Question Outgoing DKIM signing when mail is turned off

[pleskpanel]

Server operating system version

CentOS 7.9, Almalinux 8/9

Plesk version and microupdate number

Plesk Obsidian 18.0.58

In this scenario, the Plesk mail server isn't used (mailboxes are external) so it's turned off via the Plesk GUI and DNS is external with no connection to Plesk. The servers provide shared hosting with hundreds of domains on each.

We'd like messages that are sent from server scripts and postfix to sign with DKIM for all domains on the Plesk server.

Using this article, https://support.plesk.com/hc/en-us/...M-signing-for-all-domains-on-Plesk-for-Linux-, we can turn on outgoing mail signing on a server level.

Two questions are:

1. Can DKIM DNS record values be viewed even if we're not using the mail function (i.e. no mailboxes are run on the server) or is the only way to see those, enabling the mail management functionality?
2. Is there a better way to do this to generate a single, server-wide DKIM record for all of the domains on the server that can then be added to each domain's external DNS zone or is the only possibility to generate a record for each individual domain?

Comments and thoughts are much appreciated!

 

[Peter Debik]

1) On the operating system shell run as root

openssl rsa -in /etc/domainkeys/<your domain>/<your selector> -pubout
for example
openssl rsa -in /etc/domainkeys/mydomain.tld/default -pubout

It will yield a result like

writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAG8AMIIBCgKCAQEA1o9OR4Qm8Dq0PP3oAWWO
arZcfOM5a8hBnZjQKIhstohgdlk7QlFkomz+AMWDl4cfL0EdrYnUAdXVm8y6tOy5
s11rSc/lvxm7ombZyI6qNNQHX6fx/zWubgwzNsP2ymCONN8ahfSnUHUuahApBPy+
A9JZBqJxbptl3AY1hXhM8e8nKxFdlN1zSMK85424Gh76lwP4Vr6BblvQZ+/5sft8
WamIkbXh4/s4jrvS/xdV35MIIjyW7lPc8CG3qIddrAe0yjCTKu0h+uahe9LxrhSc
dmt56DuquV4+iGsYNPnpb3ZOltir82TbCCnCA6/ALAPvUzQ1V3SSOebx+bhMVb4q
QwIDAQAB
-----END PUBLIC KEY-----

Take the cryptic looking content string and put it into the typical DKIM string in your DNS, e.g.

default._domainkey.example.com IN TXT "v=DKIM1;k=rsa; p="MIIBIjANBgkqhkiG9w0BAQEFAAOCAG8AMIIBCgKCAQEA1o9OR4Qm8Dq0PP3oAWWOarZcfOM5a8hBnZjQKIhstohgdlk7QlFkomz+AMWDl4cfL0EdrYnUAdXVm8y6tOy5s11rSc/lvxm7ombZyI6qNNQHX6fx/zWubgwzNsP2ymCONN8ahfSnUHUuahApBPy+A9JZBqJxbptl3AY1hXhM8e8nKxFdlN1zSMK85424Gh76lwP4Vr6BblvQZ+/5sft8WamIkbXh4/s4jrvS/xdV35MIIjyW7lPc8CG3qIddrAe0yjCTKu0h+uahe9LxrhScdmt56DuquV4+iGsYNPnpb3ZOltir82TbCCnCA6/ALAPvUzQ1V3SSOebx+bhMVb4qQwIDAQAB;"

2) I've never thought about a single DKIM key for various domains. I am not sure whether the domain name is part of the key, but do not think so. It might be possible by just copying /etc/domainkeys/<your domain>/<your selector> to /etc/domainkeys/<your other domain>/<your selector> etc. You can try it, let us know if it worked.

 

[pleskpanel]

The article here https://support.plesk.com/hc/en-us/...M-signing-for-all-domains-on-Plesk-for-Linux- seems to suggest that with those two commands, keys would be generated for all domains on the server. Does this apply to mail sent via Postfix and PHP scripts that use localhost?

I think the documentation doesn't cover use cases where email accounts are external to Plesk but email is generated via server scripts.

 

[Peter Debik]

Are you asking whether mails generated by PHP scripts will be signed? Yes they will.

Emails sent by external services and not by the Plesk server will not be signed by the DKIM key that was issued by the Plesk server.

 

[pleskpanel]

To follow-up on this, running the two commands here https://support.plesk.com/hc/en-us/...M-signing-for-all-domains-on-Plesk-for-Linux- seem to successfully enable DKIM signing for all domains however if "Enable mail management functions in Plesk" is turned off via the GUI, is there a way to pull that external DNS record via the GUI?

 

[Peter Debik]

No, a record that is defined elsewhere cannot be imported automatically.