Plesk DKIM

DKIM protection

DomainKeys Identified Mail (DKIM) & #8222; provides a method for validating the identity of a domain name associated with a message using encryption authentication. & #8220; (

To support DKIM, Plesk uses the features of an external library (Linux) or the mail server (Windows) used in Plesk. The following mail server requirements apply:

  • Postfix, Qmail, SmarterMal, IceWarp, MailEnable Professional, All modern versions.
  • MailEnable standard, From version 9.16.

Support for DKIM policies in Plesk is enhanced by support for other policies: SPF and DMARC. For more information, see below in this section Use SPF and DMARC for outbound emails, In addition, SRS is used in Plesk, so forwarded messages can pass the SPF check. For more information, see below in this section Using SRS.

Important: DKIM validation only works for real domains that use the Plesk DNS server. It will not work if you use an external DNS service, as Plesk needs to be able to add DKIM-related DNS zone entries to a domain.


Enable DKIM on the server

You can activate the DKIM function on your server by clicking Tools & Settings > Mail Server Settings go (in the group e-mail) and to the section DKIM protection scroll. The following options allow you to manage DKIM on your server:

  • Outgoing e-mails may be signed, This allows customers to individually activate the signing of outgoing emails using DKIM for each domain. Signing outgoing e-mail messages is not automatically activated. To use DKIM, users must enable DKIM for each domain.
  • Check incoming e-mail messages (Plesk for Linux). This option enables you to enable the DKIM check for all incoming e-mail. All messages are checked and marked with the special header in case of a negative result.

Note that the options can be selected independently. You can enable signing outgoing emails, checking incoming email, or both at the same time.


Enable DKIM after a Plesk upgrade

If you upgrade from versions prior to Plesk Onyx, DomainKeys will automatically be replaced by DKIM. If the DomainKeys feature was enabled in Plesk, DKIM will also be activated.


Activate the e-mail signature by DKIM for a domain

To enable DKIM to sign outgoing emails for a single domain, open the appropriate subscription for management purposes and do the following:

  1. Go to the tab e-mail > E-mail settings.
  2. Choose Use the DKIM spam protection system to sign outgoing e-mail messages and click OK.

Note: The DKIM signature only works for domains that use the Plesk DNS server. The DNS service must be enabled on the domain.

After you enable DKIM for a domain, Plesk adds the following two records to the DNS zone of the domain:

  • Default._domainkey. 

    : Contains the public part of the generated key

  • _ domainkey. 

    : Contains the DKIM Directive


Use SPF and DMARC for outbound emails

In addition to DKIM, Plesk also supports SPF and DMARC outbound policies. Both are based on the rules set in the sender's DNS zone.

SPF (Sender Policy Framework) is a method that validates the identity of the domain of the Envelope Sender via path-based authentication.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technology that extends the sender control policy SPF and DKIM. The DMARC policy defines how the recipient should handle e-mail messages, depending on the results of the DKIM and SPF checks. In Plesk, a DMARC-related DNS entry has the general policy that messages should not be deleted, even if the verification failed. However, you can set a stricter policy. Note, however, that the receiving server may have its own incoming e-mail policies.

For DNS records with SPF and DMARC default policies, see server-wide DNS template from Plesk. In contrast, DNS records with DKIM are added to DNS zones of individual domains when you enable DKIM for the domain.

To set up a custom DMARC or SPF policy:

Go to Tools & Settings > DNS template and edit the DNS records for the SPF or DMARC policy. These DNS records are always in server-wide DNS template available. Plesk's DMARC default policy is defined in this entry:

<code>_dmarc. <domain>. code> TXT v=DMARC1; p=none

Hosting customers can edit the policies for individual domains.

For more information about DMARC and SPF, including policy names, see the following links:


Using SRS

Support some mail servers in Plesk SRS (Sender Rewriting Scheme). This is a method of rewriting the sender address of an e-mail so that e-mail forwarding works in spite of SPF. With SRS you can make sure that the messages are delivered.

To provide SRS functionality, Plesk uses the functions of an external library (Linux) or mail server software (Windows). The following mail server requirements apply:

  • Postfix, SmarterMal, IceWarp, All modern versions.
  • MailEnable Standard and MailEnable Professional, SRS is not supported. Plesk uses its own functions to forward automatic reply messages from an e-mail user.
  • qmail, SRS is not supported.

SRS is used automatically when messages are forwarded from Plesk-hosted mailboxes.

de_DEDeutsch en_USEnglish
Scroll to Top