DMARC move

Discussion in 'ISPConfig 3 Priority Support' started by jpcyrenne, Oct 26, 2020.

  1. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    Good day,
    I will most probably install a (Ubuntu 20.04.1 LTS (Focal Fossa)) ISPConfig 3.2 setup.

    I'm a bit new to DMARC and I'm wondering if I can set up a second server and import the DMARC config/key from a Plesk server to an ISPConfig? I need this to go very smooth and I'd like to test the new server before I transfer the A Records and MX. (I can add the new IP in TXT v=spf1)

    I also have the migration tool, would this help? (just for emails. The sites are going on another server)


  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Hi JP,

    Do you mean the DKIM key?
    If so, iirc it should be imported from Plesk when using the migration tool.
    @Croydon might be able to confirm that.

    Have you already ran a dry run with the migration to see if it works without any errors?
    You can find a how-to for the migration tool here:
  3. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    I have used the Migration tool in the past but from older ISPConfig to ISPconfig 3.1 (so far). Will be my 1st migration to 3.2 from Plesk. I only need to migrate the emails.

    I am inquiring about DMARC (Domain-based Message Authentication) because I see a TXT Record int hte present DNS (
    From reading, I understand that this is Reporting and Conformance (DMARC) that ties the SPF and DKIM ( most probably) protocols together with a consistent set of policies.

    I will need to have the same key for DKIM then.

    Can I set up DKIM with ISPConfig and then copy a key/file over manually?)

    This is all in preparation. I'll set up the new server and see what the challenges really are.

    Not sure how I can test it?
    add the IP in the new server IP in the TXT v=spf1... (allow it to be a sender for the domain)
    migrate the mails with the Migration tool (how to make sure the DKIM followed on the server)
    send a test mail to a service? (from the new server - webmail)

    I need to make sure it's all perfect before i change the MX record.
    Can I have 2 entries? Say it's default2., can I change this somewhere in ISPConfig or cmd line?

    I don't do this often as you can see. Thanks for the help.


  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    DMARC tells receiving servers your policy on what to do when the SPF and/or DKIM check fail. I think you should be able to migrate the existing keys from Plesk. You can double check this after migration by sending a test email to a service like from the new server. If it's not migrated or you want to generate new keys, you can simply do that from the UI by opening the domain settings in the email module.

    You can have 2 keys, you can call it anything you like: default, new, etc.

    If you need any further help with the migration, let us know :)
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    When you move your mail domain to another server (eg. plesk->ispc) you don't need to copy the old DKIM signing key, it's normal that the new system will use a new key to sign with. What you do want to do is copy the DNS record corresponding to the old selector and keep that around in DNS for a while.
    Yes, the old server and the new server each can/will normally use a different selector, and you just keep both of them in DNS on your new system.

    How? Due to limitations/bug in ISPConfig, it's ugly if you already have your domain live in ISPConfig, see - you don't, though, so all you need to do is setup DNS in ISPConfig for the domain first, and add the DKIM record copied from your plesk system (use the same selector name as in plesk) before you add it as an Email domain; once you add it as an email domain, you can only manage the DKIM record using the settings on the Email > Domain page.
    Th0m likes this.
  6. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    Thanks to both for your answers. I'll set it up this week and get back with some feedback.

    I'm reassured that I can have 2 keys. It's on Cloudflare DNS, so I,ll set un the 2nd server, add the second server SPF and DKIM TXT entries and test.

    Might play witn another domain to test first?

    Th0m likes this.
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Testing is always a good idea ;)
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Just one further point on your migration, some time after you move, after any DKIM checks have been made, you'll want to stop publishing the old DNS record. If you leave it published, then the old DKIM signing key under the plesk server can still sign mail from your domain, which is probably not a real high priority threat for many but it certainly is for those sensitive to phishing, and just good to be thorough in general.
    Th0m likes this.

Share This Page