Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
-
Outbound (outgoing) emails do not pass DKIM verification. The following can be found in source message on recipient side:
ARC-Authentication-Results: i=1;
dkim=fail -
Third party DKIM test services like http://dkimvalidator.com or https://www.mail-tester.com/ show the following in "Validating Signature" section:
result = fail
Details: bad RSA signature
Validating Signature
result = fail
Details: OpenSSL error: data too small for key size
Your DKIM signature is not valid
- The affected domain is using an external DNS zone (and external nameservers) as primary, instead of the DNS zone that resides on the side of your Plesk server
Cause
The TXT record for default._domainkey.example.com, which is set in Plesk > Domains > Mail > Mail Settings example.com > DNS Settings does not match with the current DNS TXT record that resides on the side of the primary DNS zone of the domain (or is missing entirely from the primary DNS zone of the domain):
# dig +short TXT default._domainkey.example.com @203.0.113.2
"v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQU111...
# dig +short TXT default._domainkey.example.com @8.8.8.8
"v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...
Resolution
Update (or create) the DNS TXT record default._domainkey.example.com on the side of the external primary DNS zone of the example.com domain by following these steps:
- Log into Plesk
- Retrieve the necessary value for the DNS TXT DKIM record at Domains > example.com >Mail > Mail Settings > How to configure external DNS
- Log into the dashboard of the external DNS provider for the domain
- Set the same DNS TXT DKIM record as shown in How to configure external DNS section for the domain within the primary external DNS Zone for the domain
Once this is done and the global domain propagation has taken place, outgoing emails from this domain will stop being rejected or returned.
Comments
Please sign in to leave a comment.