Question
How to get the DKIM public key from Plesk if an external DNS is used and local DNS is not installed?
Answer
Starting from Plesk Obsidian 18.0.35 DKIM public key is shown in the pop-up window on the Mail Settings page of the particular domain.
-
Go to Domains > example.com > Mail Settings > How to configure external DNS:
- For Plesk Version lower than 18.0.35 it's possible to use a manual approach:
-
Connect to the server via SSH
-
Private keys are located in the corresponding domain directory in
/etc/domainkeys/, for example,/etc/domainkeys/**example.com**/default(for selector "default") -
To extract a public key from a private, run the following:
# openssl rsa -in /etc/domainkeys/example.com/default -pubout
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHV
I8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviB
Hg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+
dvFIVlu0MULsWDDJfwIDAQAB
-----END PUBLIC KEY-----Merge the result of the command above into one string, and add it as a TXT record for the domain on external DNS server:
default._domainkey.example.com IN TXT "v=DKIM1;k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB;"
-
Connect to the server via RDP
-
In case of MailEnable mail server is used find it's configuration directory:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable" | findstr "CONFIG"
Configuration Directory REG_SZ C:\Program Files (x86)\Mail Enable\CONFIGand execute below command, do not forget to replace -in path with found one plus add
\DKIM\default-example.com.key:"%plesk_bin%\openssl" rsa -in "C:\Program Files (x86)\Mail Enable\Config\DKIM\default-example.com.key" -pubout > C:\public.key
The file
C:\public.keywill look like:-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2
Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrmwFZ0bavMlg3QLQvRb0S94fE
5jRmikQ9I37v7BZtnxVXXbnrz/GDNLfWlHSugWcf0xY0xV5oi4mhhApwZOYq0SEM
zLt5kgMkCY50hNPuNQIDAQAB
-----END PUBLIC KEY-----Merge the result into one string and copy the data of the public key file into TXT record for the domain to add it on external DNS server.
default._domainkey.example.com. TXT v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrm
Comments
43 comments
Is it possible to show the public key in the control panel under "Mail Settings" please. We're not all admins ;)
Your example is not complete and should be:
default._domainkey.example.com IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB
@Pascal Saul
Thank you for the feedback.
The feature suggestion about showing public key in Plesk UI may be created at Plesk User Voice.
Error, no such file or directory. :(
@Prodesignerch, please, could you give more details about the issue?
When do you have this error shown? During which step of resolution?
Also, let us know what OS and Plesk versions do you use?
Hi, on my test system seems that script not recognize ${NEW_DOMAIN_NAME} parameter.
I can only see this in /tmp/dkim_keys, a file called
"dkim_key_.txt"
And inside this file only
"default._domainkey. IN TXT "v=DKIM1;k=rsa; p="
Thanks a lot.
I kept getting errors when verifying DKIM. "OpenSSL wrong tag"
After some searching I found the reason.
The script in zip-file seems to use the private key in the output for the record when it is actually the public key that needs to be included.
## recreate key:
openssl rsa -in /etc/domainkeys/$new_domain_name/default -pubout -out public.key --> Here we create a public key
## crop first and last line of keyfile
sed '1d;$d' /etc/domainkeys/$new_domain_name/default > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe --> here we trim the private key
Everything worked as expected after I changed the last line to:
sed '1d;$d' public.key > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe
Hello Harm Jakob Tolsma
Thank you for bringing this to our attention.
I have updated the script so that it is working correctly now.
Also, automatic script should be executed only via Tools & Settings > Event Manager, manual execution of the script via the command line will not work.
I rewrote the script a little bit so that the keys can now be saved directly in the customer's document root.
In addition, the script is no longer executed when creating subdomains.
I've added a little description and installation guide in the readme.
https://github.com/rabe0577/plesk-dkim-recreate
I hope I can help you with that.
@Janik R.
Thank you so much for sharing this! I am sure other Pleskians will find it helpful.
@Bato Tsydenov I have executed your script but I obtain this error :
"Can't open /etc/domainkeys/example.com/default for reading, Permission denied
139775231444224:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:74:fopen('/etc/domainkeys/example.com/default','r')
139775231444224:error:2006D002:BIO routines:BIO_new_file:system lib:../crypto/bio/bss_file.c:83:
unable to load Private Key"
Detailed info for default file are :
"-r--r----- 1 root popuser 891 Oct 24 18:06 default"
How can I correct this error and get my DKIM public key ?
Hi @lydie_t.
Please let me know your OS version.
