[SOLVED] dkim signing


May 20, 2020

here is the senario i want to solve.

we have internal servers that we want to sign.

the setup:

server 1 2 3 sends email via our PMG on internal port 587


we want to sign the domain.se but the domain.se is has email in office 365.

selector is wecon

so we setup a txt record with what we see in mail proxy DKIM view dns record.

and then we have sign domains and there we have domain.se and domain.net but the dkim signing gets failed. is this setup supported? we dont want to sign all emails comming from PMG as we have other clients use it to send email from our network.


server1,2,3 are webservers and some mail servers some windows some linux most uses there own code to send stuff like web forms from the website to the clients mailbox in the form of website@clientsdomain.com.

we want to sign these mails too if possible like the client adds the dkim record to there dns servers. is this config valid and supported?
Last edited:
server 1 2 3 sends email via our PMG on internal port 587
Just to have mentioned it - PMG does not support SMTPAUTH (since port 587 is most often used with SMTPAUTH)

Please share the logs of such a mail that fails DKIM signing - maybe then we can see where the issue is

forgot to add PVE the host only allows our public ips to talk to port 587

here is a output i see in PMG

2023-07-31T17:14:40.846613+02:00 smtpgwny postfix/smtpd[3018]: connect from unms.weconnect.se[]
2023-07-31T17:14:40.863982+02:00 smtpgwny postfix/smtpd[3018]: Anonymous TLS connection established from unms.weconnect.se[]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2023-07-31T17:14:40.872593+02:00 smtpgwny postfix/smtpd[3018]: D4FB12056E: client=unms.weconnect.se[]
2023-07-31T17:14:40.900173+02:00 smtpgwny postfix/cleanup[3021]: D4FB12056E: message-id=<0a953a10-7280-e0e8-1bf6-17f513f52dee@weconnect.se>
2023-07-31T17:14:40.982582+02:00 smtpgwny postfix/qmgr[705]: D4FB12056E: from=<unms@weconnect.se>, size=132354, nrcpt=1 (queue active)
2023-07-31T17:14:40.984035+02:00 smtpgwny postfix/smtpd[3018]: disconnect from unms.weconnect.se[] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
2023-07-31T17:14:41.047024+02:00 smtpgwny pmg-smtp-filter[738]: 208FC64C7CFE106503: new mail message-id=<0a953a10-7280-e0e8-1bf6-17f513f52dee@weconnect.se>#012
2023-07-31T17:14:42.680816+02:00 smtpgwny pmg-smtp-filter[738]: 208FC64C7CFE106503: SA score=0/5 time=1.572 bayes=undefined autolearn=disabled hits=DMARC_PASS(-0.1),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01),T_SCC_BODY_TEXT_LINE(-0.01)
2023-07-31T17:14:42.682793+02:00 smtpgwny postfix/smtpd[3027]: connect from localhost.localdomain[]
2023-07-31T17:14:42.684464+02:00 smtpgwny postfix/smtpd[3027]: A70DF20915: client=localhost.localdomain[], orig_client=unms.weconnect.se[]
2023-07-31T17:14:42.688771+02:00 smtpgwny postfix/cleanup[3021]: A70DF20915: message-id=<0a953a10-7280-e0e8-1bf6-17f513f52dee@weconnect.se>
2023-07-31T17:14:42.738435+02:00 smtpgwny postfix/qmgr[705]: A70DF20915: from=<unms@weconnect.se>, size=132566, nrcpt=1 (queue active)
2023-07-31T17:14:42.738600+02:00 smtpgwny postfix/smtpd[3027]: disconnect from localhost.localdomain[] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2023-07-31T17:14:42.738734+02:00 smtpgwny pmg-smtp-filter[738]: 208FC64C7CFE106503: accept mail to <redacted@weconnect.se> (A70DF20915) (rule: default-accept)
2023-07-31T17:14:42.741254+02:00 smtpgwny pmg-smtp-filter[738]: 208FC64C7CFE106503: processing time: 1.711 seconds (1.572, 0.059, 0)
2023-07-31T17:14:42.741684+02:00 smtpgwny postfix/lmtp[3022]: D4FB12056E: to=<redacted@weconnect.se>, relay=[]:10023, delay=1.9, delays=0.11/0/0.04/1.7, dsn=2.5.0, status=sent (250 2.5.0 OK (208FC64C7CFE106503))
2023-07-31T17:14:42.741780+02:00 smtpgwny postfix/qmgr[705]: D4FB12056E: removed
2023-07-31T17:14:42.987021+02:00 smtpgwny postfix/smtp[3028]: Trusted TLS connection established to weconnect-se.mail.protection.outlook.com[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2023-07-31T17:14:43.900681+02:00 smtpgwny postfix/smtp[3028]: A70DF20915: to=<redacted@weconnect.se>, relay=weconnect-se.mail.protection.outlook.com[]:25, delay=1.2, delays=0.05/0/0.27/0.89, dsn=2.6.0, status=sent (250 2.6.0 <0a953a10-7280-e0e8-1bf6-17f513f52dee@weconnect.se> [InternalId=45213120732257, Hostname=GVYP280MB0015.SWEP280.PROD.OUTLOOK.COM] 140694 bytes in 0.125, 1095.724 KB/sec Queued mail for delivery)
2023-07-31T17:14:43.901530+02:00 smtpgwny postfix/qmgr[705]: A70DF20915: removed

