451 DKIM Signature validation has failed

Zoop

Member
Feb 15, 2016
13
2
3
Netherlands
cPanel Access Level
Root Administrator
Dear cPanel Forum,

We're posting on this forum since we are getting really frustrated with getting DKIM to work properly. So far, it seems, our settings and configuration are all correct, it passes the proper tests (maybe suggestions for additional tests?), yet we keep getting this bounce message with a certain server. We have no issues with services like Gmail or Hotmail (these are usually the more strict ones).

We've attached an authentication report on a testmail, and the 'queued'-message we're getting from a specific host. Does anyone have a suggestion what we should be looking at? Or dismiss it as "the other party is having problems"?

Thanks in advance!

I already removed all references to the other service (as it's not our own info), all other information is related to my own cPanel service, I figured that would be good enough, all info in this attachment can be easily found by anyone ... ah well, re-attached it with everything omitted.
 


mtindor

Well-Known Member
Sep 14, 2004
1,454
110
193
inside a catfish
cPanel Access Level
Root Administrator
Have you changed your DKIM ever on the domain in question? Since DKIM relies upon a DNS TXT record, that DNS TXT record can be cached on remote nameservers. So it's possible that the mailserver that keeps rejecting your emails based upon failing DKIM signature may be relying upon nameservers that have cached/stale DNS records. Of course, unless you know the company that operates that mailserver and are able to engage them, you probably won't be able to do anything about it.

If it's working fine according to the "big" providers, I wouldn't worry about it and would place the blame on the operators of the remote mail system.

It's a shame that you [and I and most others who are smart] have to redact all of the important information that could be used to provide further help. I understand why you do it, and I do the same thing. It just makes providing suggestions more difficult.

Mike
 

Zoop

Hi Mike,

I was thinking somewhere along those lines, what if their DNS profiles update really slowly? That could explain some things, but the problem popped up for a client of ours (who claims to have missed sales because of mails not delivering and demands we fix it). We needed a new extra server anyway, because our current one is reaching the maximum clients we are willing to host on a single server. We configured the server from scratch, new IPs, certificate and even a domain we haven't used before, hopefully not having to worry about any caches ...

But our configuration may not have been 100% the first time we tried it, if it got cached on that first attempt, we're stuck in the same situation again.

I've attempted to contact the hosting provider of the other party (which I found by tracing the email) and contacted them about it. As expected, they wouldn't listen to me at all as I'm not a customer of theirs. They need a customer ID to be able to do anything. They refused to forward my questions/observations to their admins. That was kinda my last resort, as everything seems to be fine on our side. Hence I made this post.

So as it is now, cache is most probably to blame, hopefully this will restore over time.
If anyone else has any other suggestions, I'd love to hear them!

Anyway thanks Mike, for your input.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello :)

You can try editing the DNS zone (e.g. remove/add a test record) to see if an updated zone forces the remote server to obtain updated results.

Thank you.
 

mtindor

Zoop said: "Anyway thanks Mike, for your input."
You're welcome. Sorry I couldn't help more. I'd chalk it up to the remote end having people who don't know what they're doing or who don't care what is happening. That kind of stuff you describe, the other party being noncooperative, really irritates the hell out of me. Companies that play like that don't deserve to exist :)

Mike
 

Zoop

Alright, managed to get it to mail to the domains it wouldn't before.

In the DKIM key, halfway through there is a closing ", a space, and an opening " for the string to continue.
The tests (and pretty much every other service we tried) have no trouble with this, but apparently this can cause problems on some servers, so the DKIM key gets ignored and specified as missing or unsigned.

We finally found out about this because one of the other hosting companies was kind enough to send a log on what happens on their side when our mail gets rejected, which showed that it thought the DKIM was incorrect (because of the " " bit in it).

We adjusted the key, removing the extra quotes and space, and it's been working like a charm ever since.

This key was supplied by cPanel and directly copy-pasted into the DNS entry. cPanel might want to take a look at that as it produces apparently incorrect keys that might get rejected by some services.

Anyway, I'm glad we managed to get it fixed. Thanks everyone for your time.
 

mtindor

Thank you for sharing this. This is something cPanel needs to pay attention to. I'm pretty sure I said something about the way they split up the DKIM record in the past (My new DKIM is in another format than I expected?), but they didn't chime in one way or another so I just assumed they don't care. Maybe your report will change their mind about doing it that way.

I have never gotten a report from a customer about nondelivery because of the way the DKIM TXT record existed in DNS, but that certainly doesn't mean it hasn't happened. I wish my customers were a little bit more vocal sometimes. I'm tempted to go look in my mail logs for such behavior. Most of my customers likely aren't using 2048-bit keys at this time though, so they wouldn't have that problem.

Mike
 

cPanelMichael

Here's a staff response you may find helpful. It's from a support ticket where a user is having an issue pasting the TXT record into their PowerDNS control panel:

RFC 1035 defines the zone file format. It defines the RDATA of a TXT record as “One or more <character-string>s.” A <character-string> is “expressed in one or two ways: as a contiguous set of characters without interior spaces, or as a string beginning with a " and ending with a ". Inside a " delimited string any character can occur, except for a " itself, which must be quoted using \ (back slash)” (§ 5.1). It then goes on to describe escape formats.

As a consequence, this appears to be a validly constructed record and PowerDNS has a bug if it is being rejected.
Thank you.
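
Added example, not part of the original thread and not cPanel's code: a Python sketch of reading a DKIM TXT record that is split into two quoted <character-string>s, as discussed above. It parses the RDATA per RFC 1035 § 5.1, joins the strings with nothing in between (RFC 6376 § 3.6.2.2) and compares that with a hypothetical consumer (`read_naive`) that keeps the interior `" "`. The key is constructed filler data and all function names are illustrative.

```python
import base64
import re

# One RFC 1035 <character-string>: "quoted, with \ escapes" or a bare token.
_CHARSTR = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
_ESCAPE = re.compile(r"\\(\d{3}|.)")

def parse_txt_rdata(rdata):
    """Split zone-file TXT RDATA into its list of <character-string>s."""
    def unescape(m):
        e = m.group(1)
        return chr(int(e)) if len(e) == 3 else e  # \DDD or \X
    return [_ESCAPE.sub(unescape, m.group(1) if m.group(1) is not None else m.group(2))
            for m in _CHARSTR.finditer(rdata)]

def oversized(rdata):
    """Strings over 255 bytes, the most one length-prefixed string can hold."""
    return [s for s in parse_txt_rdata(rdata) if len(s.encode()) > 255]

def read_correct(rdata):
    # RFC 6376 3.6.2.2: concatenate the strings with nothing in between.
    return "".join(parse_txt_rdata(rdata))

def read_naive(rdata):
    # Hypothetical broken consumer: drops only the outer quotes, so the
    # interior '" "' stays inside the key data.
    return rdata.strip().strip('"')

def key_bytes(record):
    """Decode the p= tag of a DKIM key record; None if it is not valid base64."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    try:
        return base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return None

# Constructed sample: 294 filler bytes (the DER size of a 2048-bit RSA public
# key), not a real key. The record is 410 characters, so it needs two strings.
KEY = bytes(range(256)) + bytes(38)
RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(KEY).decode()
SPLIT = '"' + RECORD[:255] + '" "' + RECORD[255:] + '"'
UNSPLIT = '"' + RECORD + '"'

if __name__ == "__main__":
    print("split, joined per RFC:", key_bytes(read_correct(SPLIT)) == KEY)
    print("split, naive reader:  ", key_bytes(read_naive(SPLIT)))
```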
 

Zoop

Hi Michael,

Thing is, there is no problem at all using or inserting the record. It's being used without trouble, but a few servers don't seem to accept it when mailing to them (and it only becomes apparent after a period of time when mails start to fail on delivery). Whether it's a bug on their side or not is irrelevant when a customer is complaining they can't e-mail their contacts ;)

In that case it would be better to be safe than sorry, and not use this kind of formatting. Apparently not everyone on this planet is following the same rules.
 

cPanelMichael

Zoop said: "Thing is, there is no problem at all using or inserting the record. It's being used without trouble, but a few servers don't seem to accept it when mailing to them (and only becomes apparent after a period of time when mails start to fail on delivery). Whether it's a bug on their side or not is irrelevant when a customer is complaining they can't e-mail their contacts"
Is this happening when the DNS is handled by the cPanel server, or only when the DNS record is handled by a third-party DNS provider?

Thank you.
 

Zoop

Third party, while letting cPanel generate the key and literally copy-pasting it into the third-party control panel. Most servers (including Hotmail, Gmail) have no problem with it, but several smaller individual providers think the key is invalid.
 

cPanelMichael

The method of entering the entry at your remote DNS hosting provider can vary, depending on who your provider is. There's a thread on this, including what steps we are taking to help make this an easier task, at:

How to Enter DKIM record into DNS Zone

Thank you.