Also, clarify under what user you are executing the command, and whether or not it is working in case you are running it under root user via SSH, not via scheduled task.
Hi @Alexandr Redikultsev,
Connecting under root, I am now able to access "default" file (which is the private key), then execute the command indicated by @Bato Tsydenov. This creates the public key.
Thank you. This helped.
Error No such file or directory
# openssl rsa -in /etc/domainkeys/example.com/default -pubout -out public.key
Error opening Private Key /etc/domainkeys/example.com/default
139977471330208:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/domainkeys/example.com/default','r')
139977471330208:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
Hi @IDC,
Make sure that corresponding file /etc/domainkeys/example.com/default exists indeed. Do not forget to replace example.com with the actual domain's name.
Hi @Alexandr Redikultsev,
Thank you for your response.
Now,I am created file /etc/domainkeys/example.com/default and re-place exam.com to my domain's name.
This error tell me "unable to load Private Key"
# openssl rsa -in /etc/domainkeys/mydomain.com/default -pubout -out public.key
unable to load Private Key
140544879454112:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
Hi @IDC,
This file should not be created manually, it should be created automatically by Plesk when you enable DKIM. Please remove that file and then make sure DKIM is enabled on your server:
Hi,
Is it possible to change the "default" selector to something else ? ("plesk" for example ;))
Thx
Hello @Florent,
Could you, please, give more details about the question?
This will help to give a more precise answer.
Hi @Ivan,
"Private keys are located in the corresponding domain directory in
/etc/domainkeys/, for example,/etc/domainkeys/example.com/default(for selector "default")."I would like to use another selector, not "default", is it possible ? :)
Thx
Hello @Florent,
It is possible.
You may use selector with another name, for example:
/etc/domainkeys/test.ts/plesk
You can create public key using the following command:
openssl rsa -in /etc/domainkeys/test.ts/plesk -pubout -out public.key
However, such solution was not tested.
The ability to change "default" selector automatically is yet to be implemented in Plesk.
I would suggest you to take part in our product improvement by referring to the following link:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/20246935-more-control-of-dkim
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Hi All.
need your help please.
I got this error "Error, no such file or directory"
In fact the directory /etc/domainkeys/ do not exit on my dedicated server. however, i have checked on mail setting DMARC, DKIM an SPF on my Plesk 17.8.11. but directories still unavailable.
Need your help
Hi @M.Ouattara!
The "/etc/domainkeys/" folder is missing because you have not marked the "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" checkbox for any domain yet
Once you mark it for any domain, the "/etc/domainkeys/" folder will be created automatically together with the domain's related folder "/etc/domainkeys/example.com"
Thank you Nikita for your usefull help. Everything is now ok. thank you
The Script works for us after some changes that are based on how we handle the installation of domains/subscription in our company.
Is there any possibility to generate and get the public key with the API or REST API?
Hello @Cfaessler !
To do that, it should be possible to call system utilities (like openssl) via API. Unfortunately, it is not possible to do that either with our XML API or REST API.
to see if I understand, when I mark the option "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" indicates that records are generated in the DNS zone of plesk, right? If the answer is yes, it means that if you use this panel DKIM will work well.
Now, if I use external DNS I could refer to the DNS zone where the records are using a CNAME record ?
Hello @Carlos Ivan Castillo Moya,
You are right, when option "Use DKIM spam protection system to sign outgoing email messages" is enabled, the corresponding DKIM record is generated for the domain DNS zone in Plesk.
Since an external DNS server is used for a domain, the TXT record related to DKIM should be transferred to the external DNS as it is.
You can find the additional information about DKIM protection here:
https://support.plesk.com/hc/en-us/articles/115003843813
Hi.
I have following issue:
I use external DNS service, and I setup DKIM private key as described in a manual on this page. It was working fine with Onyx, but after updating to Obsidian, I now get an error from the backup manager - WARNING: (Mail object 'domain.com') Unable to back up domain keys. Error: Call to a member function getRecordsMatched() on null.
I have re-issued default key, generated a new pub-key, but still getting the error.
Any ideas how to fix this issue?
Thanks
Hello @Alex!
This message is just a warning, it shouldn't affect the integrity of the backup.
I recommend you check the permissions and ownership on the key files so they look like in the example below:
# namei -om /etc/domainkeys/example.com/default
f: /etc/domainkeys/example.com/default
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root domainkeys
drwxr-xr-x root root example.com
-r--r----- root popuser default
If the warning is still shown after setting the correct permissions and ownership, please submit a technical support request for further investigation.
Please sign in to leave a comment.