when we used mail-tester.com to test dkim signing it failed.
my first guess is that you need to add the DNS-TXT record in slightly different format
(PMG's output in the GUI orients itself on opendkim - afair this works with bind zonefiles - but with most DNS providers you need to edit it slightly
(remove the multiple split string and add it as one is one option I've seen)


Else - can you share the relevant part of you /etc/pmg/pmg.conf and /etc/pmg/dkim/domains

i have taken away the (" and "); at the end of the output in view dns record as we are using plesk that is using bind9 in the backend.

will report back if it works or not.
see the output of the mxtoolbox link I pasted above - you probably also should remove the quotes in the middle ...

(once the mxtoolbox link says that the record is correct - further tests with mails might work)

i got it to work here are my findings and how i got to getting it to work

we use plesk as DNS host witch uses bind9 as backend so it adds alot of stuff behind the hood.

the orginal output from PMG in my case is

wecon._domainkey    IN    TXT    ( "v=DKIM1; h=sha256; k=rsa; "
      "1Vqgf39rcO5W/Nc5zsA73hrqC1kKYlieq9G9mHz83XYXh4nXXVhdKcJJ4Qkm3Aip/f3koRXIjbb31a4eSu1Oj4u7xat4UsgKazic4b50ZczmyOMXjn3pk0HQERRoLMcdzwTpVtXQIDAQAB" )  ; ----- DKIM key wecon

first i tried was combining k" "1Vqgf3 into one string like so k1Vqgf3 did not work then i took away the ( " ");
like this

wecon._domainkey    IN    TXT    v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkBHJFqU/IlAOaJ18mgDkdje09dw03BFipm/BSeXA46SaDLblOUqBQ7GDjeYzMQx7UJChy0c8hdtm/1EI/HE3QBVcsDUHMM2X97sD1cHZRhvlT3cGfp6wzKaYXvIj9CTgFwY/Q/VuLlj+lGLQOqXCq0LBFMu0bAVvXnSv1TqSwVYKrye3iH1JIsMM/lDYj1jfU5ecY1yt6SVqk1Vqgf39rcO5W/Nc5zsA73hrqC1kKYlieq9G9mHz83XYXh4nXXVhdKcJJ4Qkm3Aip/f3koRXIjbb31a4eSu1Oj4u7xat4UsgKazic4b50ZczmyOMXjn3pk0HQERRoLMcdzwTpVtXQIDAQAB

still did not work.

what i did then was removing all the " from the output like this

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkBHJFqU/IlAOaJ18mgDkdje09dw03BFipm/BSeXA46SaDLblOUqBQ7GDjeYzMQx7UJChy0c8hdtm/1EI/HE3QBVcsDUHMM2X97sD1cHZRhvlT3cGfp6wzKaYXvIj9CTgFwY/Q/VuLlj+lGLQOqXCq0LBFMu0bAVvXnSv1TqSwVYKrye3iH1JIsMM/lDYj1jfU5ecY1yt6SVqk1Vqgf39rcO5W/Nc5zsA73hrqC1kKYlieq9G9mHz83XYXh4nXXVhdKcJJ4Qkm3Aip/f3koRXIjbb31a4eSu1Oj4u7xat4UsgKazic4b50ZczmyOMXjn3pk0HQERRoLMcdzwTpVtXQIDAQAB

as plesk adds the " in the begining of the txt record and the end.

how it should look like in a normal bind9 config i dont know but i think it should be someting like this

wecon._domainkey    IN    TXT    "v=DKIM1; h=sha256; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkBHJFqU/IlAOaJ18mgDkdje09dw03BFipm/BSeXA46SaDLblOUqBQ7GDjeYzMQx7UJChy0c8hdtm/1EI/HE3QBVcsDUHMM2X97sD1cHZRhvlT3cGfp6wzKaYXvIj9CTgFwY/Q/VuLlj+lGLQOqXCq0LBFMu0bAVvXnSv1TqSwVYKrye3iH1JIsMM/lDYj1jfU5ecY1yt6SVqk1Vqgf39rcO5W/Nc5zsA73hrqC1kKYlieq9G9mHz83XYXh4nXXVhdKcJJ4Qkm3Aip/f3koRXIjbb31a4eSu1Oj4u7xat4UsgKazic4b50ZczmyOMXjn3pk0HQERRoLMcdzwTpVtXQIDAQAB"

As we are moving away from standalone bind9 to plesk i cant test if the above record works.

i hope this helps someone that has a issue with how to implement DKIM in PMG :)
Last edited:


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!