Applicable to:
- Plesk
Question
- The option Allow signing outgoing mail is enabled in Tools & Settings > Mail Server Settings
- The option Use DKIM spam protection system to sign outgoing email messages is enabled in Domain > example.com > Mail Settings
How to get the DKIM public key from Plesk if an external DNS is used and local DNS is not installed?
Answer
Note: This article may require additional administrative knowledge to apply. If any help required, contact the server’s administrator or hosting support.
The only way to get the public key is to extract it manually with openssl from a private key.
-
Login to the server via SSH
-
Private keys are located in the corresponding domain directory in
/etc/domainkeys/, for example,/etc/domainkeys/**example.com**/default(for selector "default")To extract a public key from a private, run the following:
# openssl rsa -in /etc/domainkeys/example.com/default -pubout
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHV
I8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviB
Hg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+
dvFIVlu0MULsWDDJfwIDAQAB
-----END PUBLIC KEY----- -
Merge the result of the command above into one string, and add it as a TXT record for the domain on external DNS server:
CONFIG_TEXT: default._domainkey.example.com IN TXT "v=DKIM1;k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB;"
-
Connect to the server via RDP
-
Run the following command in PowerShell to extract the public key from the private (e.g. for the example.com domain):
PS echo example.com | % { &"$env:plesk_bin\openssl.exe" rsa -in "$env:mailenable_path\Config\DKIM\default-$_.key" -pubout 2>$null }
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDljL7QGIqu0tn4vnaL0EOLiKxd
jqkjMsU/Fb1qkBE45j8A/oIktxed4AfmguCr1r/tepP+j6bs43x91gH9I3VCcwQa
kaYB8JU/T3rNdu5tvlir8YY6bkiYIbh8ORuGPoFZ+mFJXq/GqJLr/b0kGlOyjhrz
PKrd2l6NStgXZXeUxQIDAQAB
-----END PUBLIC KEY----- -
Merge the result of the command above into one string, and add it as a TXT record for the domain on external DNS server:
CONFIG_TEXT: default._domainkey.example.com. TXT v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrmwFZ0bavMlg3QLQvRb0S94fE5jRmikQ9I37v7BZtnxVXXbnrz/GDNLfWlHSugWcf0xY0xV5oi4mhhApwZOYq0SEMzLt5kgMkCY50hNPuNQIDAQAB
Note: the automatic script should be executed only via Tools & Settings > Event Manager, manual execution of the script via the command line will not work.
-
Download the shell script, extract the archive and add executable permissions:
# wget https://support.plesk.com/hc/en-us/article_attachments/360009098393/dkim_script.zip -O /root/dkim_script.zip
# unzip /root/dkim_script.zip
# chmod +x /root/dkim_script.sh
-
Set up an event Physical hosting created in Tools & Settings > Event Manager and specify the full path to the script dkim_script.sh in Command field.
When the script is executed the DKIM public key can be found at /tmp/dkim_keys/dkim_key_example.com.txt.
Note: if the file
/usr/local/psa/var/root.event_handler.lockexists the user root will not be displayed in the User drop-down menu.
Comments
37 comments
Is it possible to show the public key in the control panel under "Mail Settings" please. We're not all admins ;)
Your example is not complete and should be:
default._domainkey.example.com IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB
@Pascal Saul
Thank you for the feedback.
The feature suggestion about showing public key in Plesk UI may be created at Plesk User Voice.
Error, no such file or directory. :(
@Prodesignerch, please, could you give more details about the issue?
When do you have this error shown? During which step of resolution?
Also, let us know what OS and Plesk versions do you use?
Hi, on my test system seems that script not recognize ${NEW_DOMAIN_NAME} parameter.
I can only see this in /tmp/dkim_keys, a file called
"dkim_key_.txt"
And inside this file only
"default._domainkey. IN TXT "v=DKIM1;k=rsa; p="
Thanks a lot.
I kept getting errors when verifying DKIM. "OpenSSL wrong tag"
After some searching I found the reason.
The script in zip-file seems to use the private key in the output for the record when it is actually the public key that needs to be included.
## recreate key:
openssl rsa -in /etc/domainkeys/$new_domain_name/default -pubout -out public.key --> Here we create a public key
## crop first and last line of keyfile
sed '1d;$d' /etc/domainkeys/$new_domain_name/default > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe --> here we trim the private key
Everything worked as expected after I changed the last line to:
sed '1d;$d' public.key > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe
Hello Harm Jakob Tolsma
Thank you for bringing this to our attention.
I have updated the script so that it is working correctly now.
Also, automatic script should be executed only via Tools & Settings > Event Manager, manual execution of the script via the command line will not work.
I rewrote the script a little bit so that the keys can now be saved directly in the customer's document root.
In addition, the script is no longer executed when creating subdomains.
I've added a little description and installation guide in the readme.
https://github.com/rabe0577/plesk-dkim-recreate
I hope I can help you with that.
@Janik R.
Thank you so much for sharing this! I am sure other Pleskians will find it helpful.
