
Forwarded to devs faulty DKIM record created after customer migration

TomBoB


TITLE


faulty DKIM record created after customer migration

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.42 #1, AlmaLinux 8.5

PROBLEM DESCRIPTION

We migrated customers from one server (to be retired) to another server (new). Old server runs CentOS 7, latest. New server runs AlmaLinux latest. Both run latest Plesk.
Customers were migrated sometimes alone. Other nights 3 or 4 at a time.

On the receiving server, the DKIM record is created in this format [ tested and tried with : DKIM Record Lookup Tool - Free DKIM Check | dmarcian ]
v=DKIM1; p=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4G...
It should be of the format
v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...
Had clients contact me as their emails bounce back.

STEPS TO REPRODUCE

Migrate a customer from one server to another - possibly with above mentioned specifics - and check the DKIM record that's created for the domains of those customers on the receiving server.

ACTUAL RESULT

faulty DKIM record

EXPECTED RESULT

correct DKIM record

ANY ADDITIONAL INFORMATION

Disabling DKIM for the domain on the receiving server, then re-enabling it, creates a proper record. Am using that as a workaround to correct all the faulty records.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Wow, that's going back to Jan 2021, 1.5 years, and not solved yet ?!?!?

Searched for DKIM in this thread, couldn't find anything. That's why I reported it. -- Will look VERY carefully at any client and their domains that we migrated over that period.

Look here Forwarded to devs - Plesk migrator breaks DKIM records that's June 2017 !!! I'm not going back checking 5 years of customer migrations... I've just sorted it for one server we migrated recently, I'll check on 2 more from shortly before that.
Ridiculous that that isn't resolved yet...
 
I use this to list the DKIM status of the domains:

Code:
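# Collect every domain's TXT records matching "default" into one file
DNSLIST='alldnstxtzones.csv'; plesk bin domain --list | while read -r i; do plesk bin dns --info "$i" | grep default | grep TXT >> "$DNSLIST"; done
# List the records that carry the faulty duplicated p= tag
grep "p=DKIM1" "$DNSLIST"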
 
To be honest, I couldn't even be bothered to dig much deeper... Over time we migrated customers all over the place and many different servers. Just ran a
Code:
for domain in $(plesk db -Ne 'SELECT name FROM domains WHERE parentDomainId=0;'); do plesk bin domain_pref --update $domain -sign_outgoing_mail false; done
followed by a
Code:
for domain in $(plesk db -Ne 'SELECT name FROM domains WHERE parentDomainId=0;'); do plesk bin domain_pref --update $domain -sign_outgoing_mail true; done
on all servers to get things in order again. Don't want to think about the impact of this on the clients emails in the past though...

The notice that you can see hints of the bug in the debug.log isn't any help in real life. I'd expect a notice in the info.log for it to catch any attention. The debug.log is only good when you are debugging; i.e. know there is a problem. Which with this bug, one doesn't.
 
I didn't go that far as that would generate a new public key for already signed emails that left the servers. Recipient servers use the public key published to the DKIM's domain to verify the source of the message, and that the parts of the message included in the DKIM signature haven't been changed since the message was signed.
 
I noticed that the last few migrations went correctly. No more messed up DKIM records when you migrate a subscription to another Plesk server.

Has this issue finally been fixed in Plesk Obsidian 18.0.50 Update #2? I didn't see anything mentioned in the logs on this issue.
 
We're about to migrate a major domain over to a new server. Will also keep a close eye on it. Thanks for the reminder !!
 
I did another migration, which ended up with the correct DKIM record.

@TomBoB Which Plesk and migrator version did you use?

I'm using this:
Plesk Migrator v2.24.0-1083
Plesk Obsidian 18.0.50 Update #2
 
We migrated to AlmaLinux 8, very latest updates, Plesk Obsidian 18.0.50 Update #2, using Migrator 2.24.0-1083. Domain was prior on another Plesk server with virtually the same setup as the new server.
 
This issue is still active one year after the start of this discussion.

I fixed this by switching DKIM off and on for each domain:
Bash:
plesk db -Ne 'SELECT name FROM domains WHERE parentDomainId=0;' > domains.txt
for domain in $(cat domains.txt); do
   plesk bin domain_pref --update $domain -sign_outgoing_mail false;
done
for domain in $(cat domains.txt); do
   plesk bin domain_pref --update $domain -sign_outgoing_mail true;
done
 
Because I host several domains for which the mail system is not hosted on my servers.
Acting globally would create incorrect DKIM records for these domains.
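
Added example (not code from this thread or from Plesk): a POSIX shell check for the malformed record shape reported above, so that only affected domains need DKIM switched off and on instead of every domain on the server. It goes beyond the `grep "p=DKIM1"` test by applying the RFC 6376 rule that a tag name may appear only once in a record; the function name `dkim_check` and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify one DKIM key record (TXT value).
# Prints "ok" or "faulty: <reason>"; returns 0 only for "ok".
dkim_check() {
    # Drop whitespace and the quotes DNS tools print around TXT strings.
    clean=$(printf '%s' "$1" | tr -d '[:space:]"')
    seen=" "; first=1; has_p=0; p_value=""
    while IFS= read -r tag; do
        [ -n "$tag" ] || continue        # a trailing ';' leaves an empty field
        case $tag in
            *=*) name=${tag%%=*}; value=${tag#*=} ;;
            *)   echo "faulty: malformed tag '$tag'"; return 1 ;;
        esac
        # RFC 6376 section 3.2: a repeated tag name invalidates the record.
        case $seen in
            *" $name "*) echo "faulty: duplicate tag '$name'"; return 1 ;;
        esac
        seen="$seen$name "
        case $name in
            v)  # If present, v= must be the first tag and equal DKIM1.
                if [ "$first" -ne 1 ] || [ "$value" != "DKIM1" ]; then
                    echo "faulty: bad v= tag"; return 1
                fi ;;
            p)  has_p=1; p_value=$value ;;
        esac
        first=0
    done <<EOF
$(printf '%s' "$clean" | tr ';' '\n')
EOF
    [ "$has_p" -eq 1 ] || { echo "faulty: missing p= tag"; return 1; }
    case $p_value in
        "") echo "faulty: empty p= (key revoked)"; return 1 ;;
        *[!A-Za-z0-9+/=]*) echo "faulty: p= is not base64"; return 1 ;;
    esac
    [ $(( ${#p_value} % 4 )) -eq 0 ] ||
        { echo "faulty: p= has invalid base64 length"; return 1; }
    echo "ok"
}

# Constructed samples; KEY is a placeholder, not a real public key.
KEY='Q09OU1RSVUNURUQtS0VZ'
GOOD="v=DKIM1; p=$KEY"
BROKEN="v=DKIM1; p=DKIM1; p=$KEY"    # the shape reported in this thread

for rec in "$GOOD" "$BROKEN"; do
    printf '%s => %s\n' "$rec" "$(dkim_check "$rec")"
done
```

Pass it the published TXT value of each domain's DKIM record; a non-zero return marks a domain whose record needs regenerating.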
 