The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DKIM check keeps failing

Discussion in 'E-mail Discussions' started by WilbertNL, Sep 17, 2016.

Tags:
  1. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hi all,

    I've seen and read a lot of posts regarding this issue, but for the life of me, I still can't get it to work.

    Authentication generates a raw DKIM record which is immediately reflected in my DNS records:
    Code:
    default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxutyDFPRD999pi1VVQtl5IvidPlqSKuPOCHW5CHOzyzDc/pn2Qc7dgNF1a2/r89jnWn/a8CWNCBt/5xGOy2a57jf2jfv78gFWWubuXMr1oOmaHBx81W2w0bTqzBlRcnsobaOQ6+EgNz0Cm2mQU/LCSFjM/7B2UMn59uoSxU48hz87OI5X76X2coT04VtJfgC/" CVyhZ7R4TJKaBv6bcART2fYS8Dus/l4iQ4QbrNgV4iDk24vQ8sEY8M3taNBqyr4IqftH9QvUH73fzoge7/4KpA2VgMaYM/sxqA9G/7gqyzkTHAEu6Qv5udd0C3yhGcerrFGM69PK9lqUJesj1chXwIDAQAB\;
    However, when I do a SPF & DKIM check, using mail-tester.com e.g., a SPF record is found, but the DKIM check fails (my real domain is replaced by mydomain):

    Code:
    No DNS record found for default._domainkey.mydomain.nl
    
    When I remove the second part of the key (with zone editor in WHM), the part without the quotations, so that the TXT reflects:

    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxutyDFPRD999pi1VVQtl5IvidPlqSKuPOCHW5CHOzyzDc/pn2Qc7dgNF1a2/r89jnWn/a8CWNCBt/5xGOy2a57jf2jfv78gFWWubuXMr1oOmaHBx81W2w0bTqzBlRcnsobaOQ6+EgNz0Cm2mQU/LCSFjM/7B2UMn59uoSxU48hz87OI5X76X2coT04VtJfgC/"
    
    I do get a result with the DKIM check:

    Code:
     
    DNS record for default._domainkey.mydomain.nl: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxutyDFPRD999pi1VVQtl5IvidPlqSKuPOCHW5CHOzyzDc/pn2Qc7dgNF1a2/r89jnWn/a8CWNCBt/5xGOy2a57jf2jfv78gFWWubuXMr1oOmaHBx81W2w0bTqzBlRcnsobaOQ6+EgNz0Cm2mQU/LCSFjM/7B2UMn59uoSxU48hz87OI5X76X2coT04VtJfgC/"
    
    Although the split that cPanel generates looks by design, for some reason it is not properly recognized by the various DKIM checkers, nor by a nslookup/dig.

    Any help would be greatly appreciated!

    Thanks,
    Wilbert.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,833
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    This seems like an issue with the website you are using to test the DKIM record. Have you tried using another testing website, such as Port25?

    Thank you.
     
  3. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hi Michael,

    Thanks for your suggestion. I'll test it in a bit and report back shortly.

    Cheers,
    Wilbert
     
  4. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Port25 comes back with:
    Code:
    DKIM check:         permerror
    ..
    Result:         permerror (key "default._domainkey.mydomain.nl" doesn't exist)
    ...
    DNS record(s):
        default._domainkey.mydomain.nl. TXT (NXDOMAIN)
    
    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions.  If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.
    
    nslookup on a google server:
    Code:
    > server 8.8.8.8
    Default server: 8.8.8.8
    Address: 8.8.8.8#53
    > default._domainkey.mydomain.nl
    Server:     8.8.8.8
    Address:   8.8.8.8#53
    
    ** server can't find default._domainkey.mydomain.nl: NXDOMAIN
    
    > server 8.8.8.8
    Default server: 8.8.8.8
    Address: 8.8.8.8#53
    > tragepcweersnel.nl
    Server:     8.8.8.8
    Address:   8.8.8.8#53
    
    Non-authoritative answer:
    mydomain.nl   text = "v=spf1 +a +mx +ip4:95.211.20.171 ~all"
    
    nslookup on the authoritative server:
    Code:
    > server my.hostingprovider.eu
    Default server: my.hostingprovider.eu
    Address: xx.xx.xx.xx#53
    > default._domainkey.mydomain.nl
    ;; Truncated, retrying in TCP mode.
    Server:     my.hostingprovider.eu
    Address:   xx.xx.xx.xx#53
    
