The Community Forums


451 DKIM Signature validation has failed

Discussion in 'E-mail Discussions' started by Zoop, Feb 15, 2016.

  1. Zoop

    Zoop Member

    Joined:
    Feb 15, 2016
    Messages:
    13
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Dear cPanel Forum,

    We're posting on this forum since we are getting really frustrated with getting DKIM to work properly. So far, it seems, our settings and configuration are all correct, it passes the proper tests (maybe suggestions for additional tests?), yet we keep getting this bounce message with a certain server. We have no issues with services like Gmail or Hotmail (these are usually the more strict ones).

    We've attached an authentication report on a testmail, and the 'queued'-message we're getting from a specific host. Does anyone have a suggestion what we should be looking at? Or dismiss it as "the other party is having problems"?

    Thanks in advance!

    I already removed all references to the other service (as it's not our own info), all other information is related to my own cPanel service, I figured that would be good enough, all info in this attachment can be easily found by anyone ... ah well, re-attached it with everything omitted.
     


    #1 Zoop, Feb 15, 2016
    Last edited by a moderator: Feb 15, 2016
    Infopro likes this.
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Have you changed your DKIM ever on the domain in question? Since DKIM relies upon a DNS TXT record, that DNS TXT record can be cached on remote nameservers. So it's possible that the mailserver that keeps rejecting your emails based upon failing DKIM signature may be relying upon nameservers that have cached/stale DNS records. Of course, unless you know the company that operates that mailserver and are able to engage them, you probably won't be able to do anything about it.

    If it's working fine according to the "big" providers, I wouldn't worry about it and would place the blame on the operators of the remote mail system.

    It's a shame that you [and I and most others who are smart] have to redact all of the important information that could be used to provide further help. I understand why you do it, and I do the same thing. It just makes providing suggestions more difficult.

    Mike
     
    Zoop likes this.
  3. Zoop

    Hi Mike,

    I was thinking somewhere along those lines, what if their DNS profiles update really slowly? That could explain some things, but the problem popped up for a client of ours (who claims to have missed sales because of mails not delivering and demands we fix it). We needed a new extra server anyway, because our current one is reaching the maximum clients we are willing to host on a single server. We configured the server from scratch, new IPs, certificate and even a domain we haven't used before, hopefully not having to worry about any caches ...

    But our configuration may not have been 100% the first time we tried it; if it got cached on that first attempt, we're stuck in the same situation again.

    I've attempted to contact the hosting provider of the other party (which I found by tracing the email) and contacted them about it. As expected, they wouldn't listen to me at all as I'm not a customer of theirs. They need a customer ID to be able to do anything. They refused to forward my questions/observations to their admins. That was kinda my last resort, as everything seems to be fine on our side. Hence I made this post.

    So as it is now, cache is most probably to blame, hopefully this will restore over time.
    If anyone else has any other suggestions, I'd love to hear them!

    Anyway thanks Mike, for your input.
     
    mtindor likes this.
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can try editing the DNS zone (e.g. remove/add a test record) to see if an updated zone forces the remote server to obtain updated results.

    Thank you.
     
  5. mtindor

    You're welcome. Sorry I couldn't help more. I'd chalk it up to the remote end having people who don't know what they're doing or who don't care what is happening. That kind of stuff you describe, the other party being noncooperative, really irritates the hell out of me. Companies that play like that don't deserve to exist :)

    Mike
     
    Infopro likes this.
  6. Zoop

    Alright, managed to get it to mail to the domains it wouldn't before.

    In the DKIM key, halfway through, there is a closing ", a space and an opening " for the string to continue.
    The tests (and pretty much every other service we tried) have no trouble with this, but apparently this can cause problems on some servers, so the DKIM key gets ignored and specified as missing or unsigned.

    We finally found out about this because one of the other hosting companies was kind enough to send a log on what happens on their side when our mail gets rejected, which showed that it thought the DKIM was incorrect (because of the " " bit in it).

    We adjusted the key, removing the extra quotes and space, and it's been working like a charm ever since.

    This key was supplied by cPanel and directly copy-pasted into the DNS entry. cPanel might want to take a look at that, as it produces apparently incorrect keys that might get rejected by some services.

    Anyway, I'm glad we managed to get it fixed. Thanks everyone for your time.
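
The quoting problem described in the post above, as an added example that is not part of the original thread and is not cPanel's code. A TXT character-string holds at most 255 bytes, so a 2048-bit DKIM record is written as several quoted strings, and RFC 6376 requires a verifier to join them with no whitespace in between. `FAKE_KEY` is a constructed placeholder, all function names are hypothetical, and `pasted_as_one_string` models an assumed control-panel behaviour (storing the inner `" "` literally).

```python
import base64
import re

MAX_CHUNK = 255  # RFC 1035: one TXT character-string holds at most 255 octets

# Constructed placeholder, not a real key: 294 bytes, the DER size of a
# 2048-bit RSA public key, so the record is too long for a single string.
FAKE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY


def split_for_zone(value):
    """Render a long TXT value as quoted strings of at most 255 characters."""
    chunks = [value[i:i + MAX_CHUNK] for i in range(0, len(value), MAX_CHUNK)]
    return " ".join('"%s"' % c for c in chunks)


def join_txt_strings(rdata):
    """Resolver/verifier view: concatenate the strings with nothing between."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def pasted_as_one_string(rdata):
    """Assumed panel behaviour: drop the outer quotes, keep the rest literally."""
    return rdata.strip().strip('"')


def check_record(value):
    """List the reasons a verifier could treat the published value as unusable."""
    problems = []
    if '"' in value:
        problems.append("literal quote inside the record")
    tags = dict(
        (name.strip(), val.strip())
        for name, val in (t.split("=", 1) for t in value.split(";") if "=" in t)
    )
    try:
        base64.b64decode(re.sub(r"\s+", "", tags.get("p", "")), validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    zone_form = split_for_zone(RECORD)
    print(check_record(join_txt_strings(zone_form)))      # correctly published
    print(check_record(pasted_as_one_string(zone_form)))  # quotes stored literally
```

Removing the inner quotes and space, as the post describes, yields the same value that `join_txt_strings` returns.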
     
  7. mtindor

    Thank you for sharing this. This is something cPanel needs to pay attention to. I'm pretty sure I said something about the way they split up the DKIM record in the past ( My new DKIM is in another format than I expected? ), but they didn't chime in one way or another so I just assumed they don't care. Maybe your report will change their mind about doing it that way.

    I have never gotten a report from a customer about nondelivery because of the way the DKIM TXT record existed in DNS, but that certainly doesn't mean it hasn't happened. I wish my customers were a little bit more vocal sometimes. I'm tempted to go look in my mail logs for such behavior. Most of my customers likely aren't using 2048-bit keys at this time though, so they wouldn't have that problem.

    Mike
     
  8. cPanelMichael

    Here's a staff response you may find helpful. It's from a support ticket where a user is having an issue pasting the TXT record into their PowerDNS control panel:

    Thank you.
     
  9. Zoop

    Hi Michael,

    Thing is, there is no problem at all using or inserting the record. It's being used without trouble, but a few servers don't seem to accept it when mailing to them (and it only becomes apparent after a period of time when mails start to fail on delivery). Whether it's a bug on their side or not is irrelevant when a customer is complaining they can't e-mail their contacts ;)

    In that case it would be better to be safe than sorry, and not use this kind of formatting. Apparently not everyone on this planet is following the same rules.
     
  10. cPanelMichael

    Is this happening when the DNS is handled by the cPanel server, or only when the DNS record is handled by a third-party DNS provider?

    Thank you.
     
  11. Zoop

    Third party, while letting cPanel generate the key and literally copy-pasting it into the third-party control panel. Most servers (including Hotmail, Gmail) have no problem with it, but several smaller individual providers think the key is invalid.
     
  12. cPanelMichael

    The method of entering the entry at your remote DNS hosting provider can vary, depending on who your provider is. There's a thread on this, including what steps we are taking to help make this an easier task, at:

    How to Enter DKIM record into DNS Zone

    Thank you.
     