Resolved Plesk change DKIM signature when reload or saving the "Mail Settings for domain.tld" page

[httPete]

Username:

TITLE

Plesk change DKIM signature when reload or saving the "Mail Settings for domain.tld" page

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian Web Admin Edition Version 18.0.53 Update Nr. 2; Ubuntu Ubuntu 22.04.2 LTS; postfix 3.6.4-1ubuntu1.1 (Ubuntu for jammy-updates by Ubuntu)

PROBLEM DESCRIPTION

I think I have a problem with my Plesk server. Whenever I go to the email settings for a domain, Plesk automatically changes the DKIM signature. Then when I re-enter the DKIM signature into my external DNS server in the domain zone, save the email settings on the Plesk server, and go to the email settings page on the Plesk server again, it is a different DKIM signature when I click on "How to configure external DNS".

Something definitely seems to be wrong here!!!

On my second Plesk server I do not have this problem. Here the DKIM signature always remains the same. No matter how many times I go to the email settings page for a domain and click on "How to configure external DNS".

One difference on both servers is that the server that always changes the DKIM signature does not have a BIND DNS server installed. The domains have been migrated from the old server to the new server. I want to run the DNS services externally and leave BIND disabled.

Unfortunately I don't have very deep knowledge in the subject, but according to my knowledge the DKIM signature should stay the same.

All my DKIM checks on various SPAM tests fail.

STEPS TO REPRODUCE

1. Go to to the Mail Settings of a Domain
2. click on How to configure external DNS
3. copy the DKIM Signiture
4. click ok or apply
5. click on How to configure external DNS again
6. compare the DKIM signatures

ACTUAL RESULT

When reloading the Mail Settings for domain.tld page, a new DKIM signature is always generated.

EXPECTED RESULT

The DKIM signature should remain the same when saving or reloading the page.

ANY ADDITIONAL INFORMATION

Server new with problem:
Plesk Obsidian Web Admin Edition
Version 18.0.53 Update No. 2 | Ubuntu Ubuntu 22.04.2 LTS

Server old without problem.
Plesk Obsidian Web Pro
Version 18.0.52 Update No. 3 | Ubuntu 18.04.6 LTS (Bionic Beaver)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Peter Debik]

I tried it on an Ubuntu 22: Removed Bind, then tested with page reloads etc. on the mail settings page. I was not able to reproduce the issue as described in the post. Only when I click "Apply" or "OK" on the page that contains the DKIM checkbox, a new DKIM key is stored. But that would be an expected behavior. Else, e.g. when clicking "Cancel" or reloading the page, no new DKIM key is stored. Also when revisiting the page after logging out, logging in, the DKIM key is unchanged. It only changes here when clicking "Apply" or "OK".

If you are seeing a different behavior, please contact support so that an engineer can check it on your server, because then it only affects that one server.

To sign-in to support please go to https://support.plesk.com

If you experience login issues, please see this KB article:
https://support.plesk.com/hc/en-us/...rt-plesk-com-and-password-reset-does-not-work

If you bought your license from a reseller, your reseller should provide support for you. If the reseller does not provide support, here is an alternative:
https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk-

 

[httPete]

Hello Peter, thank you for your quick feedback and your efforts! I have now tested the whole thing without clicking Apply or OK and for me it also worked as you described. Apparently it was possibly due to my browser that i was shown a different DKIM Key even when I reloaded the page. If I click on Cancel, log out and log in again, the DKIM key also remains. If I click Apply or OK as you described, it is changed or regenerated.

You write it would be an expected behavior?! Is this a change in the new version of Plesk or Ubuntu 22?

As I wrote before, on my old server (Plesk version 18.0.52 Update No. 3 | Ubuntu 18.04.6 LTS (Bionic Beaver)) the DKIM key also remains the same when I click Apply or OK. This confused me a lot with my new server, as I am used to this behavior from my old server.

Translated with DeepL

 

[flipzoom]

@Peter Debik,

I also have to intervene here once again, because there seems to be a misunderstanding here. There is definitely a bug here, because these problems are also appearing en masse on my server.

Plesk Version 18.0.54 Update #4
CentOS Linux 7.9.2009 (Core)

The problem is exactly that when you click on "OK" or "Apply" a new key is generated.

1. this is not an expectation of the user. Example: I only want to change the webmailer or the certificate, both can be set on the same configuration page. I click "OK" or "Apply" and at that moment a new DKIM signature is created (even without info or notification about it). As a result, I now have to update my external DNS manually. Just because I changed the webmailer.

2. even if my customer only looks at this page and simply clicks "Ok" because he wants to leave the page, a new DKIM signature is created at this moment and I have to change the external DNS again. Another problem here: as an admin, I don't even notice when my customer changes something here or just presses "OK".

3. the DKMI signature displayed does not correspond to the one after I clicked "OK".
Example of how to proceed:

A. Go to the configuration page to enable DKIM.​

B. Check the box to enable it.​

C. Click "Apply" to display the entries in the pop-up for external DNS.​

D. Now copy and paste the DNS record and signature into the external DNS.​

E. Now click on "Ok" in Plesk, because I am done and have set everything up.​

F. But now a new signature is generated that no longer matches the one I just created.​

G. Now go back to the settings and look at the signature in the pop-up; it is no longer the one you just created and already stored in the external DNS.​

Nobody expects this behaviour and it is not understandable. Moreover, this has not been the case so far. Just because I press an "OK" button, I should not be forced to update an external DNS every time. With hundreds of domains, this is not even possible to monitor.