    default._domainkey.mydomain.nl   text = "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwcH1IDBj/Uzpnm0HKLXdlTIlEeTxY/+GL7gjB79zM6Z/0x7/SgUJmxqc/grbRxusUPlKn8+Of4Q0b0LVASt/zdQebYDZRM3t6UVZdQtFl7zohmz9YH41ZTdQJwSCkLF5Y9BXvoCpc0G8n6TXfsAy31OuOxlT7P1LEJTM2TaPNemDT5Q1UAfFGOb/uV8NxRbGs" "9TUVIPHbObXi9v+1MT4niH/fg9Y+8wjOS7WZ+lK8pIAC7qEQp+QKW31pFhAeuMc/v6j8NpjderNjqxvEkkW9SgIVnvrhZNF/SBk0oMlyfmEK5UB2AjH0QI6JGJ+O2z3v6Ykr4DlZqqHslVJSTeOKQIDAQAB\;"
    > mydomain.nl
    Server:     my.hostingprovider.eu
    Address:   xx.xx.xx.xx#53
    
    mydomain.nl   text = "v=spf1 +a +mx +ip4:xx.xx.xx.xx ~all"
    
    Does this help at all?

    Thanks!
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,833
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hello Michael,

    Thanks for your reply.

    I did see that thread earlier, but my nameserver is a local server that should be accessible for edits. Although SPF says:
    Code:
    Status: Enabled (DNS Check Passed) Active (DNS Check Passed)
    
    DKIM complains when the automatically generated string is added to DNS:
    Code:
    Status: Enabled
    Warning: cPanel is unable to verify that this server is an authoritative nameserver for “mydomain.nl”.
    
    So why does SPF passes the check and DKIM doesn't?

    As stated before, as soon as I enable DKIM in Authentication, the changes are immediately reflected in the DNS zone, so imho it actually does have access to edit the zone.

    The other day I did see that DKIM also passed the DNS check, but that was after I manually "malformed" the p-key by removing the latter part of the key. Which obviously does not resolve the issue, but is a bit mysterious as to why the DNS check passes then. I will check to see if I can reproduce this.

    In the mean time, suggestions are very welcome! I'm encountering serious issues with clients unable to receive my e-mails. Especially outlook live seems extremely picky: mails sent to e.g. gmail arrive just fine, in outlook live they're not received at all, not even as spam.

    Thanks in advance,
    Wilbert.
     
  7. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    On a side-note: my hostingprovider is all but willing to help me resolve this issue. According to them I should move to a "professional" hosted mail, like hosted exchange. Which is ridiculous and doesn't help me at all with mails sent directly from the website since they are also processed by the same mailserver that uses the mentioned DKIM. I hope you can appreciate that I need to turn to you to have this issue resolved.
     
  8. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Your domain DNS is controlled by the cPanel server alone?

    mail-tester.com works fine for all the domains that I have setup, so I doubt it is related to that.

    Also note that sometimes these tools cache the DNS settings which may give incorrect results.
     
  9. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hi Ruzbehraja,

    Thanks for your input!

    As far as I'm aware DNS is controlled by cPanel alone, that is: all configuration of DNS is done using cPanel or WHM.

    With regards to your cache comment, I disabled and then enabled DKIM on when I wrote:
    and tested with port25 34 hours later on Sunday 25th. I would assume caching would not be an issue. Besides, almost as soon as I disable DKIM and run the test, DKIM gets a "Neutral" status in the port25 report. So caching doesn't seem to be an issue anyway.

    Please keep your suggestions coming!

    Cheers,
    Wilbert.
     
  10. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    What is the output of

    Code:
    dig default._domainkey.domainname.com txt



    If you change the Nameservers and put the same DKIM key into an external DNS server does it work?

    You could try that out. You could try it with CloudFlare or any other free DNS provider.

    See: DKIM recipe with 3rd party / external DNS
     
    cPanelMichael likes this.
  11. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hi,

    Thanks for your suggestion. Sorry for the late reply, dmn holidays ;-)

    I noticed it went better if I disabled DKIM (read somewhere that no DKIM is better than a bad DKIM) so I've just re-enabled it in order to generate the dig results.

    With regards to testing it on a other nameserver: well, to be honest, I'd rather not. If that works, than it only shows that CP has an issue. If it doesn't work, than it still shows CP has an issue since it is the string generated by CP. Or is my thinking flawed?

    Dig report will follow shortly.

    Cheers,
    Wilbert.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,833
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    I recommend reaching out to your web hosting provider for additional assistance if you don't have root access to the server. They should be able to determine why the correct record isn't populated and detected in the zone file for the domain name.

    Thank you.
     
