DKIM check keeps failing

WilbertNL

Member
Sep 17, 2016
10
0
1
NL
cPanel Access Level
Reseller Owner
Hi all,

I've seen and read a lot of posts regarding this issue, but for the life of me, I still can't get it to work.

Authentication generates a raw DKIM record which is immediately reflected in my DNS records:
Code:
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxutyDFPRD999pi1VVQtl5IvidPlqSKuPOCHW5CHOzyzDc/pn2Qc7dgNF1a2/r89jnWn/a8CWNCBt/5xGOy2a57jf2jfv78gFWWubuXMr1oOmaHBx81W2w0bTqzBlRcnsobaOQ6+EgNz0Cm2mQU/LCSFjM/7B2UMn59uoSxU48hz87OI5X76X2coT04VtJfgC/" CVyhZ7R4TJKaBv6bcART2fYS8Dus/l4iQ4QbrNgV4iDk24vQ8sEY8M3taNBqyr4IqftH9QvUH73fzoge7/4KpA2VgMaYM/sxqA9G/7gqyzkTHAEu6Qv5udd0C3yhGcerrFGM69PK9lqUJesj1chXwIDAQAB\;
However, when I do an SPF & DKIM check, using mail-tester.com e.g., an SPF record is found, but the DKIM check fails (my real domain is replaced by mydomain):

Code:
No DNS record found for default._domainkey.mydomain.nl
When I remove the second part of the key (with zone editor in WHM), the part without the quotations, so that the TXT reflects:

Code:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxutyDFPRD999pi1VVQtl5IvidPlqSKuPOCHW5CHOzyzDc/pn2Qc7dgNF1a2/r89jnWn/a8CWNCBt/5xGOy2a57jf2jfv78gFWWubuXMr1oOmaHBx81W2w0bTqzBlRcnsobaOQ6+EgNz0Cm2mQU/LCSFjM/7B2UMn59uoSxU48hz87OI5X76X2coT04VtJfgC/"
I do get a result with the DKIM check:

Code:
DNS record for default._domainkey.mydomain.nl: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxutyDFPRD999pi1VVQtl5IvidPlqSKuPOCHW5CHOzyzDc/pn2Qc7dgNF1a2/r89jnWn/a8CWNCBt/5xGOy2a57jf2jfv78gFWWubuXMr1oOmaHBx81W2w0bTqzBlRcnsobaOQ6+EgNz0Cm2mQU/LCSFjM/7B2UMn59uoSxU48hz87OI5X76X2coT04VtJfgC/"
Although the split that cPanel generates looks by design, for some reason it is not properly recognized by the various DKIM checkers, nor by a nslookup/dig.

Any help would be greatly appreciated!

Thanks,
Wilbert.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello,

This seems like an issue with the website you are using to test the DKIM record. Have you tried using another testing website, such as Port25?

Thank you.
 

WilbertNL

Port25 comes back with:
Code:
DKIM check:         permerror
..
Result:         permerror (key "default._domainkey.mydomain.nl" doesn't exist)
...
DNS record(s):
    default._domainkey.mydomain.nl. TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
nslookup on a google server:
Code:
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> default._domainkey.mydomain.nl
Server:     8.8.8.8
Address:   8.8.8.8#53

** server can't find default._domainkey.mydomain.nl: NXDOMAIN

> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> tragepcweersnel.nl
Server:     8.8.8.8
Address:   8.8.8.8#53

Non-authoritative answer:
mydomain.nl   text = "v=spf1 +a +mx +ip4:95.211.20.171 ~all"
nslookup on the authoritative server:
Code:
> server my.hostingprovider.eu
Default server: my.hostingprovider.eu
Address: xx.xx.xx.xx#53
> default._domainkey.mydomain.nl
;; Truncated, retrying in TCP mode.
Server:     my.hostingprovider.eu
Address:   xx.xx.xx.xx#53

default._domainkey.mydomain.nl   text = "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwcH1IDBj/Uzpnm0HKLXdlTIlEeTxY/+GL7gjB79zM6Z/0x7/SgUJmxqc/grbRxusUPlKn8+Of4Q0b0LVASt/zdQebYDZRM3t6UVZdQtFl7zohmz9YH41ZTdQJwSCkLF5Y9BXvoCpc0G8n6TXfsAy31OuOxlT7P1LEJTM2TaPNemDT5Q1UAfFGOb/uV8NxRbGs" "9TUVIPHbObXi9v+1MT4niH/fg9Y+8wjOS7WZ+lK8pIAC7qEQp+QKW31pFhAeuMc/v6j8NpjderNjqxvEkkW9SgIVnvrhZNF/SBk0oMlyfmEK5UB2AjH0QI6JGJ+O2z3v6Ykr4DlZqqHslVJSTeOKQIDAQAB\;"
> mydomain.nl
Server:     my.hostingprovider.eu
Address:   xx.xx.xx.xx#53

mydomain.nl   text = "v=spf1 +a +mx +ip4:xx.xx.xx.xx ~all"
Does this help at all?

Thanks!
 

WilbertNL

Hello Michael,

Thanks for your reply.

I did see that thread earlier, but my nameserver is a local server that should be accessible for edits. Although SPF says:
Code:
Status: Enabled (DNS Check Passed) Active (DNS Check Passed)
DKIM complains when the automatically generated string is added to DNS:
Code:
Status: Enabled
Warning: cPanel is unable to verify that this server is an authoritative nameserver for “mydomain.nl”.
So why does SPF pass the check and DKIM doesn't?

As stated before, as soon as I enable DKIM in Authentication, the changes are immediately reflected in the DNS zone, so imho it actually does have access to edit the zone.

The other day I did see that DKIM also passed the DNS check, but that was after I manually "malformed" the p-key by removing the latter part of the key. Which obviously does not resolve the issue, but is a bit mysterious as to why the DNS check passes then. I will check to see if I can reproduce this.

In the meantime, suggestions are very welcome! I'm encountering serious issues with clients unable to receive my e-mails. Especially outlook live seems extremely picky: mails sent to e.g. gmail arrive just fine, in outlook live they're not received at all, not even as spam.

Thanks in advance,
Wilbert.
 

WilbertNL

On a side-note: my hostingprovider is all but willing to help me resolve this issue. According to them I should move to a "professional" hosted mail, like hosted exchange. Which is ridiculous and doesn't help me at all with mails sent directly from the website since they are also processed by the same mailserver that uses the mentioned DKIM. I hope you can appreciate that I need to turn to you to have this issue resolved.
 

ruzbehraja

Well-Known Member
May 19, 2011
392
11
68
cPanel Access Level
Root Administrator
Your domain DNS is controlled by the cPanel server alone?

mail-tester.com works fine for all the domains that I have setup, so I doubt it is related to that.

Also note that sometimes these tools cache the DNS settings which may give incorrect results.
 

WilbertNL

Hi Ruzbehraja,

Thanks for your input!

As far as I'm aware DNS is controlled by cPanel alone, that is: all configuration of DNS is done using cPanel or WHM.

With regards to your cache comment, I disabled and then enabled DKIM on when I wrote:
Hi Michael,

Thanks for your suggestion. I'll test it in a bit and report back shortly.

Cheers,
Wilbert
and tested with port25 34 hours later on Sunday 25th. I would assume caching would not be an issue. Besides, almost as soon as I disable DKIM and run the test, DKIM gets a "Neutral" status in the port25 report. So caching doesn't seem to be an issue anyway.

Please keep your suggestions coming!

Cheers,
Wilbert.
 

ruzbehraja

for some reason it is not properly recognized by the various DKIM checkers, nor by a nslookup/dig.
What is the output of

Code:
dig default._domainkey.domainname.com txt



If you change the Nameservers and put the same DKIM key into an external DNS server does it work?

You could try that out. You could try it with CloudFlare or any other free DNS provider.

See: DKIM recipe with 3rd party / external DNS
 

WilbertNL

Hi,

Thanks for your suggestion. Sorry for the late reply, dmn holidays ;-)

I noticed it went better if I disabled DKIM (read somewhere that no DKIM is better than a bad DKIM) so I've just re-enabled it in order to generate the dig results.

With regards to testing it on another nameserver: well, to be honest, I'd rather not. If that works, then it only shows that CP has an issue. If it doesn't work, then it still shows CP has an issue since it is the string generated by CP. Or is my thinking flawed?

Dig report will follow shortly.

Cheers,
Wilbert.
 

cPanelMichael

Hello,

I recommend reaching out to your web hosting provider for additional assistance if you don't have root access to the server. They should be able to determine why the correct record isn't populated and detected in the zone file for the domain name.

Thank you.
 

WilbertNL

dig output:
Code:
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> default._domainkey.mydomain.nl txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;default._domainkey.mydomain.nl. IN TXT

;; AUTHORITY SECTION:
mydomain.nl.   144   IN   SOA   ns1.myhosting.eu. myname.myotheremaildomain.nl. 2016102518 3600 7200 1209600 86400

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Oct 25 23:23:49 CEST 2016
;; MSG SIZE  rcvd: 136
So basically, it does not reflect any DKIM record, just like I've experienced so far. Again, when I malform the string on purpose, same record, same DNS server, it does show up:

Code:
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> default._domainkey.mydomain.nl txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6366
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;default._domainkey.mydomain.nl. IN TXT

;; ANSWER SECTION:
default._domainkey.mydomain.nl. 86121 IN   TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbF7qeeve99lIm+TJqdjNZY7c2amCNUdl+B2p8KTkLTLEnm/eXpzCgUvIoBHGEdkEIrFNV4YnFDiOIKrQs0+ZlQ6gGIYjVLKNkO7UryeSexQet1fBs0CPHb53zFkoQKdkv3CW0Wj5aKAc4KzS8ghxRBwGa7axe/8LiUimPhMD46VoIHIxC3qB6eaFB6Gab9vm"

;; AUTHORITY SECTION:
.       23659   IN   NS   k.root-servers.net.
.       23659   IN   NS   i.root-servers.net.
.       23659   IN   NS   m.root-servers.net.
.       23659   IN   NS   h.root-servers.net.
.       23659   IN   NS   c.root-servers.net.
.       23659   IN   NS   l.root-servers.net.
.       23659   IN   NS   j.root-servers.net.
.       23659   IN   NS   e.root-servers.net.
.       23659   IN   NS   f.root-servers.net.
.       23659   IN   NS   b.root-servers.net.
.       23659   IN   NS   d.root-servers.net.
.       23659   IN   NS   a.root-servers.net.
.       23659   IN   NS   g.root-servers.net.

;; ADDITIONAL SECTION:
E.ROOT-SERVERS.net.   2649   IN   AAAA   2001:500:a8::e
G.ROOT-SERVERS.net.   24946   IN   AAAA   2001:500:12::d0d

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Oct 25 23:37:21 CEST 2016
;; MSG SIZE  rcvd: 618
So, again, the original record reads as follows and shows no result in dig:
Code:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6RNi98sPyc5ld+++jHym+V4/eSMU/IWL9UNmfCUd+P8XI8MSJyeLGzFbSex5MGOxtVWGgzUvAQ2BFukZNkyJCXXp4GYWeKbLuCCpcrSAa6B2rOvdZ+8APpm48YZUf/DwCGUi1z0TJ90CEyIAOo5CCufbkuSRqVdmi5NQv/jWBpu6tGoU3yg+MvX4MnjOzODkd" uPf2vfrUYGzIE75EHvY/CFtS1Mn338T5NnjxxVRfqeH66qZW0PWHgKDu3L7ZNyfqpHvr/23SVNGjOkVht84L0LtVMMdqPQ/XDdLmalobc8pK2Y/SsCHDzpPbR+q5S3aiJYwG01nXCiR9uljjE0PrQIDAQAB\;
And when I "malform" the record by cutting off the 'p=' after the end-quotes, it reads as follows and shows a result with dig:
Code:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbF7qeeve99lIm+TJqdjNZY7c2amCNUdl+B2p8KTkLTLEnm/eXpzCgUvIoBHGEdkEIrFNV4YnFDiOIKrQs0+ZlQ6gGIYjVLKNkO7UryeSexQet1fBs0CPHb53zFkoQKdkv3CW0Wj5aKAc4KzS8ghxRBwGa7axe/8LiUimPhMD46VoIHIxC3qB6eaFB6Gab9vm"
Please guys, I don't mean to be rude, but given this information it shouldn't be that hard to figure out what goes wrong, right? IMHO the original string is formatted in such a way that the DNS server itself/dig/nslookup/3rd party checker does not even recognize the TXT as such, whereas when I remove the part after the end-quotes it does. Needless to say that I end up with an error then, since the key is not complete.

Perhaps I need to reformat the original string manually? I've tried several ways of reformatting, but so far it has yielded no results.

Looking forward to suggestions and/or questions!
 
Last edited:
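An added example, not part of the original thread and not cPanel's code: a Python check that takes a TXT answer as dig prints it, joins its character-strings the way a DKIM verifier does (RFC 6376 says with no intervening whitespace), and tests whether `p=` still decodes to a complete key. The sample key is a constructed placeholder and the function names are this example's own; it shows why a record cut down to its first string can resolve and still not carry a usable key.

```python
import base64, binascii, re

def txt_strings(rdata):
    """Quoted character-strings of one TXT answer as dig prints it (one-character escapes only)."""
    return [re.sub(r"\\(.)", r"\1", s) for s in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)]

def der_total_length(der):
    """Size the outer DER SEQUENCE claims for itself (header + content), or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_txt(rdata):
    """Return a list of problems; an empty list means the key record is structurally intact."""
    strings = txt_strings(rdata)
    if not strings:
        return ["no quoted character-string found"]
    problems = [f"string {i} is {len(s.encode())} bytes (limit 255)"
                for i, s in enumerate(strings) if len(s.encode()) > 255]
    record = "".join(strings)  # verifiers join the strings with nothing in between
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 tag missing")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (cut off mid-key?)"]
    declared = der_total_length(der)
    if declared != len(der):
        problems.append(f"p= decodes to {len(der)} bytes, DER header declares {declared}")
    return problems

def quoted(s):
    """Render one character-string the way dig shows it: quoted, with ';' escaped."""
    return '"' + s.replace(";", "\\;") + '"'

# Constructed sample: 294 bytes carrying the DER header of a 2048-bit RSA key. Not a real key.
RAW = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes.fromhex("30820122") + bytes(290)).decode() + ";"
SPLIT = quoted(RAW[:255]) + " " + quoted(RAW[255:])  # two strings, each within the limit
FIRST_ONLY = quoted(RAW[:255])                       # second string dropped
UNSPLIT = quoted(RAW)                                # one string longer than 255 bytes

if __name__ == "__main__":
    for name in ("SPLIT", "FIRST_ONLY", "UNSPLIT"):
        print(name, check_dkim_txt(globals()[name]) or "ok")
```

To use it on a live record, pass the quoted part of the answer line from `dig default._domainkey.<domain> txt` to `check_dkim_txt`.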

WilbertNL

Hi Michael,

As stated before, my provider is a, d.., no let's say: unwilling service provider. They say I should go for hosted exchange or something like that. Now, they don't even respond to mails on this subject anymore, very professional. Since I have a couple of sites hosted on their platform, you can imagine that I'm quite upset with this kind of attitude.

Still hope someone here is able to help..
 

cPanelMichael

Hello,

The default records created in cPanel for DKIM are working correctly when attempting to reproduce this on a test machine. Have you verified the default record actually causes issues with email delivery, as opposed to the manual checks using dig or third-party email checking utilities? If so, we'd need access to the affected system in order to investigate what's happening. You may want to ask your provider to open a support ticket with us so we can take a closer look, or consider switching to another provider that's more responsive to your support requests.

Thank you.
 

WilbertNL

Hello Michael,

Thanks.

The end-result is e.g. that mail ends up in spam very often, or in the case of Hotmail is not received at all.

I've used mail-tester.com to verify the spamminess of my mails and most (content, pictures, SPF, DMARC, etc.) looks good. See attachments. So I have to conclude that my DKIM record is the culprit. If you have any other ideas on how to figure out why my mails are not received at all by Hotmail (outlook.com) or end up in SPAM at other mail providers I'm looking forward to reading them.

Selection_999(656).jpg Selection_999(657).jpg

Too bad that you can't offer the easy fix I was hoping for. As stated before, if I need this to be sorted by my provider then I'm out of luck. Their last reply was "Sorry, can't help you." Their efforts on troubleshooting are disabling/enabling DKIM.

If you have any suggestions that I could try to remedy this, I'd be very happy to try them.

Cheers,
Wilbert.
 

cPanelMichael

Hello,

You could try reaching out to the individual mail providers to see if they can let you know why it's detected as SPAM. For instance, Hotmail offers a page here that includes a link to contact their support team:

Troubleshooting

Thank you.