Plesk for Windows
Plesk for Linux
kb: how-to
ABT: Group A
Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to configure DKIM policy in Plesk?
Answer
After enabling DKIM for a domain, two DNS records are added at Domains > example.com > DNS Settings. A DNS TXT record "_domainkey.<example.com>" contains a DKIM policy which can be adjusted.
For example, the default policy "0=-" means that all emails from this domain will be signed with a DKIM signature. In order to configure DKIM policy, edit this DNS TXT record.
For more information about configuring DKIM settings, refer to DKIM.org.
Comments
7 comments
Where I can find "opendkim.conf"?
Hello @Karl May,
Thank you for your question.
If opendkim package is installed on the server, then the default location of opendkim.conf file is /etc/opendkim/opendkim.conf.
However, this package is not packed with Plesk, but libopendkim-2.11.0-0.1.el6.x86_64 is.
So the only way to configure DKIM policy is the one which is provided in the article.
Kuzma Ivanov Just a quick question / comment: What you describe here (and at https://docs.plesk.com/en-US/obsidian/administrator-guide/mail/antispam-tools/dkim-spf-and-dmarc-protection/dmarc.59433/#dkim) refers to the old Yahoo "Domain Keys" policy?!
To my knowledge this DNS record could / should be deleted as DKIM does not use any policies any more (that's what DMARC is meant for).
Hi b_p,
I haven't found any link to Yahoo pages, could you please explain what record is the one you suggest to be deleted and why?
Hi Francisco Roman Garcia Rodriguez I refer to the following record
_domainkey.<example.com> IN TXT "o=-"
This is the outbound signing policy used with the old "Domain Keys" and not its successor DKIM: http://knowledge.ondmarc.redsift.com/en/articles/1553839-domainkeys-policy-record
If you have a look at the current DKIM RFC, that record does not exist any more.
@b_p,
I'd recommend contacting our Support Team for assistance in case of any questions.
@b_p @Anzhelika Khapaknysh
I can confirm that enabling DKIM signing will add the depreciated signing policy DNS record. Plesk should correct this. The DKIM records are not listed under the DNS template settings, so it is not correctable by the Plesk Admin.
This means that Plesk's DKIM implementation is incorrect (bug?) as it seems they carried over the "signing policy" record from the previous "DomainKeys" system, that was a predecessor of DKIM, but is not a part of DKIM.
The devs should be notified. However, at the moment, it isn't causing mail deliverability trouble, as far as I know, it's just creating extraneous DNS records, that will eventually need to be removed for each domain.
Please sign in to leave a comment.