@Bato Tsydenov I have executed your script but I obtain this error :
"Can't open /etc/domainkeys/example.com/default for reading, Permission denied
139775231444224:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:74:fopen('/etc/domainkeys/example.com/default','r')
139775231444224:error:2006D002:BIO routines:BIO_new_file:system lib:../crypto/bio/bss_file.c:83:
unable to load Private Key"
Detailed info for default file are :
"-r--r----- 1 root popuser 891 Oct 24 18:06 default"
How can I correct this error and get my DKIM public key ?
Hi @lydie_t.
Please let me know your OS version.
Also, clarify under what user you are executing the command, and whether or not it is working in case you are running it under root user via SSH, not via scheduled task.
Hi @Alexandr Redikultsev,
Connecting under root, I am now able to access "default" file (which is the private key), then execute the command indicated by @Bato Tsydenov. This creates the public key.
Thank you. This helped.
Error No such file or directory
# openssl rsa -in /etc/domainkeys/example.com/default -pubout -out public.key
Error opening Private Key /etc/domainkeys/example.com/default
139977471330208:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/domainkeys/example.com/default','r')
139977471330208:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
Hi @IDC,
Make sure that corresponding file /etc/domainkeys/example.com/default exists indeed. Do not forget to replace example.com with the actual domain's name.
Hi @Alexandr Redikultsev,
Thank you for your response.
Now,I am created file /etc/domainkeys/example.com/default and re-place exam.com to my domain's name.
This error tell me "unable to load Private Key"
# openssl rsa -in /etc/domainkeys/mydomain.com/default -pubout -out public.key
unable to load Private Key
140544879454112:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
Hi @IDC,
This file should not be created manually, it should be created automatically by Plesk when you enable DKIM. Please remove that file and then make sure DKIM is enabled on your server:
Hi,
Is it possible to change the "default" selector to something else ? ("plesk" for example ;))
Thx
Hello @Florent,
Could you, please, give more details about the question?
This will help to give a more precise answer.
Hi @Ivan,
"Private keys are located in the corresponding domain directory in
/etc/domainkeys/, for example,/etc/domainkeys/example.com/default(for selector "default")."I would like to use another selector, not "default", is it possible ? :)
Thx
Hello @Florent,
It is possible.
You may use selector with another name, for example:
/etc/domainkeys/test.ts/plesk
You can create public key using the following command:
openssl rsa -in /etc/domainkeys/test.ts/plesk -pubout -out public.key
However, such solution was not tested.
The ability to change "default" selector automatically is yet to be implemented in Plesk.
I would suggest you to take part in our product improvement by referring to the following link:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/20246935-more-control-of-dkim
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Hi All.
need your help please.
I got this error "Error, no such file or directory"
In fact the directory /etc/domainkeys/ do not exit on my dedicated server. however, i have checked on mail setting DMARC, DKIM an SPF on my Plesk 17.8.11. but directories still unavailable.
Need your help
Hi @M.Ouattara!
The "/etc/domainkeys/" folder is missing because you have not marked the "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" checkbox for any domain yet
Once you mark it for any domain, the "/etc/domainkeys/" folder will be created automatically together with the domain's related folder "/etc/domainkeys/example.com"
Thank you Nikita for your usefull help. Everything is now ok. thank you
The Script works for us after some changes that are based on how we handle the installation of domains/subscription in our company.
Is there any possibility to generate and get the public key with the API or REST API?
Hello @Cfaessler !
To do that, it should be possible to call system utilities (like openssl) via API. Unfortunately, it is not possible to do that either with our XML API or REST API.
to see if I understand, when I mark the option "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" indicates that records are generated in the DNS zone of plesk, right? If the answer is yes, it means that if you use this panel DKIM will work well.
Now, if I use external DNS I could refer to the DNS zone where the records are using a CNAME record ?
Hello @Carlos Ivan Castillo Moya,
You are right, when option "Use DKIM spam protection system to sign outgoing email messages" is enabled, the corresponding DKIM record is generated for the domain DNS zone in Plesk.
Since an external DNS server is used for a domain, the TXT record related to DKIM should be transferred to the external DNS as it is.
You can find the additional information about DKIM protection here:
https://support.plesk.com/hc/en-us/articles/115003843813
Hi.
I have following issue:
I use external DNS service, and I setup DKIM private key as described in a manual on this page. It was working fine with Onyx, but after updating to Obsidian, I now get an error from the backup manager - WARNING: (Mail object 'domain.com') Unable to back up domain keys. Error: Call to a member function getRecordsMatched() on null.
I have re-issued default key, generated a new pub-key, but still getting the error.
Any ideas how to fix this issue?
Thanks
Hello @Alex!
This message is just a warning, it shouldn't affect the integrity of the backup.
I recommend you check the permissions and ownership on the key files so they look like in the example below:
# namei -om /etc/domainkeys/example.com/default
f: /etc/domainkeys/example.com/default
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root domainkeys
drwxr-xr-x root root example.com
-r--r----- root popuser default
If the warning is still shown after setting the correct permissions and ownership, please submit a technical support request for further investigation.
Please sign in to leave a comment.