Email goes in to spam (old story)

[seqoi]

Spent few days i am out of ideas. Not sure what am i doing wrong. All emails i sent goes into spam (gmail, yahoo, outlook)

I am sending screenshot of my dns zone (domain is pointed to cloudns and works wonderfully everything works jsut this email thing)..

I added keys in to my DNS zone at cloudns.net, added private key into etc/domainkeys/mydomain.com/default

DKIM is pass. From what i understand i should just ignore Domaincheck being neutral as DKIM is what is most important right?

When checking this is the result i am getting (my actual domain is replaced with "mydomainishere"):

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mydomainishere
Source IP:      xxx.xxx.212.27
mail-from:      info@mydomainishere

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mailfrom=info@mydomainishere
DNS record(s):
    mydomainishere. SPF (no records)
    mydomainishere. 3600 IN TXT "v=spf1 +all"

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=info@mydomainishere
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: info@mydomainishere)
ID(s) verified: header.d=mydomainishere
Canonicalized Headers:
    from:info@mydomainishere'0D''0A'
    to:[email protected]'0D''0A'
    subject:g'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=mydomainishere;'20's=default;'20't=1489666532;'20'bh=Xtvwt7Cb0W352Oz91uI6OPSbAdpWr71PAW0aGQhUBh0=;'20'l=3;'20'h=From:To:Subject;'20'b=

Canonicalized Body:
    g'0D''0A'

Could it be because of missing SPF records?

here is my zone screenshot maybe some key is invalid?



note i found this thread: https://www.unixhops.com/install-dkim-and-dmarc-on-plesk-12-5/ but on my server DKIM is pass so i am assuming i don't need to follow that tutorial..

 

[UFHH01]

Hi seqoi,

Spent few days i am out of ideas. Not sure what am i doing wrong. All emails i sent goes into spam (gmail, yahoo, outlook)

Did you consider to inspect the mail headers from your eMails, declared as spam?

Consider as well to use the FORUM search, to inform yourself about decent SPF - entries.

 

[seqoi]

Thanks for advice i will look into mail headers. Any tip what to look for? How do i know why is email declared as spam?

Do you agree that if DKIM is pass i should not worry about it then?

Will look for decent SPF thanks.

 

[seqoi]

Ok you provided me good catch. Google header actually show me DKIM FAIL with domain NULL...

 

[seqoi]

Hi there! Some guidance needed. I still refused to follow tutorial i mentioned because i don't want to mess something. Tutorial is for plesk 12.5 and i have onyx 17. With that being said.

Plesk Onyx 17, CentOS 7.3.

Postfix, Dovecot

Simple question - where exactly on server configuration do i add my DKIM RSA private key ??

edit: i have three domains hosted on server. I am assuming each domain should host specific key in specific folder?

 

[UFHH01]

Hi seqoi,

Simple question - where exactly on server configuration do i add my DKIM RSA private key ??

this depends on your unique server and package installation. If you follow the above mentioned article, you will add a second DKIM - signing, while the Plesk implemented DKIM - signing feature is already included in Plesk Onyx ( and YES, it is "DKIM" on Plesk Onyx and not "DomainKeys" ).

The needed DKIM - key from Plesk ( separator "default" ) is added in your DNS - settings for the specific domain ( => HOME > Subsciptions > YOUR-DOMAIN.COM > DNS Settings ) and stored in the psa - database.

 

[seqoi]

UFHH01 Before s start let me tell you i am honestly VERY grateful for you spending your valuable time with my rookie issues. Thank you for that.

I did not wanted to waste anyone times so I read ton of articles and found similar but not the same things like this thread (https://talk.plesk.com/threads/dkim-domainkey-with-external-dns.339868/)

My apology for me (again) not being clear right from start. I do not use Plesk DNS like OP from linked thread. I use cloudns.net for my DNS administration and in plesk i switched DNS off by following official plesk documentation. Everything works super smooth apart from DKIM.

So do you think i should enable Plesk DNS for particular domain on my server (but i don't see a point).

In this article https://docs.plesk.com/en-US/onyx/a...am-tools/dkim-spf-and-dmarc-protection.59433/ by reading plesk article and especially that in red color

"Important: If you use an external DNS service, DKIM signing will work for outgoing messages, but the receiving mail server will not be able to validate these messages. As a workaround, you can switch off Plesk DNS server and add a corresponding DKIM-related DNS record on the external DNS service. In this case, the receiving server will be able to validate the messages."

It does appear to me i can continue to use my external DNS service at cloudns.net. Like i said i set up everything properly and i see in test email that key is "passing" in email but i never was able to find a place where do i actually need to add my private RSA key.

? Any potential clue?

As i understand it Plesk Onyx users do not need to install opendkim service and configure it as mentioned in this thread: https://www.unixhops.com/install-dkim-and-dmarc-on-plesk-12-5/

I believe i am at point where i set up everything just correctly but no one ever mentioned where do i add RSA key on my server?

