cPanel DKIM Keys Not Compatible with IIS

Operating System & Version
CENTOS 7.7
cPanel & WHM Version
86.0.8

PostAlmostAnything

Well-Known Member
Mar 3, 2020
70
1
8
Portland, Oregon
cPanel Access Level
Website Owner
I have a network of websites hosted on an IIS server that use an external Linux server with cPanel for email. The reason it is set up like this is because my Windows hosting company would not configure rDNS without a data center change, I already had a Linux server for a PBN anyway, and I prefer cPanel to hMailServer. It works great except for one problem. Whenever I install the cPanel DKIM key on the IIS server it does not work.

The error I get from various DKIM checking tools such as Mail Tester is something along the lines of not being able to retrieve the key length, the length being invalid, or too long. I had this problem when installing DKIM keys for use with hMailServer whenever the key I generated at Spark Post was set to 2048 bits. When I changed it to 1024 bits the keys it generated worked just fine.

This brings me to my current situation:
- Does cPanel generate 2048 bit keys or 1024 bit keys?
- Can cPanel generate 1024 bit keys instead of 2048 bit keys and if so, how can I do that?
- Can I install a Spark Post key in cPanel and use it instead of the one generated by cPanel?
- Can 2048 bit keys be enabled on IIS?
 


cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,295
313
Houston
Hello,

- Does cPanel generate 2048 bit keys or 1024 bit keys?
Mail Tester shouldn't have a problem with cPanel's DKIM keys which are indeed using 2048, we split them automatically if they're too long. I'm using a 2048-bit key and not able to replicate an issue with mail-tester.

- Can cPanel generate 1024 bit keys instead of 2048 bit keys and if so, how can I do that?
We only generate the 2048-bit keys, you are welcome to create your own DKIM key but that shouldn't need to be done at this point.

- Can I install a Spark Post key in cPanel and use it instead of the one generated by cPanel?
You can, though again this shouldn't be necessary, the record should be split automatically in the event it's too long which should be recognized everywhere. SparkPost does generate 2048-bit keys as well: DKIM Wizard

Domain Keys for DKIM are stored in /var/cpanel/domain_keys/

- Can 2048 bit keys be enabled on IIS?
IIS is the web server, which wouldn't really have anything to do with DKIM afaik - what you'd want to see is if your windows server supports this with the DNS Server it's using, do you happen to know what that is? In most cases it's a role that's added in Server Manager. I'd wager the issue is the length of the record not the key size. In instances like that you'd need to use the split format for the record which can be done within email deliverability.
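
Added example (not part of the post above and not cPanel's code): a Python check for the record-length point made in this reply, where one TXT character-string holds at most 255 bytes and a longer DKIM record is published as several strings that verifiers join back together. The sample records are constructed with a placeholder modulus, and all function names are illustrative.

```python
import base64

MAX_TXT_STRING = 255  # DNS limit: one TXT character-string holds at most 255 bytes

def split_txt(value, size=MAX_TXT_STRING):
    """Split a long TXT value into character-strings of at most `size` bytes."""
    return [value[i:i + size] for i in range(0, len(value), size)]

def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (value, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    spki, _ = _read_tlv(der)                 # outer SEQUENCE
    _, pos = _read_tlv(spki)                 # skip AlgorithmIdentifier
    bitstr, _ = _read_tlv(spki, pos)         # BIT STRING
    rsakey, _ = _read_tlv(bitstr[1:])        # drop unused-bits byte, open RSAPublicKey
    modulus, _ = _read_tlv(rsakey)           # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_txt(strings):
    """Check TXT strings as published; verifiers join them with no separator."""
    oversized = [i for i, s in enumerate(strings) if len(s.encode()) > MAX_TXT_STRING]
    tags = dict(t.strip().split("=", 1) for t in "".join(strings).split(";") if "=" in t)
    der = base64.b64decode("".join(tags["p"].split()))
    return {"oversized": oversized, "key_bits": rsa_bits(der)}

def _tlv(tag, value):
    """Encode one DER tag-length-value (used only to build the sample)."""
    n = len(value)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + value

def sample_record(bits):
    """Constructed DKIM record; the modulus is a placeholder, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsakey = _tlv(0x30, _tlv(0x02, b"\x00" + n) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for rec in map(sample_record, (1024, 2048)):
        print(len(rec), check_dkim_txt([rec]), check_dkim_txt(split_txt(rec)))
```

For these constructed records, the 1024-bit one is 234 characters and fits in a single string, while the 2048-bit one is 410 characters and only passes the length check once split into two strings.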
 

PostAlmostAnything

Right, I should have said Windows Server 2016 DNS Server NOT IIS.
 

PostAlmostAnything

Here is a link to what I used on this forum. I just logged into WHM and accessed the terminal. Then I used the methods described in this thread to set my min key size to 2024, delete the old keys, and generate new ones.


The new keys work just fine with Windows Server 2016 DNS and I can now use cPanel for my email instead of hMailServer.
 

PostAlmostAnything

Great, now when I e-bomb my users I get this:

End of Recipients
Message Sent
End of Inner Exceptions
End of Failed Recipients
Smtp Exception: ServiceNotAvailable
Smtp Error Message: Service not available, closing transmission channel. The server response was: too many messages in this connection
Smtp Exception: ServiceNotAvailable
Smtp Error Message: Service not available, closing transmission channel. The server response was: too many messages in this connection
Smtp Exception: ServiceNotAvailable
Smtp Error Message: Service not available, closing transmission channel. The server response was: too many messages in this connection
End of Smtp Exceptions
End of Exceptions


I tried changing the maximum emails per domain per hour from 500 to unlimited but still got the same error.