• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved No DKIM key generated/shown when DNS component is not installed

Kaspar

API expert
Plesk Guru
Username:

TITLE


No DKIM key generated/shown when DNS component is not installed

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Any OS
Plesk 18.0.56

PROBLEM DESCRIPTION

When BIND is not installed on, or has been uninstalled from, the server, the DKIM key isn't shown and can't be generated for a domain.

STEPS TO REPRODUCE

1) Install Plesk without DNS (or uninstall the DNS component)
2) Add domain to Plesk
3) Navigate to Mail Settings for domain
4) On the mail settings page enable the "Use DKIM spam protection system to sign outgoing email messages" option.
5) Notice how no selector is shown, and when clicking "How to configure external DNS" link on the mail settings page also does not show a DKIM value.

vT7MH1Y.png


ACTUAL RESULT

No DKIM key available or shown.

EXPECTED RESULT

Either a DKIM shown (preferably) or otherwise a warning or error that indicates that the DNS component is required to generate DKIM keys.

ANY ADDITIONAL INFORMATION

(DID NOT ANSWER QUESTION)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Last edited:
Hello, I have the same issue. Even after enabling DKIM for newly created domains, there is no key visible. Also, no directory is created under "/etc/domainkeys/" for new domains. This has been the case since the second-to-last update.
 
Hello, this issue has been ongoing for a few days now.

Is there any workaround available to us until the patch is released? How can I obtain the required DKIM record?
 
Hello, this issue has been ongoing for a few days now.

Is there any workaround available to us until the patch is released? How can I obtain the required DKIM record?
A workaround would be to install the Plesk DNS component.
 
@Kaspar Thank you, but your solution would result in another problem. Since we are using an external DNS server, DKIM would be enabled by default for all newly created email accounts, even if it is not set up. This behavior was introduced in one of the recent Plesk patches.
 
@TorbHo In that case the workaround gets a bit more elaborate. What you could do is install the DNS component, after which you can setup an event in Plesk that runs a bash script with a command to disable DKIM signing for the domain again.

I think the right event for this is the "Physical hosting created" event. You can use the bash script below to be called by the event.
Bash:
#!/bin/bash
/usr/local/psa/bin/domain_pref --update ${NEW_DOMAIN_NAME} -sign_outgoing_mail false

I haven't tested this, so use with caution. But this should work I think.
 
Last edited:
Bash:
#!/bin/bash
/usr/local/psa/bin/domain_pref --update ${NEW_DOMAIN_NAME} -sign_outgoing_mail false

@Kaspar Yes, this event seems to work as a workaround. Thank you.
 
I am not sure if this is part of the issue, but so far I haven't been able to find a CLI equivalent for generating a DKIM keypair. It would be nice (read: required) to have this option, as simply disabling/enabling does not suffice.
 
a possible workaround could be:
- create a folder like the domain name unter /etc/domainkeys
- generate the dkim key with openssl command: openssl genrsa -out default 2048
to generate the dns record do:
- openssl rsa -in default -pubout -outform der 2> null | openssl base64 -A
- add in front of the string "v=dkim1; p="

make it a 3 lines bash script and it should work.
 
You can try this workaround:
Code:
mkdir /etc/domainkeys/example.com 
cd /root 
openssl genrsa -out private.key 1024 
mv private.key /etc/domainkeys/example.com/default 
chmod 440 /etc/domainkeys/example.com/default 
chown root:pouser /etc/domainkeys/example.com/default 
cd /etc/domainkeys/example.com/ 
openssl rsa -in default -pubout -out public.key 
openssl rsa -in /etc/domainkeys/example.com/default -pubout
 
As addition to my and peters answer, find the following simple bash script. it generates as output the dkim record for the dns.

Bash:
#!/bin/bash

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 <Domain>"
  exit 1
fi

domain="$1"
key_dir="/etc/domainkeys/$domain"
private_key="$key_dir/default"

# Create the directory for the domain if it doesn't exist
mkdir -p "$key_dir"

# Generate the private key in the domain directory
openssl genrsa -out "$private_key" 1024

# Set permissions for the private key
chmod 440 "$private_key"
chown root:popuser "$private_key"

# Generate the DKIM DNS record
public_key="$(openssl rsa -in "$private_key" -pubout -outform der 2>/dev/null | openssl base64 -A)"
dkim_dns_record="v=DKIM1; p=$public_key"

# Display the generated DKIM DNS record
echo "DKIM DNS Record: default._domainkey.$domain -> $dkim_dns_record;"
 
As long as the error is not fixed, I need to do the following for newly created domains:
/opt/psa/bin/domain_pref --update example.com -sign_outgoing_mail true
 
Back
Top