 

[UFHH01]

Hi seqoi,

My apology for me (again) not being clear right from start. I do not use Plesk DNS like OP from linked thread. I use cloudns.net for my DNS administration and in plesk i switched DNS off by following official plesk documentation. Everything works super smooth apart from DKIM.

I can't see any decent reason, why things should be complicated. Just turn ON again the local DNS service and use the provided DKIM - keys from specific DNS - settings of your domain(s). In order to profit from the DMARC - feature, you need it anyway turned ON. You are still able to use the external DNS - service, but you have the advantage to see all needed DNS - entries over the Plesk Control Panel and can copy them to your external DNS - service.

It is far more complicated, to get the DKIM - keys from your psa - database and install a SECOND DKIM - signing - hook and I can't see any advantage in it for you, to have a second instance on your server.

 

[seqoi]

I can't see any decent reason, why things should be complicated. Just turn ON again the local DNS service and use the provided DKIM - keys from specific DNS - settings of your domain(s). In order to profit from the DMARC - feature, you need it anyway turned ON. You are still able to use the external DNS - service, but you have the advantage to see all needed DNS - entries over the Plesk Control Panel and can copy them to your external DNS - service.

No problem i just did and you are right. Having both i mean copying from one to another isn't anything difficult and there is DMARC like you said.

It is far more complicated, to get the DKIM - keys from your psa - database and install a SECOND DKIM - signing - hook and I can't see any advantage in it for you, to have a second instance on your server.

This part of message i really couldn't understand. What second instance?

Are you suggesting me that my RSA key is very complicated to add somewhere on my server? Why database and what database? I generated my keys here http://dkimcore.org/tools/ and public keys are added in right place. I just simply can't figure out where do i add my private rsa key at server level.

When i am reading this tutorial https://www.unixhops.com/install-dkim-and-dmarc-on-plesk-12-5/ it is perfectly clear to me where and how he do things but like i said i don't have 12.5 and i am in fear if i use opendkim as guy in tutorial it might screw things and interfere with Plesk Onyx features - which is why i simply want to figure out where do i add rsa private key for signing ?...

 

[seqoi]

Do i have to add private key in my NS zone as well?

 

[UFHH01]

Hi seqoi,

This part of message i really couldn't understand. What second instance?

the first instance will be the standart ( Plesk ), while you manually add a second instance, manually installed on your server, manually integrated into postfix.

Are you suggesting me that my RSA key is very complicated to add somewhere on my server?

No, it is not complicated, but Plesk handles the "default" DKIM - signing in a different way, than your manual installed version. Plesk uses the hook over it's own service "psa-pc-remote", pass it over to it's "spf" - handler, passes the result back to "psa-pc-remote" which then pass it over to the "dd51-domainkeys" handler, which again returns it to the "psa-pc-remote" handler, to finally pass it over to postfix.

Why database and what database?

... because Plesk stores the informations in it's PSA - database.

I generated my keys here http://dkimcore.org/tools/ and public keys are added in right place. I just simply can't figure out where do i add my private rsa key at server level.

Total different point here and a total different installation. You have to insert the additional "mail" - DKIM - key at your external DNS - service and you need to integrate the manual installed milter into your postfix configuration. Pls. keep in mind that the separator "DEFAULT" is not equal with separator "MAIL".
But again... you don't really need this additional installation procedure at all and you don't need an additional DKIM - separator "mail" - you use Plesk Onyx and it's very well integrated, even with the option ti use DMARC as well.

Do i have to add private key in my NS zone as well?

No.

 

[seqoi]

Ok thanks. Without wasting anymore of your time can you maybe point me to a specific resource/link on about configuring and making dkim key (now when you know what i did) work. Because i think i did everything ok when it comes to DNS zone editing but i did not touched milter.

Any link from your memory will be greatly appreciated and i am willing to learn and read through it.

 

[UFHH01]

Hi seqoi,

a link which I could recommend is => https://matoski.com/article/spf-dk-dkim-plesk-debian/
Even that this blog article was written for Plesk 11.5, the complete process is still valid - just ignore, that with Plesk Onyx, DomainKeys has been replaced with DKIM now and don't switch off the Plesk DNS server, so you might profit from DMARC - usage as well. Copy ALL your DNS - entries from Plesk to your preferred DNS - service and you will be fine and should not experience any issues.


If you still experience issues/errors/problems, it is essential, that you provide the corresponding mail.log, the screenshots from your depending DNS - settings over Plesk, the screenshots from your desired external DNS - service for the corresponding domain(s) ( = better will be no anonymity of the domains, because people willing to help you can then investigate possible DNS - issues on their own! ) and last the configuration files from you manual opendkim installation.

 

[seqoi]

Thank you. I am new to this forum i pressed "like" and "best answer" and if there is some thank you button (i don't see it) let me know.

You helped me a lot. I wish you nice day.

Kind regards

 

[seqoi]

Hi there! I solved my problems with success. The reason why i am writing here is so other can find and solve their problems. Before i start i want to say again thank you UFHH01 for all your contributions!

