Proxmox doesn't have all the required details in their documentation for properly configuring DKIM signing. Here is how I got it configured and working correctly:
1. Create a new DKIM record for your primary domain here:
https://easydmarc.com/tools/dkim-record-generator. You will be provided with a DNS record, public and private key. Keep this page open!
2. Be sure to create the DKIM record in your DNS for that domain using the appropriate selector
3. In Proxmox Mail Gateway, navigate to Configuration > Mail Proxy > DKIM
4. In the Settings area, click the Selector row and then the Edit button
5. Enter the name of the selector you just created in the record generator tool. Ex. relay (do not include the ._domainkey portion of the record!)
6. Choose a key size of 2048 and tick the Overwrite existing file
7. Click update
8. Now SSH to the master Proxmox host
9. Change to /etc/pmg/dkim folder
10. Edit the file named relay.private (the file will be named in the format [selector].private
11. Empty the file and paste the private key into provided in step 1 into the file and save the changes
12. The file only needs permissions of 0600
13. DO NOT change this file unless you generate a new DKIM record!!!!
14. Add the SAME DKIM record to each domain that for which you want the gateway to sign outbound messages. This key will have the same selector name and same content for every domain that your gateway signs!
15. Once you save the private key, it will get replicated to other hosts in the cluster.
16. Now your outbound relayed domains will be DKIM signed and will validate so long as the DKIM records exist in DNS for the domain.
If you change the DKIM record on your main domain, you will need to change the record on EVERY domain that your gateway is signing to match.
Also make sure you SPF records are correct so DKIM is used correctly.