Nowadays email is an unavoidable part of life. However, misuse of email (spamming, spoofing and so on) is also increasing day by day, and there are many ways it can drag you into trouble with your mailbox.
To stop such invalid senders, a few authentication protocols (such as SPF and DomainKeys) were introduced, but they are not enough to stop spammers.
DKIM and DMARC add an extra layer of authentication: DKIM signs each outgoing message cryptographically, and DMARC publishes a policy that tells recipients how to treat mail that fails the checks.
The recipient's mail server can verify the DKIM signature by retrieving the sender's public key through DNS. It then uses that key to verify the signed hash value in the email's header while recalculating the hash of the message it received; if the two match, the signature is valid.
Unfortunately, Plesk control panel users cannot take advantage of this. Up to Plesk 12.5, Plesk uses the old DomainKeys and SPF authentication mechanisms, which Outlook and Exchange servers do not like at all.
Plesk will add DKIM support in the upcoming Plesk 17 Onyx.
So what about Plesk 12.x users?
Don't worry: follow this tutorial and you will learn how to install DKIM and DMARC on Plesk 12.5.
First of all, I want to thank Ilija Matoski for his beautiful demonstration.
My test environment
OS : CentOS 7
Plesk : 12.5#43
Postfix version : 2.11
Step 1
Install opendkim and add it to the system startup scripts
# yum install opendkim
# chkconfig opendkim on
Step 2
Turn on SPF and DomainKeys in Plesk
Go to Plesk Panel > Tools & settings > Mail Server Settings
Enable DomainKey signature for outgoing mail
Plesk Panel > Domains > Mail Settings > Use DomainKeys spam protection system to sign outgoing email messages
Step 3
Generate DKIM key
Add the domain directory. The domain directory contains the public and private keys.
# mkdir /etc/opendkim/keys/cos701.tld
Generate the keys
cd /etc/opendkim/keys/cos701.tld
opendkim-genkey -d cos701.tld -s mail
chown -Rv opendkim:opendkim /etc/opendkim/keys/cos701.tld
chmod -v u=rw,go-rwx *
Verify the keys
[root@pp1253 plesk-dkim]# ll /etc/opendkim/keys/cos701.tld/
total 8
-rw------- 1 opendkim opendkim 891 Aug 13 07:37 mail.private
-rw------- 1 opendkim opendkim 308 Aug 13 07:37 mail.txt
Domains are ready
The DNS value for DKIM is stored in the file /etc/opendkim/keys/cos701.tld/mail.txt
[root@pp1253 plesk-dkim]# cat /etc/opendkim/keys/cos701.tld/mail.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC64dnB87OrRTm7FhcVxcof4TJJKJBsTYvmR718dAbUZRFg1/8KtgZHgt/dnmGM+stn8rkEykJzzPWEvajM4YM737vD1yQBlR6ZXyYg4w5WQzgQDJvGfKjmURl5Mq8cuasLw6skVUjO6XmfgxeoB6gt+aai7d4Iq3wawRqT8nsV0QIDAQAB" ) ; ----- DKIM key mail for cos701.tld
Step 4
Add the value to the DNS “Plesk Panel > Domains > cos701.tld > DNS settings”
Additionally, add the following value for DMARC support
_dmarc.cos701.tld. TXT v=DMARC1; p=quarantine; pct=100; rua=mailto:postmaster@cos701.tld
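opendkim-genkey writes the DKIM record in mail.txt as several quoted chunks, so a truncated key is easy to paste into the DNS form. The script below is an added example, not part of the original tutorial: it joins the chunks into one value and compares the p= key in a resolver answer with the one in mail.txt. The function names and the placeholder key are assumptions made for the illustration.

```shell
# Added example, not part of the original tutorial.
# The key material below is a constructed placeholder, not a real key.

# Join the quoted chunks of a TXT record into a single value. Accepts the
# zone-file form written by opendkim-genkey and `dig +short TXT` output.
txt_join() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the value of one tag (v, k, p) from a joined DKIM record.
dkim_tag() {
    printf '%s' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p"
}

# $1 = path to mail.txt, $2 = TXT answer returned by the resolver.
# Returns 0 on match, 1 on mismatch, 2 if mail.txt is not a usable record.
dkim_dns_matches() {
    want=$(txt_join < "$1")
    have=$(printf '%s\n' "$2" | txt_join)
    [ "$(dkim_tag "$want" v)" = "DKIM1" ] || return 2
    [ -n "$(dkim_tag "$want" p)" ] || return 2
    [ "$(dkim_tag "$want" p)" = "$(dkim_tag "$have" p)" ]
}

# Demo on a constructed mail.txt. On the server the answer would come from:
#   dig +short TXT mail._domainkey.cos701.tld
sample=$(mktemp)
cat > "$sample" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=PLACEHOLDERKEYPART1" "PLACEHOLDERKEYPART2" ) ; ----- DKIM key mail for cos701.tld
EOF
answer='"v=DKIM1; k=rsa; " "p=PLACEHOLDERKEYPART1PLACEHOLDERKEYPART2"'
if dkim_dns_matches "$sample" "$answer"; then
    echo "published record matches mail.txt"
else
    echo "published record differs from mail.txt"
fi
rm -f "$sample"
```

`txt_join < /etc/opendkim/keys/cos701.tld/mail.txt` prints the single-line value to publish.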
Step 5
Configure OpenDKIM
Add the following values to the ‘/etc/opendkim/TrustedHosts’ file.
127.0.0.1
localhost
123.123.123.123
cos701.tld
ns1.cos701.tld
ns2.cos701.tld
mail.cos701.tld
Add the following value to ‘/etc/opendkim/KeyTable’. The ‘KeyTable’ file lists each key ID along with its domain, selector and private key file path.
# KeyID Domain:Selector:PathToPrivateKey
cos701.tld cos701.tld:mail:/etc/opendkim/keys/cos701.tld/mail.private
Add the following value to ‘/etc/opendkim/SigningTable’. The ‘SigningTable’ file maps sender addresses to the key ID that signs their mail.
*@cos701.tld cos701.tld
We need to edit the configuration file to configure DKIM. Take a backup of /etc/opendkim.conf first
# cp /etc/opendkim.conf{,.bak}
Then open /etc/opendkim.conf with your favorite editor and add the following lines to the end of the file
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256
AutoRestart Yes
SignHeaders From,Sender,To,CC,Subject,Message-Id,Date
OversignHeaders From,Sender,To,CC,Subject,Message-Id,Date
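An added sanity check for this step, not part of the original tutorial: every key ID in SigningTable should exist in KeyTable, and the private key it points to should exist, belong to the opendkim user and be closed to group and others. The function name and the temporary files in the demo are constructed for the illustration; on the server, run it as root with /etc/opendkim/KeyTable and /etc/opendkim/SigningTable as arguments.

```shell
# Added example, not part of the original tutorial.
# Cross-checks SigningTable -> KeyTable -> private key file.
# $1 = KeyTable, $2 = SigningTable, $3 = expected key owner (default opendkim)
# Prints one line per problem and returns the number of problems found.
audit_opendkim_tables() {
    keytable=$1 signingtable=$2 owner=${3:-opendkim} problems=0
    while read -r pattern keyid _; do
        case $pattern in ''|'#'*) continue ;; esac
        # KeyTable line: <KeyID> <domain>:<selector>:<path to private key>
        entry=$(awk -v id="$keyid" '$1 == id { print $2; exit }' "$keytable")
        if [ -z "$entry" ]; then
            echo "$pattern: key ID '$keyid' is not in KeyTable"
            problems=$((problems + 1)); continue
        fi
        keyfile=${entry#*:*:}
        if [ ! -f "$keyfile" ]; then
            echo "$keyid: $keyfile does not exist"
            problems=$((problems + 1)); continue
        fi
        listing=$(ls -ld "$keyfile")
        # Characters 5-10 of the mode string are the group and other bits.
        if [ "$(printf '%s\n' "$listing" | cut -c5-10)" != "------" ]; then
            echo "$keyid: $keyfile is accessible by group or others"
            problems=$((problems + 1))
        fi
        if [ "$(printf '%s\n' "$listing" | awk '{ print $3 }')" != "$owner" ]; then
            echo "$keyid: $keyfile is not owned by $owner"
            problems=$((problems + 1))
        fi
    done < "$signingtable"
    return "$problems"
}

# Demo on constructed files: the KeyTable names a directory other than
# the one that holds the key, so the audit reports a missing file.
d=$(mktemp -d)
mkdir -p "$d/keys/cos701.tld"
: > "$d/keys/cos701.tld/mail.private"
chmod 600 "$d/keys/cos701.tld/mail.private"
echo "cos701.tld cos701.tld:mail:$d/keys/other.tld/mail.private" > "$d/KeyTable"
echo "*@cos701.tld cos701.tld" > "$d/SigningTable"
audit_opendkim_tables "$d/KeyTable" "$d/SigningTable" || echo "problems: $?"
rm -rf "$d"
```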
Step 6
OpenDKIM is properly set up; let's move on and configure Postfix.
Open /etc/postfix/main.cf with your favorite editor, and modify the following lines
milter_default_action = accept
milter_protocol = 6
smtpd_milters = , inet:127.0.0.1:8891, inet:127.0.0.1:12768
non_smtpd_milters = $smtpd_milters
Postfix is also ready; restart it
service postfix restart
Step 7
For verification, send a mail to the following mail addresses; you will get an instant reply with the result
check-auth@verifier.port25.com
AAAA3QcKCQwA@appmaildev.com
The result should look similar to this
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
Congratulations! You have successfully installed DKIM on Plesk. I would be very grateful if this tutorial, ‘Install DKIM and DMARC on Plesk 12.5’, is helpful to you.
For DKIM key domain folder creation, ensure that the folder has proper rights.
if you created mkdir /etc/opendkim/keys/mydomain.com
do
chmod 700 /etc/opendkim/keys/mydomain.com (without / at end)
chown opendkim:opendkim /etc/opendkim/keys/mydomain.com
without this you will get an error sending emails,
and in /etc/var/maillog you will get a message like
opendkim[16751]: can’t load key from /etc/opendkim/keys/domain.com/mail.private: Permission denied