DKIM using external .PEM file


I have to configure DKIM on NS7 but I must use an externally generated .PEM file.
I went to email settings screen and find the button to DKIM (should be easy to find, inside the configure screen and not outside! But that’s a CX option)

But once I enable it, it show a NEW DKIM, and I wanna to use a previously existent one.
See this:

I COULD enable it and later change… if I got some help to assure me I can disable DKIM later if something went wrong.

This is a production server 4.000km away from me!!!

Any tips?
(Andy is helping me about vacancy message and DKIM was a cause… so I have done same question on that thread…sorry!)

Hi @jader

DKIM can be enabled - and also disabled, if it doesn’t work!

But as always - before making a change, have a working backup!!!

My 2 cents

1 Like

OK. Thank you Andy

But how can I change the PEM file ?
Once I have enabled it , it show a self generated key.
I already have one, so I need to replace self generated PEM file with my own PEM file.
How to do it?

AFAIK, you can disable it on the GUI (3 dots?)…

1 Like

and how to change the PEM file it use to sign messages?

If DKIM is deactivated, it doesn’t include a signature.
You can, AFAIK, reacitivate DKIM and then have the option to create a new DKIM signature / key.

Make a config backup before doing this…
Or even a full backup first. You can implement the DKIM change right after the full backup.
Here is one of the great advantages of virtualization: A snapshot and Backup to PBS (Proxmox Backup Server) will save your Back in a critical situation.

If it fails, restoring the config should work.

My 2 cents

1 Like

Hi Andy
I have 2 domains : domain.tld and hostname.domain.tld
I start testing because here is before 6am so I can afford enable/disable things.

I enabled DKIM and went to CLI. found the /etc/opendkim directory and found several utils there.
I replace the defaults.private file content with old PEM file (the old pem file has public and private so I keep just private key on default.private) and restarted opendkim service with systemctl
I even tested the new config with:
[root@agulhao keys]# /usr/sbin/opendkim-testkey -d -k ./default.private -s default -x /etc/opendkim.conf
opendkim-testkey: ./default.private: WARNING: unsafe permissions

But I still cannot get good answer from GUI about DKIM.
I still can find where change DKIM PEM file on GUI.
I still have problems with DKIM

BTW: It’s a normal config to have 2 domains (domain.tld and hostname.domain.tld) ??

1 Like

ohh… wait… something changed…
I think something else update by himself… I just got ok for my DKIM test on NS7 GUI.
I went to and it’s fine.
I just document this on other threadd (about vacancy message and will post here too…sorry double post but I prefer the other find it in 2 place instead of save 120bytes of disk space)

Thank you by your support.


I’ll document here and later try to edit WIKI about it.
If you wanna to have DKIM using an OLD PEM file, you can try enabling it using the three dots at right of each domain.
My config has 2 domains configurated: domain.tld and hostname.domain.tld
I change domain.tld only. Don’t worry, you can disable it if it do not work.

After choose option Configure DKIM, I saved it even the DKIM key is not what I wanna to use (private is not show, but public is shown to update/create TXT record on DNS)

So I went to CLI to replace it.
I went into /etc/opendkim and on default.private I put the old DKIM private key (my .PEM file has the public and private key, I removed the public part!)
and restarted the opendkim service: systemctl restart opendkim
after a few minutes tested it on NS7 GUI and reported as ok for DKIM so I went to site and verify it!
I got a 10/10 (even my message miss a HTML version or my reverse DNS is not ok)
Now I’ll fix those problems.

FINAL RESULT: My vacancy message IS WORKING NOW!!


Hi @jader

Great you got it working, and if gives you a 10/10, you won’t have issues sending mail to “tough” places, eg Gmail, Apple & others are known to be “fussy” about mail, DNS and associated settings.

My 2 cents

Hi @Andy_Wismer

Thank you by your continued support.
I’ve created an wiki account and updated info about DKIM and how to test them.
I also removed an useless section (double how to test it pointing to a 404 link smtp2go or something like that) and updated with info about use of external generated/already existing DKIM pem file.

1 Like


Linux is Open Source, has always been, will always remain so.

My helping here is part of all this, including your documenting and improving stuff.

My Motto:

Don’t bitch about Open Source.
If you can, help!
Not everyone’s a coder,
some are good documenters,
others again find bugs in unexpected places.
Everyone can contribute!


My 2 cents