DKIM Is not Working in Hestia


I am having trouble setting up DMARC and DKIM on my email.

My Settings

DMARC TXT (Record) _dmarc.domain (Host) v=DMARC1; p=none; pct=100 (Value)

DKIM TXT (Record) mail._domainkey.doamin (Host) v=DKIM1; k=rsa; p=(public key) (Value)

I have DKIM and DMARC checked in the mail settings.

What I’ve tried so far

  • MX tools shows DMARC as not set up and MX tools email evaluator is showing as DKIM not working.

  • nslookup -type=txt mail._domainkey.domain / ERROR ** server can’t find mail._domainkey.domain: NXDOMAIN

  • Setup pem pub keys in exim, setup pub key information in value under DKIM field.

Set an email to receive notifications and change the pct to 10% so you can test without having all your traffic rejected

DKIM should work out of the box

The only difference I see with my records is “p=quarantine” in “_dmarc”. In addition there is another text record called “_domainkey” and with the value “t=y; o=~;”.

It didn’t create any txt record in the DNS or public key, I had to manually do it myself.

Completely remove Mail Domain (warning: this will remove any mailboxes that you may have) and create it again, making sure you check the checkbox DKIM This will create the relevant entries in DNS, provided of course that the Hestia server is an authoritative Name Server for your domain.

My DNS is hosted on a 3rd party. However, I tested what you said to do with a fresh install. I added a Mail Domain with DKIM checked and it did not create the record in the DNS. I have all the basic records including DMARC and SPF, but no DKIM.

Not sure if it will help you debug or not. This is a script I wrote to help me set up DKIM on external DNS.

if [ -z "$1" ]
      echo "Call script with USER DOMAIN arguments. Here are the mail domains on this server."
      for USER in $( v-list-users plain | awk '{print $1}' )
	COUNTMAIL=$(v-list-mail-domains $USER plain | awk '{print $1}' | wc -l )
	if [[ "$COUNTMAIL" -gt "0" ]]; then
        for MDOMAIN in $( v-list-mail-domains $USER plain | awk '{print "  " $1}' )
      	  DKIMSTATE=$(dig txt +short mail._domainkey.$MDOMAIN)
	  if [[ "$DKIMSTATE" == "" ]] ; then 
	echo -e "\t $USER \t\t $MDOMAIN \t\t $STATEMESSAGE"


echo "Current record (dig +short txt mail._domainkey.$2)"
dig +short txt mail._domainkey.$2

echo ""
echo "Check that the TXT record for mail._domainkey.$2 is:"
v-list-mail-domain-dkim $1 $2 \
 | sed '1,/BEGIN PUBLIC KEY/d' | sed '/END PUBLIC KEY/d' \
 | tr -d '\n' | sed 's/.*/"v=DKIM1; k=rsa; p=&"\n/'


No warranty. Use at your own risk. It was something I did for my own use.

Thanks. It’s similar to how I manually set up DKIM on the server.

@Felix But it still doesn’t answer as to why a fresh install wouldn’t setup DKIM accordingly, no record or key (from what I can see) so its odd.