Issue: Plesk does not retain DKIM keys during server migration

TorbHo

Regular Pleskian
Server operating system version: Ubuntu 24 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.70 Update 2
We recently migrated many domains from one Plesk server to another using the official Plesk Migrator. After the migration, we noticed that the existing DKIM keys were not transferred. Instead, Plesk automatically generates new DKIM private keys for each domain on the destination server.

This causes several issues:
  • DKIM verification fails for previously sent emails still in the mail queue, as their signatures no longer match.
  • New keys require updating the DNS default._domainkey TXT records for every domain.
  • This breaks DKIM validation until DNS records are manually updated.
In our setup, we use an external DNS provider, not the built-in DNS server in Plesk. We also manage hundreds of domains per server, so manually updating each domain’s DKIM TXT record is not a viable option.

I found this support article describing the problem, which appears to be over two years old:

https://support.plesk.com/hc/en-us/...tion-fails-dkim-fail-body-hash-did-not-verify

According to that article, Plesk still does not support DKIM key transfer during migration, nor does it offer a workaround to import existing keys manually.

Here are my questions:
  1. Why doesn’t Plesk preserve existing DKIM private keys during migration?
  2. Is there any supported way to export and re-import DKIM keys so the same DNS records can be used after migration?
  3. Is this issue still being worked on? If yes, when can we expect a proper fix?

This is becoming a serious problem for us in production environments when moving to a new server. Any insights or recommendations would be greatly appreciated.
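For anyone on an external DNS provider, the first thing to know after a migration is which domains' published records still match the key the destination server now signs with, before deciding what to re-publish. The script below is an added example, not Plesk's code and not from anyone in this thread. It assumes you have the public key of each domain in PEM form (for example produced from the private key with openssl rsa -pubout) and the TXT record strings as returned by whatever resolver you use; both are constructed inline here and the key material is not a real key.

```python
import base64
import textwrap


def pem_to_dkim_p(pem: str) -> str:
    """Return the base64 body of a PEM public key with the armour removed.

    DKIM publishes the DER-encoded SubjectPublicKeyInfo in the p= tag
    (RFC 6376, section 3.6.1), so this string is exactly what the TXT
    record must contain for the key present on the server.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def parse_dkim_txt(strings) -> dict:
    """Parse a DKIM TXT record given as the list of strings a resolver returns.

    Keys longer than 255 bytes are split across several quoted strings, which
    are concatenated before the tag=value list is parsed. Whitespace inside a
    value (common in hand-entered records) is discarded.
    """
    record = "".join(strings)
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def check_selector(local_pub_pem: str, txt_strings) -> str:
    """Compare the key on the server with the record published in DNS."""
    if txt_strings is None:
        return "no-record"
    tags = parse_dkim_txt(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "not-dkim"
    if tags.get("p", "") == "":
        return "revoked"  # an empty p= means the selector has been revoked
    if tags["p"] != pem_to_dkim_p(local_pub_pem):
        return "key-mismatch"
    return "ok"


def audit(local_keys: dict, dns_txt: dict, selector: str = "default") -> dict:
    """Run check_selector for every domain.

    local_keys maps domain -> public key PEM found on the destination server;
    dns_txt maps a TXT owner name -> list of strings (absent if no record).
    """
    return {
        domain: check_selector(pem, dns_txt.get(f"{selector}._domainkey.{domain}"))
        for domain, pem in local_keys.items()
    }


# --- constructed sample data (not real keys, not real zones) ----------------
def fake_pem(label: bytes) -> str:
    body = base64.b64encode(label * 4).decode("ascii")
    return ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END PUBLIC KEY-----\n")


NEW_KEY = fake_pem(b"constructed public key from the destination server ")
OLD_KEY = fake_pem(b"constructed public key from the source server ")
NEW_P = pem_to_dkim_p(NEW_KEY)

LOCAL_KEYS = {"example.com": NEW_KEY, "example.net": NEW_KEY, "example.org": NEW_KEY}
DNS_TXT = {
    # record already updated after migration; long key split into two strings
    "default._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + NEW_P[:120], NEW_P[120:]],
    # stale record still carrying the old server's key
    "default._domainkey.example.net": ["v=DKIM1; k=rsa; p=" + pem_to_dkim_p(OLD_KEY)],
    # example.org: no record published at all
}

if __name__ == "__main__":
    for domain, status in audit(LOCAL_KEYS, DNS_TXT).items():
        print(f"{domain}: {status}")
```

Only "ok" domains will verify at receivers; "key-mismatch" is the state a migrated domain is in until its TXT record is replaced, and "revoked" or "no-record" means the selector cannot verify at all. The output is a plain dict, so it can feed whatever bulk-update tooling your DNS provider's API offers.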
 
I can confirm that this is still an active issue and would also like to have it fixed.
The number of support tickets Plesk receives on an issue can determine whether a fix is prioritized. So if you are able to file a support case for it, please do so.
 
Since yesterday, GMX and Web.de – two of the largest email providers in Germany – have started strictly enforcing DKIM verification for incoming mail. This has led to major delivery issues after the migration, as emails without valid DKIM signatures are now being rejected.

This raises the urgent question:
  • Is it possible to requeue or resend emails currently stuck in the mail queue so that they are signed again with the new valid DKIM key?
 
With Postfix and OpenDKIM, the DKIM signature is added at the moment the message is sent via the smtp transport, not when the message is queued. Postfix sends the message to OpenDKIM via milter during the "smtp" delivery phase. OpenDKIM signs the message and passes it back to Postfix. The signed message is then transmitted to the recipient's mail server.

So if a message is in the Postfix queue:
- It is not DKIM-signed yet.
- When it is finally sent (retried from the queue), the DKIM signature is added fresh at that time.

If you inspect the message in the mail queue (postqueue -p or postcat -vq <queue_id>), you will not see a DKIM-Signature header yet. Please verify my response by checking this on your server.
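Checking the queue by hand as suggested above means looking for a DKIM-Signature header in each message. As an added example that is not part of this thread, the following script does that on raw message text (for a queue file, what postcat prints once its envelope and record markers are stripped) and, where a signature is present, also recomputes the bh= body hash under the "simple" canonicalization, which is the check behind the "body hash did not verify" rejection named in the support article above. The three messages are constructed inline; the b= value in them is a placeholder, since verifying the signature itself needs the public key from DNS and is out of scope here.

```python
import base64
import hashlib
import re


def split_message(raw: str):
    """Normalise line endings to CRLF and split into header block and body."""
    raw = raw.replace("\r\n", "\n").replace("\n", "\r\n")
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def get_header(head: str, name: str):
    """Return the first value of header `name`, with folded lines unfolded."""
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    prefix = name.lower() + ":"
    for line in unfolded.split("\r\n"):
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list; whitespace inside values is insignificant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def canonical_body_simple(body: str) -> str:
    """RFC 6376 section 3.4.3 'simple' body canonicalization: drop trailing
    empty lines, then make sure the body ends in exactly one CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body: str, algo: str = "sha256", length=None) -> str:
    """Compute the bh= value for a body (any line-ending style accepted)."""
    canon = canonical_body_simple(body.replace("\r\n", "\n").replace("\n", "\r\n"))
    if length is not None:  # l= tag: only the first l bytes are hashed
        canon = canon[:int(length)]
    digest = hashlib.new(algo, canon.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_status(raw: str):
    """Classify a message: unsigned, signed with a matching body hash, or not.

    Returns (status, signing domain d=, selector s=).
    """
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return ("unsigned", None, None)
    tags = parse_tags(sig)
    domain, selector = tags.get("d"), tags.get("s")
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/", 1)[1] if "/" in canon else "simple"
    if body_canon != "simple":  # 'relaxed' body canonicalization is not implemented here
        return ("unsupported-canonicalization", domain, selector)
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    if body_hash(body, algo, tags.get("l")) != tags.get("bh"):
        return ("body-hash-mismatch", domain, selector)
    return ("body-hash-ok", domain, selector)


# --- constructed sample messages ---------------------------------------------
BODY = "Hello,\n\nYour order has shipped.\n"
HEADERS = "From: shop@example.com\nTo: customer@example.net\nSubject: Shipment\n"

# message as it sits in the queue before any signing milter has touched it
UNSIGNED_MSG = HEADERS + "\n" + BODY

# signed message: bh= is genuine, b= is a placeholder (no private key involved)
SIGNED_MSG = (HEADERS
              + "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
              + " s=default; h=from:to:subject; bh=" + body_hash(BODY) + ";\n"
              + " b=PLACEHOLDER_NOT_A_REAL_SIGNATURE\n"
              + "\n" + BODY)

# the same message with its body altered after signing
TAMPERED_MSG = SIGNED_MSG.replace("Your order has shipped.",
                                  "Your order has shipped. Track it at the link below.")

if __name__ == "__main__":
    for label, msg in [("unsigned", UNSIGNED_MSG), ("signed", SIGNED_MSG), ("tampered", TAMPERED_MSG)]:
        print(label, dkim_status(msg))
```

A message classified "unsigned" has no signature to fail; a receiver rejecting it is enforcing a DKIM-required policy, not reporting a broken one. "body-hash-mismatch" is the case where a signature exists but the body was changed after signing (a footer added by a relay, a re-encoded part), and the fix is on the path between signer and recipient rather than in the key or DNS.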
 
@Bitpalast Thank you.

I’ve checked this on my server using postcat -vq <queue_id> and can confirm that there is no DKIM-Signature header present in the queued messages. This confirms that Postfix indeed seems to sign the message at the time of actual SMTP delivery, not at the time of queuing.

However, despite that, the affected emails remain stuck in the mail queue and are not being retried successfully. They are repeatedly rejected by the recipient server (in this case, web.de).

The bounce message includes a reference to this page:


This page explains that messages without valid DKIM signatures are now being rejected, and recommends proper DKIM configuration.

Even though DKIM is now properly enabled on the new server, queued messages sent before DKIM was activated are not signed when retried – and are rejected due to missing or broken DKIM.

So far, Postfix does not seem to automatically reprocess or re-sign these messages upon retry.

Is there any reliable way to force Postfix to re-sign queued messages with DKIM, now that DKIM is active?

Any suggestions would be appreciated.
 