One important thing. This tutorial is much much less complicated then https://matoski.com/article/spf-dk-dkim-plesk-debian/ and if one is using Plesk Onyx whole process is actually VERY easy to do and i found answer within my own investigation. I think that problem here is that UFHH01 is VERY experienced Plesk user and his point of view maybe can be much more complicated and therefore not applicable for rookies like me. On top of that i was under impression that i can solve my problems way more easier then what he and other tutorials where suggesting, i believed i was on track and it turned to be true for this particular case.

So no - you don't need to follow tutorials i mentioned, you do not need to install OpenDKIM or alter any milter inside Postfix (assuming you are using default Plesk configuration) - you can do all within Plesk graphical interface and you will need to edit one file via SSH.

Note - i created my keys here: http://dkimcore.org/tools/

So log in to your plesk and go Tools and Settings - Mail Server Settings and enable DKIM and make everything like on screenshot



Now go to your Plesk Websites and Domains and select your domain and there you press on Mail settings




from here you make sure you select "Use DKIM Spam protection...." as on screenshot



As soon as you apply this change (use DKIM spam protection....) new directory will be created in your etc/ folder on server. Directory is called "domainkeys" and inside of it there will be name of your domain. Go inside and there is a file in which you need to add your key (something i asked in my initial issues but UHFF01 did not understand what i am asking and i was not being completely clear about my issues. So yes THIS IS THE PLACE WHERE YOU ADD YOUR PRIVATE KEY weeeeee

so there you have etc/domainkeys/yourdomainexample.com/default - default is file where you need to add your private RSA key. Simply copy paste your key here. That's it.

Now we also need to add proper keys in our DNS zone. I am going to put screenshots of my Plesk DNS zone and my external DNS service. My domain IP and domain name is blurred and keys are blurred but the point of this is to understand where to add what. Why i have both ? Because that's what UHFF01 suggested and it's working for me

VERY IMPORTANT - when generating keys at http://dkimcore.org/tools/ you can copy and paste your tinydns format key but MAKE SURE you remove TTL value at the end of the key 3600 otherwise it wont work. Example:

v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAakaGKDJFJdshjfhfBGJDJGDGJKdjdtA6AW/Z6azPY9346465465675Pc2YwPeML++1nNXRmvqq+JHuYfn1464564567jLEp1MnG/FUpWugKRaM/M7Wgm+bkXpE6OMW0OLbr1rWW2OpAYDisxivQcxWyC4564565465h0oLOjBlQIDAQAB:3600::

you need to remove ":3600:: so your keys will look like

v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAakaGKDJFJdshjfhfBGJDJGDGJKdjdtA6AW/Z6azPY9346465465675Pc2YwPeML++1nNXRmvqq+JHuYfn1464564567jLEp1MnG/FUpWugKRaM/M7Wgm+bkXpE6OMW0OLbr1rWW2OpAYDisxivQcxWyC4564565465h0oLOjBlQIDAQAB

Otherwise it won't work

DNS screenshot




DNS in Plesk




And that's it - that's working for me. No outside tutorials, no new services installation just pure Plesk Onyx. All emails now arrive in gmail, yahoo etc. in inbox and Gmail header inspection is saying DKIM is correct and is a PASS with my domain name.

I am VERY happy and every and each day i am more and more amazed with Plesk

UHFF01 - if there is anything to add here feel free.

I hope this will help someone solving same problem i just got solved.

 

[Edmund.T]

As soon as you apply this change (use DKIM spam protection....) new directory will be created in your etc/ folder on server. Directory is called "domainkeys" and inside of it there will be name of your domain. Go inside and there is a file in which you need to add your key (something i asked in my initial issues but UHFF01 did not understand what i am asking and i was not being completely clear about my issues. So yes THIS IS THE PLACE WHERE YOU ADD YOUR PRIVATE KEY weeeeee

Hi,

I also been trying to solve this problem for DAYS already.. Im glade I saw your post.

Btw by your above quote This Is the place where you add your private key, can you explain further ?

Do you mean the Private Key generated by dkimcore.org?

Do you mind to show me how?

 

[Edmund.T]

I also saw under your mail settings

Yours Show DKIM spam protection system to sign outgoing email, minne show DomainKeys spam protection system to sign outgoing email .. Im using 12.5 , does it mean I need to upgrade?

 

[seqoi]

I also saw under your mail settings

Yours Show DKIM spam protection system to sign outgoing email, minne show DomainKeys spam protection system to sign outgoing email .. Im using 12.5 , does it mean I need to upgrade?

Yes it does mean that. You need to upgrade. I m using (as stated) Onyx v17. My advice is to upgrade. If not then you can still follow tutorials i listed in initial thread. They are for version 12.5

 

[seqoi]

Hi,

I also been trying to solve this problem for DAYS already.. Im glade I saw your post.

Btw by your above quote This Is the place where you add your private key, can you explain further ?

Do you mean the Private Key generated by dkimcore.org?

Do you mind to show me how?

Yes i mean private key generated by dkimcore - how do you mean to show you how can you be more specific? I illustrated it quite clearly in my post. You simply need to add private key code in particular place i listed. Tell me if you need more help.