Question
How to get the DKIM public key from Plesk if an external DNS is used and local DNS is not installed?
Answer
Starting from Plesk Obsidian 18.0.35, the DKIM public key is shown in the pop-up window on the Mail Settings page of the particular domain.
- Go to Domains > example.com > Mail Settings > How to configure external DNS.
- For Plesk versions lower than 18.0.35, a manual approach can be used:
- Connect to the server via SSH.
- Private keys are located in the corresponding domain directory in /etc/domainkeys/, for example, /etc/domainkeys/example.com/default (for selector "default").
- To extract the public key from the private key, run the following:
# openssl rsa -in /etc/domainkeys/example.com/default -pubout
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHV
I8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviB
Hg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+
dvFIVlu0MULsWDDJfwIDAQAB
-----END PUBLIC KEY-----
- Merge the result of the command above into one string (the base64 lines between the BEGIN and END markers, without line breaks), and add it as a TXT record for the domain on the external DNS server:
default._domainkey.example.com IN TXT "v=DKIM1;k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB;"
- Connect to the server via RDP.
- If the MailEnable mail server is used, find its configuration directory:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable" | findstr "CONFIG"
Configuration Directory REG_SZ C:\Program Files (x86)\Mail Enable\CONFIG
- Execute the command below. Do not forget to replace the -in path with the directory found above plus \DKIM\default-example.com.key:
"%plesk_bin%\openssl" rsa -in "C:\Program Files (x86)\Mail Enable\Config\DKIM\default-example.com.key" -pubout > C:\public.key
- The file C:\public.key will look like:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2
Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrmwFZ0bavMlg3QLQvRb0S94fE
5jRmikQ9I37v7BZtnxVXXbnrz/GDNLfWlHSugWcf0xY0xV5oi4mhhApwZOYq0SEM
zLt5kgMkCY50hNPuNQIDAQAB
-----END PUBLIC KEY-----
- Merge the result into one string and copy the data of the public key file into a TXT record for the domain to add it on the external DNS server.
default._domainkey.example.com. TXT v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj/lKsikGILTobyJySVXLe4vK2Yvt82Gqk0og/p5XOXhDxxpjUgKig437UucQHwwVrm
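The merge step and a check of the published record can be scripted. The following is an added example, not part of the original article or of Plesk's tooling: the function names are assumptions, the sample key is the one printed in the Linux steps above, and the DNS answer is constructed from it to show a value split into two quoted strings.

```shell
#!/bin/sh
# Added example, not Plesk code: build the DKIM TXT value from PEM output and
# compare it with the record an external DNS host returns.

# PEM on stdin -> bare base64 for the p= tag (armor lines and line breaks removed).
pem_to_p() { grep -v '^-----' | tr -d ' \t\r\n'; }

# PEM on stdin -> TXT value in the form the article publishes.
dkim_txt_value() { printf 'v=DKIM1; k=rsa; p=%s;' "$(pem_to_p)"; }

# TXT answer on stdin, one record per line as `dig +short TXT` prints it (a long
# value may be split into several quoted strings) -> one p= value per record.
published_p() { tr -d '" \t\r' | tr ';' '\n' | sed -n 's/^p=//p'; }

# check_dkim PEM_TEXT TXT_ANSWER -> prints match | mismatch | missing | multiple
check_dkim() {
    want=$(printf '%s\n' "$1" | pem_to_p)
    got=$(printf '%s\n' "$2" | published_p)
    n=$(printf '%s\n' "$got" | grep -c . || true)
    case $n in
        0) echo missing; return 1 ;;
        1) ;;
        *) echo multiple; return 1 ;;
    esac
    if [ "$want" = "$got" ]; then echo match; else echo mismatch; return 1; fi
}

# Sample input: the public key printed by openssl in the article above.
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHV
I8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviB
Hg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+
dvFIVlu0MULsWDDJfwIDAQAB
-----END PUBLIC KEY-----'

# Constructed DNS answer: the same key split into two quoted strings.
SAMPLE_P=$(printf '%s\n' "$SAMPLE_PEM" | pem_to_p)
SAMPLE_TXT=$(printf '"v=DKIM1; k=rsa; p=%s" "%s;"' \
    "$(printf '%s' "$SAMPLE_P" | cut -c1-100)" "$(printf '%s' "$SAMPLE_P" | cut -c101-)")

printf '%s\n' "$SAMPLE_PEM" | dkim_txt_value; echo
check_dkim "$SAMPLE_PEM" "$SAMPLE_TXT"
# Live use (names as in the article):
#   check_dkim "$(openssl rsa -in /etc/domainkeys/example.com/default -pubout)" \
#              "$(dig +short TXT default._domainkey.example.com)"
```

`multiple` means the name returns more than one record carrying a p= tag, and `mismatch` means the published key differs from the one derived from the private key.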
Comments
Hi Taras Ermoshin.
Thank you for your reply.
I checked the permissions as you suggested, and it all looks the same as in your example.
I understand that this is just a warning, but since I have backups running every day for multiple domains, these messages multiply with each failure and clutter the backup screen very much.
I will submit a request, but not sure how this can be solved, since it is tied up to the DNS functionality.
Thank you for your help.
The article mentions: "/etc/domainkeys/example.com/default (for selector "default")".
Does this mean it's possible to set a selector name other than 'default'? If so, how?
Hi Iain,
Within Plesk, there's only one DKIM selector by design.
If you see it necessary, I encourage you to create a new Uservoice request.
Hi Francisco Roman Garcia Rodriguez, previous did that. See custom dkim selector name :-)
Just wanted to let everyone know an easy workaround to finding DKIM public record if DNS is hosted somewhere else.
Just enable DNS for the domain for a few seconds so you can see the DKIM generated in the Plesk DNS management. Copy that to clipboard and disable DNS.
This DKIM record seemed to work perfectly for me when I copied it to my external DNS.
Jussi Vainionpää
You could also edit the script and have it send you the key.
##send the key by email
mail -s "DKIM record for ${NEW_DOMAIN_NAME}" youremail@domain.com < $dkim_rec_path/$dkim_rec_prefix${NEW_DOMAIN_NAME}$dkim_rec_fe
Jussi Vainionpää I created an account on this forum, just to thank you!
Could I change string "default" at "default._domainkey.example.com"?
Currently, Plesk allows using only "default" name. There is a corresponding feature request which you may vote to get this implemented.
I did the same process for all my domains on the server, and some of them are working and others not! With the same configuration! This is insane!
Clicking 'mydomain' >> Mail Settings >> Use DKIM spam protection system to sign outgoing email messages
Produces the following error. No domainkeys directory is created and the checkbox remains unticked
DNS is on external provider
That "hint link" next to "Use DKIM" is not in my mail settings. So how do I find this? I have Googled like crazy, but using the phrase "How to" gives the same page over and over with the exact same "solution". Would be nice if the "updated 21 days ago" would be accurate for more recent Plesk versions.
I stand corrected. I just now see that this is actually from 18.035 and I have 34. My apologies.
I enabled DKIM and got the record with the standard key like in this article :/
When I open the default file there is the real key (SSH)
I am a little bit confused. Changed the DNS record using the key in the default file.
Now I have two records added
I use Cloudflare and have updated the records as:
Still get error when testing DKIM setup
This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: wrong tag at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/new_public_key.al) line 91
The same issue here like from Cem Sayar. DKIM key is not verified.