Resolved Incoming email DKIM issue

ilogus

New Pleskian
Server operating system version
Debian GNU/Linux 12 (bookworm)
Plesk version and microupdate number
18.0.68 #1
Hello, I'm opening this post to try to find some answers concerning the reception of emails under Plesk.

Several of my Plesk servers are unable to verify the DKIM signature of incoming email.

I have the issue under Plesk Obsidian 18.0.67 Web Pro Edition or Plesk Obsidian 18.0.68 Web Host Edition.

Here's what I can see in the logs:

Code:
Mar 16 13:11:16 web1 dk_check[485674]: 349A71780735: DKIM verification (d=paypal.fr, 2048-bit key) failed: signature verification failed
Mar 16 14:15:12 web1 dk_check[490028]: ACC0817805DE: DKIM verification (d=mail.goodstack.org, 2048-bit key) failed: signature verification failed
Mar 16 15:08:53 web1 dk_check[491369]: B4D76178008E: DKIM verification (d=sandtediaoda.top, 1024-bit key) failed: signature verification failed
Mar 16 15:29:19 web1 dk_check[492075]: 4684717805E7: DKIM verification (d=youtube.com, 2048-bit key) failed: signature verification failed
Mar 16 15:58:34 web1 dk_check[551058]: C7CBA1780299: DKIM verification (d=youtube.com, 2048-bit key) failed: signature verification failed
Mar 16 15:59:57 web1 dk_check[551175]: 763301780299: DKIM verification (d=gmail.com, 2048-bit key) failed: signature verification failed

For most emails this is not too serious; however, if the domain has a DMARC policy set to reject, then Plesk will delete the email...

For example, the youtube.com domain:
[Attached image: 1742201093782.png]

So Plesk will remove the email:

Code:
Mar 16 14:29:19 4684717805E7: client=mail-qk1-f199.google.com[209.85.222.199]
Mar 16 14:29:19 4684717805E7: from=<3pudwzwgldz8mn-qdokxxntstad.bnluhc9k.ptdmshmonf-fqnto.bnl@scoutcamp.bounces.google.com> to=<[email protected]>
Mar 16 14:29:19 4684717805E7: message-id=<7d37b8a6b5deb2814211823ede70f2ed1ad29565-20085735-110945236@google.com>
Mar 16 14:29:19 4684717805E7: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Mar 16 14:29:19 4684717805E7: py-limit-out: stderr: SKIP
Mar 16 14:29:19 4684717805E7: spf: stderr: PASS
Mar 16 14:29:19 4684717805E7: check-quota: stderr: SKIP
Mar 16 14:29:19 4684717805E7: from=<3PuDWZwgLDZ8MN-QDOKXXNTSTAD.BNLUHC9K.PTDMSHMONF-FQNTO.BNL@scoutcamp.bounces.google.com>, size=34162, nrcpt=1 (queue active)
Mar 16 14:29:19 4684717805E7: from=<3PuDWZwgLDZ8MN-QDOKXXNTSTAD.BNLUHC9K.PTDMSHMONF-FQNTO.BNL@scoutcamp.bounces.google.com>, to=<removed@removed>, dirname=/var/qmail/mailnames
Mar 16 14:29:19 4684717805E7: DKIM verification (d=youtube.com, 2048-bit key) failed: signature verification failed
Mar 16 14:29:19 4684717805E7: dk_check: stderr: PASS
Mar 16 14:29:19 4684717805E7: DMARC: smtpdomain=scoutcamp.bounces.google.com maildomain=youtube.com [email protected] stamp=1742135359 ip=209.85.222.199 adkim=relaxed aspf=relaxed p=REJECT sp=UNSPECIFIED pct=100 align_dkim=fail align_spf=fail spfres=pass dkimres=fail dmarccheck=DMARC_POLICY_REJECT dmarcstatus=STOP
Mar 16 14:29:19 4684717805E7: dmarc: stderr: STOP
Mar 16 14:29:19 4684717805E7: to=<removed@removed>, relay=plesk_virtual, delay=0.42, delays=0.32/0/0/0.1, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 16 14:29:19 4684717805E7: removed

I tested resolving the DKIM public key of youtube.com over SSH and it works:

Code:
root@web1:~# dig +short TXT 20230601._domainkey.youtube.com
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmagoShYZGcUVgNinqNrNMN9z3zZQ9ryOEHaTs+o6371HPZkTGgorzpC+uUxTrILlsCRwvSKiHcWQRn37h2G+51BM2P9IF+iUVMrgq2FNI4jOFGt3iiS0HWlejXUXtfpX3R3qkxKYkEfL0nlPgfrzQxCKg7uLDnbO9tF3ePJD2q4feN0dHDYP53W828lYH24rW" "zQtdFFa5Jh43bpd2TtZTQ9o44Jk/yG9wAQJhTU3QBUDlGj1OjqcK3Pwoy87i9AhTy9GEw8q2UOJnplKO9WetzjRsGMR317RpI0IFGtDk5QN9GfiOoO9l5Sy9Y5hkUW+PIyGX8C1/nA07nFbpX7acQIDAQAB"

So I don't understand why Plesk can't do it, or fails when it does.

I've disabled DMARC and DKIM checking until I find a solution, but I can't stay like this much longer.

Has anyone ever had this problem? Thanks for your help.
 
Hello @AYamshanov, thanks for your reply.

209.85.222.199 is a valid Google IP listed in SPF Google IP address ranges for outbound mail servers - Google Workspace Admin Help


Have you tested/validated emails with this key? Was the test successful?
I just retrieved the TXT record; I didn't recalculate the DKIM on my side. I don't know if you know a tool to do that? Or by hand?

YouTube just has a strict DMARC policy, but all incoming domains like paypal and gmail also generate DKIM errors.

The strangest thing is that I also have the problem on other Plesk servers; here are the logs from just now:

Code:
Mar 17 09:15:05 prod2 dk_check[3964264]: 9B71DA1AF3: DKIM verification (d=news.raja.fr, 1024-bit key) failed: signature verification failed
Mar 17 09:16:36 prod2 dk_check[3964562]: 8622AA1AF3: DKIM verification (d=cooksonclal.onmicrosoft.com, 1024-bit key) failed: signature verification failed
Mar 17 09:16:39 prod2 dk_check[3964575]: D6123A1AF3: DKIM verification (d=cooksonclal.onmicrosoft.com, 1024-bit key) failed: signature verification failed
Mar 17 09:23:11 prod2 dk_check[3965752]: 12A54A009F: DKIM verification (d=aponem.com, 2048-bit key) failed: signature verification failed
Mar 17 09:26:04 prod2 dk_check[3966344]: 9D852A046C: DKIM verification (d=hdvba.fr, 2048-bit key) failed: signature verification failed
Mar 17 09:47:23 prod2 dk_check[3970581]: B1080A0012: DKIM verification (d=hdvba.fr, 2048-bit key) failed: signature verification failed
Mar 17 09:48:20 prod2 dk_check[3970775]: BCE75A0F0D: DKIM verification (d=hdvba.fr, 2048-bit key) failed: signature verification failed
Mar 17 09:59:02 prod2 dk_check[3979834]: 7B137A1B06: DKIM verification (d=artcurial.com, 1024-bit key) failed: signature verification failed
Mar 17 09:59:02 prod2 dk_check[3979833]: 75343A1B02: DKIM verification (d=artcurial.com, 1024-bit key) failed: signature verification failed
Mar 17 10:36:03 prod2 dk_check[3988109]: 8BD59A1A2D: DKIM verification (d=alixiomobilite.fr, 1024-bit key) failed: signature verification failed
Mar 17 10:40:02 prod2 dk_check[3988930]: 99F19A1B4A: DKIM verification (d=yellowpeacock.com, 2048-bit key) failed: signature verification failed
Mar 17 10:55:00 prod2 dk_check[3992817]: 88D63A1BF4: DKIM verification (d=orange.com, 2048-bit key) failed: signature verification failed

It seems very strange to me :(
 
Finally, the problem was a filter that was deleting users' IP addresses. The filter applied to both outgoing and incoming emails, invalidating the DKIM signature, which was totally my fault o_O

PS: I don't see an option to change the status to “resolved”.
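
A first check for the failure discussed in this thread, as an added example that is not part of the original posts: recompute the DKIM body hash of a message as it is stored on the server and compare it with the `bh=` tag. It assumes `a=rsa-sha256`, relaxed body canonicalization and no `l=` tag; the sample message, its placeholder `b=` value and the `strip_ips` filter are constructed for illustration.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse whitespace runs, strip line ends, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, the value a signer puts in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def bh_matches(raw: bytes) -> bool:
    """True if the first DKIM-Signature's bh= tag matches the body as stored."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # join folded header lines
    sig = re.search(rb"(?im)^dkim-signature:(.*)$", unfolded).group(1)
    bh = re.search(rb"(?:^|;)\s*bh=([^;]+)", sig).group(1)
    return re.sub(rb"\s", b"", bh).decode() == body_hash(body)


def strip_ips(raw: bytes) -> bytes:
    """Hypothetical stand-in for a content filter that deletes IPv4 addresses."""
    return re.sub(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b", b"", raw)


# Constructed sample: the b= value is a placeholder, only bh= is real.
BODY = b"Hello,\r\nYour last login came from 203.0.113.7 today.\r\n"
SIGNED = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
    b" s=sel; h=from:subject; bh=" + body_hash(BODY).encode() + b";\r\n"
    b" b=PLACEHOLDER\r\n"
    b"From: sender@example.org\r\nSubject: test\r\n\r\n" + BODY
)

if __name__ == "__main__":
    print("as signed:    ", bh_matches(SIGNED))
    print("after filter: ", bh_matches(strip_ips(SIGNED)))
```

A mismatch means the body changed after signing; if `bh=` matches and verification still fails, look at modifications to the headers listed in `h=`.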
 