I see three solutions here:

1. the previous behaviour is restored, the signature is generated once when the DKIM option is activated and no longer changes when clicking on "Ok" or "Apply".

2. it must be checked whether Plesk's own DNS is used. I have installed Bind but deactivated it. I have only stored my external name servers in Plesk, but do not use anything else from the Pleks DNS. So: if external DNS are used, the signature can't just change when clicking on "Ok" or "Apply".

3. an explicit optin checkbox or button is placed as a function with "Regenrate DKIM signature".

Whatever the solution, the automatic regeneration, without info, without the possibility to deactivate it, is a bug and a wrong usability behaviour. I hope it is now a little clearer what the problem is. The title is worded somewhat unfortunate with "Reload". I also see this bug as very critical. Today alone, I had to update dozens of domains by hand.

 

[Kaspar]

I am able to replicate this issue and agree this should be treated as a bug. There is no need for the DKIM key to be changed every time the "Apply" or "Ok" button is clicked on the domain's mail settings.

 

[Peter Debik]

I hesitate filing this as a bug, because it does what it shall do. It may just not be as comfortable as expected. I see your point though, but solving this requires a new feature, like "Add a button by which a new DKIM key can be generated. Unless that button is clicked, keep the existing DKIM key.", because there must be a way to generate a new key. Would you care to submit this or a similar request to Feature Suggestions: Top (1873 ideas) – Your Ideas for Plesk

 

[Kaspar]

I hesitate filing this as a bug, because it does what it shall do. It may just not be as comfortable as expected. I see your point though, but solving this requires a new feature, like "Add a button by which a new DKIM key can be generated. Unless that button is clicked, keep the existing DKIM key.", because there must be a way to generate a new key. Would you care to submit this or a similar request to Feature Suggestions: Top (1873 ideas) – Your Ideas for Plesk

I get that, but at the same time this should not be a very resource intensive issue to solve. More importantly the current methode has serious ramifications for users who rely on external DNS, as there is no indication/information to the user what so ever that the DKIM key changes. Meaning that users who manage their DNS externally could easily and unintendedly end up with email delivery issues as the DKIM check fails for their domain. Which is why, imho, this should be treated a bug.

 

[flipzoom]

I don't see this as a feature request either. The behaviour has not been like this so far. It seems that only a check has disappeared somewhere to see whether a key already exists. I'm also not entirely sure whether the scope of this problem is actually grasped.

Even using the Plesk DNS, there would be a problem with the TTL here. Every time "Ok" or "Apply" is clicked, a new key is generated and the default._domainkey TXT record in the DNS is changed. During the time of the TTL, however, the wrong signature is now also here. And this happens every time. The catastrophe with external DNS aside.

I see absolutely no reason why a new key should be generated each time. After deactivation or activation: yes, of course. Here I make a choice for the configuration. But not if I simply click "Ok" at will. No one expects a new key to be generated and doesn't realise it.

 

[Peter Debik]

It's been forwarded as ID PPS-14894, but as it does include the requirement for a new feature (the "Generate new DKIM key" button), it needs to be discussed internally first, so it might take a while to fix.

 

[Peter Debik]

I don't see this as a feature request either. The behaviour has not been like this so far. It seems that only a check has disappeared somewhere to see whether a key already exists. I'm also not entirely sure whether the scope of this problem is actually grasped.

The scope is minimal, because the other functions on that page are rarely used once a subscription or domain was setup.

Even using the Plesk DNS, there would be a problem with the TTL here. Every time "Ok" or "Apply" is clicked, a new key is generated and the default._domainkey TXT record in the DNS is changed. During the time of the TTL, however, the wrong signature is now also here. And this happens every time. The catastrophe with external DNS aside.

That's the normal course of events with TTL. There is always a lag.

I see absolutely no reason why a new key should be generated each time. After deactivation or activation: yes, of course. Here I make a choice for the configuration. But not if I simply click "Ok" at will. No one expects a new key to be generated and doesn't realise it.

Users will need a new option to generate a DKIM key. At the moment, this is done "automatically", but with a change, they'll need an extra button, and that should probably be an asynchronously working button, because right after clicking it, the new DKIM content must be displayed so that users can copy it to their external DNS. Also a case switch is needed for whether a user is using internal or external DNS. It is not that simple as it sounds.

 

[Peter Debik]

The good news is that this was filed before (in July) and ought to be changed in Plesk 18.0.55. However, there seems to be no solution then for changing an existing DKIM key. I'll set this case to resolved anyway, because the initial question is solved.

 

[Kaspar]

@Peter Debik good to read this issue got fixed in the just released 18.0.55 version of Plesk.

As for changing an existing DKIM key, that would still be possible by disabling the "DKIM protection" option of the domain and re-enabling it again. That way a new DKIM key gets generated for the domain.

 

[AYamshanov]

Let me also post a link to the KB article on how to re-generate a DKIM key without causing mail delivery outages (if someone find this post using keywords about DKIM),

• How to change DKIM key value in Plesk without causing mail delivery outages