekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9xqsSFsa7JhCwpv5LD;"

Could become:

Code:
default._domainkey.example.com. IN TXT "v=DKIM1; p=hCwpv5LDNVn6UxYdGKNgHMAoj2tZb5bDLSC3cCKBr3cc9o8Dt57fvxnbUVTKRaomG9eU6/THHPmCe23T6QXhUekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9x/sSFsa7JhCwpv5LDNVn" "6UxYdGKNgHMAoj2tZb5bDLSC3cCK/r3cc9o8Dt57fvxnbUVTKRaomG/eU6pTHHPmCe23T6QXhUekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9xqsSFsa7JhCwpv/LDNVn6UxYdGKNgHMAoj2tZ/5bDL" "SC3cCKBr3cc9o8Dt57fvxnbUVTKRaomG9eU6pTHHPmCe23T6QX/Uekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9xqsSFsa7JhCwpv5LD;"

Please can you update this feature to automatically split long strings with extra double-quotes for a BIND format copy.

Please also add a feature to copy just the name and value individually. For this copy method, I believe most external DNS providers with an input UI are expecting the value as a single string as they handle the splitting after entry.

For example, the above name copied:

Code:
default._domainkey.example.com

And the above complete value copied without double-quotes

Code:
v=DKIM1; p=hCwpv5LDNVn6UxYdGKNgHMAoj2tZb5bDLSC3cCKBr3cc9o8Dt57fvxnbUVTKRaomG9eU6/THHPmCe23T6QXhUekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9x/sSFsa7JhCwpv5LDNVn6UxYdGKNgHMAoj2tZb5bDLSC3cCK/r3cc9o8Dt57fvxnbUVTKRaomG/eU6pTHHPmCe23T6QXhUekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9xqsSFsa7JhCwpv/LDNVn6UxYdGKNgHMAoj2tZ/5bDLSC3cCKBr3cc9o8Dt57fvxnbUVTKRaomG9eU6pTHHPmCe23T6QX/Uekf89b4uwYpmfHtwr2VhLTKiRfzBtpCse9xqsSFsa7JhCwpv5LD;

Also, I believe this part is not required so should be removed:

Code:
_domainkey.example.com. IN TXT "o=-"
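
Added example, not part of the original post and not Plesk's code: a Python sketch of the two copy formats requested above (a BIND-style line whose value is split into quoted strings of at most 255 bytes, and the name with the value as one string), plus a check for the selector-less o= policy record. The function names and the sample key are constructed for illustration.

```python
import re

MAX_CHUNK = 255  # one TXT <character-string> holds at most 255 bytes (RFC 1035)

def split_txt_value(value, limit=MAX_CHUNK):
    """Cut a TXT value into pieces of at most `limit` bytes each."""
    if not 1 <= limit <= MAX_CHUNK:
        raise ValueError("limit must be between 1 and 255")
    data = value.encode("ascii")  # DKIM key records are plain ASCII
    return [data[i:i + limit].decode("ascii")
            for i in range(0, len(data), limit)] or [""]

def to_bind(name, value, limit=MAX_CHUNK):
    """Render a zone-file line with the value split into quoted strings."""
    quoted = ['"%s"' % c.replace("\\", "\\\\").replace('"', '\\"')
              for c in split_txt_value(value, limit)]
    return "%s. IN TXT %s" % (name.rstrip("."), " ".join(quoted))

def from_bind(line):
    """Return (name, value); quoted strings are joined with no separator,
    which is how verifiers reassemble a DKIM key record (RFC 6376)."""
    m = re.match(r'(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.+)$', line.strip(), re.I)
    if not m:
        raise ValueError("not a TXT record: %r" % line)
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))
    if not parts:                      # unquoted value, as in a DNS list view
        parts = [m.group(2)]
    value = "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)
    return m.group(1).rstrip("."), value

def is_draft_policy_record(line):
    """True for the selector-less _domainkey policy record (o=...)."""
    name, value = from_bind(line)
    tags = [t.strip() for t in value.split(";")]
    return name.lower().startswith("_domainkey.") and any(
        t.startswith("o=") for t in tags)

# Constructed sample: placeholder base64 the length of a 2048-bit key, not a real key.
SAMPLE_NAME = "default._domainkey.example.com"
SAMPLE_VALUE = "v=DKIM1; p=" + "QUJD" * 98 + ";"

if __name__ == "__main__":
    line = to_bind(SAMPLE_NAME, SAMPLE_VALUE)
    print(line)                                  # BIND format, split in two
    print(from_bind(line) == (SAMPLE_NAME, SAMPLE_VALUE))
    print(is_draft_policy_record('_domainkey.example.com. IN TXT "o=-"'))
```

Running from_bind over an exported zone gives the single-string value that web-form DNS providers expect, and is_draft_policy_record can be run over the same lines to find leftover o= records to delete.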
 
Please can you update this feature to automatically split long strings with extra double-quotes for a BIND format copy.
I don't think that's a good idea. At least not as a replacement for the full DKIM string.

All of the larger DNS server software vendors (BIND and PowerDNS for example) support key values larger than 255 chars on their recent versions. Most of the large DNS providers do too. Having a (DNS) provider who does not support larger key values is a bit of an anomaly.

Although admittedly splitting the DKIM values manually is a tedious task. Maybe the DKIM value can be shown split alongside the full value.
 
Maybe the DKIM value can be shown split alongside the full value.
Agreed. That is what I was trying to convey with the latter part of my post, i.e.:
Please also add a feature to copy just the name and value individually. For this copy method, I believe most external DNS providers with an input UI are expecting the value as a single string as they handle the splitting after entry.
 
Also, I believe this part is not required so should be removed:

Code:
_domainkey.example.com. IN TXT "o=-"

The obsolete signing policy recommendation will be removed. There is a separate bug ID for it - PPPM-14594.

I discussed the possibility of splitting the DKIM record value from the name value and, unfortunately, at this point, we cannot incorporate such an option into the panel interface. The same goes for the DKIM string itself.
 