Question
How to get the DKIM public key from Plesk if an external DNS is used and local DNS is not installed?
Answer
Starting from Plesk Obsidian 18.0.35, the DKIM public key is shown in a pop-up window on the Mail Settings page of the particular domain.
- Go to Domains > example.com > Mail Settings > How to configure external DNS.
- For Plesk versions lower than 18.0.35, it's possible to use a manual approach:
- Connect to the server via SSH.
- Private keys are located in the corresponding domain directory in /etc/domainkeys/, for example, /etc/domainkeys/example.com/default (for selector "default").
- To extract a public key from a private key, run the following:
# openssl rsa -in /etc/domainkeys/example.com/default -pubout
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHV
I8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviB
Hg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+
dvFIVlu0MULsWDDJfwIDAQAB
-----END PUBLIC KEY-----
- Merge the result of the command above into one string, and add it as a TXT record for the domain on the external DNS server:
default._domainkey.example.com IN TXT "v=DKIM1;k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB;"
- Connect to the server via RDP.
- If the MailEnable mail server is used, find its configuration directory:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable" | findstr "CONFIG"
Configuration Directory REG_SZ C:\Program Files (x86)\Mail Enable\CONFIG
- Then execute the command below. Do not forget to replace the -in path with the one found, plus \DKIM\default-example.com.key:
"%plesk_bin%\openssl" rsa -in "C:\Program Files (x86)\Mail Enable\Config\DKIM\default-example.com.key" -pubout > C:\public.key
The file C:\public.key will look like:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2
Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrmwFZ0bavMlg3QLQvRb0S94fE
5jRmikQ9I37v7BZtnxVXXbnrz/GDNLfWlHSugWcf0xY0xV5oi4mhhApwZOYq0SEM
zLt5kgMkCY50hNPuNQIDAQAB
-----END PUBLIC KEY-----
- Merge the result into one string and copy the data of the public key file into a TXT record for the domain on the external DNS server:
default._domainkey.example.com. TXT v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrm
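The Linux steps above (extract the public key, merge it into one string, build the TXT record) can be scripted. The following is an added example, not part of the original article and not Plesk's code; the function name dkim_txt is an assumption. It refuses any input that is not a PEM public key, so a private key file is never published by mistake, and it goes beyond the article by splitting values longer than 255 characters (as a 2048-bit key produces) into several quoted strings, since a single TXT string cannot hold more.

```shell
#!/bin/sh
# Added example (not Plesk's code). Builds the DKIM TXT record from the PEM
# text printed by: openssl rsa -in <private key> -pubout
#
# Usage (paths as in the article):
#   openssl rsa -in /etc/domainkeys/example.com/default -pubout \
#     | dkim_txt default._domainkey.example.com

# dkim_txt NAME: reads a PEM public key on stdin, prints one zone-file line.
dkim_txt() {
    name=$1
    pem=$(tr -d '\r')    # read stdin, tolerate CRLF line endings

    # Refuse private key material outright: it must never end up in DNS.
    case $pem in
        *"PRIVATE KEY"*)
            echo "refusing: input contains a private key" >&2
            return 1 ;;
    esac
    first=$(printf '%s\n' "$pem" | sed -n '1p')
    if [ "$first" != "-----BEGIN PUBLIC KEY-----" ]; then
        echo "refusing: input is not a PEM public key" >&2
        return 1
    fi

    # Drop the BEGIN/END lines and join the base64 body into one string.
    b64=$(printf '%s\n' "$pem" | grep -v '^-----' | tr -d ' \n')
    if [ -z "$b64" ]; then
        echo "refusing: empty key body" >&2
        return 1
    fi

    # Same tag layout as the record shown in the article.
    value="v=DKIM1;k=rsa; p=$b64;"

    # One TXT character-string holds at most 255 bytes; longer values are
    # written as several quoted strings, which verifiers concatenate.
    chunks=$(printf '%s\n' "$value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s IN TXT %s\n' "$name" "${chunks% }"
}
```

For the 1024-bit sample key shown above the output is a single quoted string identical to the article's record; some DNS control panels want the strings pasted without the surrounding quotes.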
Comments
44 comments
I rewrote the script a little bit so that the keys can now be saved directly in the customer's document root.
In addition, the script is no longer executed when creating subdomains.
I've added a little description and installation guide in the readme.
https://github.com/rabe0577/plesk-dkim-recreate
I hope I can help you with that.
Is it possible to show the public key in the control panel under "Mail Settings", please? We're not all admins ;)
Your example is not complete and should be:
default._domainkey.example.com IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB
Just wanted to let everyone know an easy workaround to finding DKIM public record if DNS is hosted somewhere else.
Just enable DNS for the domain for a few seconds so you can see the DKIM generated in the Plesk DNS management. Copy that to clipboard and disable DNS.
This DKIM record seemed to work perfectly for me when I copied it to my external DNS.
Hi @IDC,
This file should not be created manually, it should be created automatically by Plesk when you enable DKIM. Please remove that file and then make sure DKIM is enabled on your server:
The article mentions: "/etc/domainkeys/example.com/default (for selector "default")". Does this mean it's possible to set a selector name other than 'default'? If so, how?
Jussi Vainionpää
You could also edit the script and have it send you the key.
##send the key by email
mail -s "DKIM record for ${NEW_DOMAIN_NAME}" youremail@domain.com < $dkim_rec_path/$dkim_rec_prefix${NEW_DOMAIN_NAME}$dkim_rec_fe
Hi Francisco Roman Garcia Rodriguez, previous did that. See custom dkim selector name :-)
Hi all.
I need your help, please.
I got this error: "Error, no such file or directory"
In fact, the directory /etc/domainkeys/ does not exist on my dedicated server. However, I have checked the mail settings DMARC, DKIM and SPF on my Plesk 17.8.11, but the directories are still unavailable.
I need your help.
Hi @Alexandr Redikultsev,
Connecting under root, I am now able to access "default" file (which is the private key), then execute the command indicated by @Bato Tsydenov. This creates the public key.
Thank you. This helped.
I did the same process for all my domains on the server, and some of them are working and others are not! With the same configuration! This is insane!
To see if I understand: when I mark the option "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages", it indicates that records are generated in the DNS zone of Plesk, right? If the answer is yes, it means that if you use this panel DKIM will work well.
Now, if I use external DNS, could I refer to the DNS zone where the records are using a CNAME record?
Hello Harm Jakob Tolsma
Thank you for bringing this to our attention.
I have updated the script so that it is working correctly now.
Hello @Cfaessler !
To do that, it should be possible to call system utilities (like openssl) via API. Unfortunately, it is not possible to do that either with our XML API or REST API.
Hi, on my test system it seems that the script does not recognize the ${NEW_DOMAIN_NAME} parameter.
I can only see this in /tmp/dkim_keys, a file called
"dkim_key_.txt"
And inside this file only
"default._domainkey. IN TXT "v=DKIM1;k=rsa; p="
Thanks a lot.
Hi,
Is it possible to change the "default" selector to something else? ("plesk" for example ;))
Thx
Hi @M.Ouattara!
The "/etc/domainkeys/" folder is missing because you have not marked the "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" checkbox for any domain yet.
Once you mark it for any domain, the "/etc/domainkeys/" folder will be created automatically together with the domain's related folder "/etc/domainkeys/example.com".
Hi @IDC,
Make sure that corresponding file /etc/domainkeys/example.com/default exists indeed. Do not forget to replace example.com with the actual domain's name.
Error No such file or directory
# openssl rsa -in /etc/domainkeys/example.com/default -pubout -out public.key
Error opening Private Key /etc/domainkeys/example.com/default
139977471330208:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/domainkeys/example.com/default','r')
139977471330208:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
Hi.
I have following issue:
I use external DNS service, and I setup DKIM private key as described in a manual on this page. It was working fine with Onyx, but after updating to Obsidian, I now get an error from the backup manager - WARNING: (Mail object 'domain.com') Unable to back up domain keys. Error: Call to a member function getRecordsMatched() on null.
I have re-issued default key, generated a new pub-key, but still getting the error.
Any ideas how to fix this issue?
Thanks
Jussi Vainionpää I created an account on this forum, just to thank you!
I kept getting errors when verifying DKIM. "OpenSSL wrong tag"
After some searching I found the reason.
The script in zip-file seems to use the private key in the output for the record when it is actually the public key that needs to be included.
## recreate key:
openssl rsa -in /etc/domainkeys/$new_domain_name/default -pubout -out public.key --> Here we create a public key
## crop first and last line of keyfile
sed '1d;$d' /etc/domainkeys/$new_domain_name/default > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe --> here we trim the private key
Everything worked as expected after I changed the last line to:
sed '1d;$d' public.key > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe
@Prodesignerch, please, could you give more details about the issue?
When do you have this error shown? During which step of resolution?
Also, let us know what OS and Plesk versions do you use?
Currently, Plesk allows using only "default" name. There is a corresponding feature request which you may vote to get this implemented.
Clicking 'mydomain' >> Mail Settings >> Use DKIM spam protection system to sign outgoing email messages
Produces the following error. No domainkeys directory is created and the checkbox remains unticked
DNS is on external provider
Could I change string "default" at "default._domainkey.example.com"?
@Janik R.
Thank you so much for sharing this! I am sure other Pleskians will find it helpful.
Hi @Alexandr Redikultsev,
Thank you for your response.
Now I have created the file /etc/domainkeys/example.com/default and replaced exam.com with my domain's name.
The error tells me "unable to load Private Key"
# openssl rsa -in /etc/domainkeys/mydomain.com/default -pubout -out public.key
unable to load Private Key
140544879454112:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
Also, the automatic script should be executed only via Tools & Settings > Event Manager; manual execution of the script via the command line will not work.
Hello @Carlos Ivan Castillo Moya,
You are right, when option "Use DKIM spam protection system to sign outgoing email messages" is enabled, the corresponding DKIM record is generated for the domain DNS zone in Plesk.
Since an external DNS server is used for a domain, the TXT record related to DKIM should be transferred to the external DNS as it is.
You can find the additional information about DKIM protection here:
https://support.plesk.com/hc/en-us/articles/115003843813
I stand corrected. I just now see that this is actually from 18.035 and I have 34. My apologies.