  13. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    dig output:
    Code:
    ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> default._domainkey.mydomain.nl txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28223
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;default._domainkey.mydomain.nl. IN TXT
    
    ;; AUTHORITY SECTION:
    mydomain.nl.   144   IN   SOA   ns1.myhosting.eu. myname.myotheremaildomain.nl. 2016102518 3600 7200 1209600 86400
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Tue Oct 25 23:23:49 CEST 2016
    ;; MSG SIZE  rcvd: 136
    
    So basically, it does not reflect any DKIM record, just like I've experienced so far. Again, why I malform the string on purpose, same record, same DNS server, it does show up:

    Code:
    ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> default._domainkey.mydomain.nl txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6366
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;default._domainkey.mydomain.nl. IN TXT
    
    ;; ANSWER SECTION:
    default._domainkey.mydomain.nl. 86121 IN   TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbF7qeeve99lIm+TJqdjNZY7c2amCNUdl+B2p8KTkLTLEnm/eXpzCgUvIoBHGEdkEIrFNV4YnFDiOIKrQs0+ZlQ6gGIYjVLKNkO7UryeSexQet1fBs0CPHb53zFkoQKdkv3CW0Wj5aKAc4KzS8ghxRBwGa7axe/8LiUimPhMD46VoIHIxC3qB6eaFB6Gab9vm"
    
    ;; AUTHORITY SECTION:
    .       23659   IN   NS   k.root-servers.net.
    .       23659   IN   NS   i.root-servers.net.
    .       23659   IN   NS   m.root-servers.net.
    .       23659   IN   NS   h.root-servers.net.
    .       23659   IN   NS   c.root-servers.net.
    .       23659   IN   NS   l.root-servers.net.
    .       23659   IN   NS   j.root-servers.net.
    .       23659   IN   NS   e.root-servers.net.
    .       23659   IN   NS   f.root-servers.net.
    .       23659   IN   NS   b.root-servers.net.
    .       23659   IN   NS   d.root-servers.net.
    .       23659   IN   NS   a.root-servers.net.
    .       23659   IN   NS   g.root-servers.net.
    
    ;; ADDITIONAL SECTION:
    E.ROOT-SERVERS.net.   2649   IN   AAAA   2001:500:a8::e
    G.ROOT-SERVERS.net.   24946   IN   AAAA   2001:500:12::d0d
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Tue Oct 25 23:37:21 CEST 2016
    ;; MSG SIZE  rcvd: 618
    
    So, again, the original record reads as follows and shows no result in dig:
    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6RNi98sPyc5ld+++jHym+V4/eSMU/IWL9UNmfCUd+P8XI8MSJyeLGzFbSex5MGOxtVWGgzUvAQ2BFukZNkyJCXXp4GYWeKbLuCCpcrSAa6B2rOvdZ+8APpm48YZUf/DwCGUi1z0TJ90CEyIAOo5CCufbkuSRqVdmi5NQv/jWBpu6tGoU3yg+MvX4MnjOzODkd" uPf2vfrUYGzIE75EHvY/CFtS1Mn338T5NnjxxVRfqeH66qZW0PWHgKDu3L7ZNyfqpHvr/23SVNGjOkVht84L0LtVMMdqPQ/XDdLmalobc8pK2Y/SsCHDzpPbR+q5S3aiJYwG01nXCiR9uljjE0PrQIDAQAB\;
    
    
    And when I "malform" the record by cutting off the 'p=' after the end-quotes, it reads as follows and shows a result with dig:
    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbF7qeeve99lIm+TJqdjNZY7c2amCNUdl+B2p8KTkLTLEnm/eXpzCgUvIoBHGEdkEIrFNV4YnFDiOIKrQs0+ZlQ6gGIYjVLKNkO7UryeSexQet1fBs0CPHb53zFkoQKdkv3CW0Wj5aKAc4KzS8ghxRBwGa7axe/8LiUimPhMD46VoIHIxC3qB6eaFB6Gab9vm"
    
    Please guys, I don't mean to be rude, but given this information it shouldn't be that hard to figure out what goes wrong right? IMHO the original string is formatted in such a way that the DNS server itself/dig/nslookup/3rd party checker does not even recognize the TXT as such, when as I remove the part after the end-quotes it does. Needless to say that I end up with an error then, since the key is not complete.

    Perhaps I need to reformat the original string manually? I've tried several way of reformatting, but so far yielded no results.

    Looking forward to suggestions and/or questions!
     
    #13 WilbertNL, Oct 25, 2016
    Last edited: Oct 25, 2016
  14. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hi Michael,

    As stated before, my provider is a, d.., no let's say: unwilling service provider. They say I should go for hosted exchange or something like that. Now, they don't even respond to mails on this subject anymore, very professional. Since I have a couple of sites hosted on their platform, you can imagine that I'm quite upset with this kind of attitude.

    Still hope someone here is able to help..
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,833
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The default records created in cPanel for DKIM are working correctly when attempting to reproduce this on a test machine. Have you verified the default record actually causes issues with email delivery, as opposed to the manual checks using dig or third-party email checking utilities? If so, we'd need access to the affected system in order to investigate what's happening. You may want to ask your provider to open a support ticket with us so we can take a closer look, or consider switching to another provider that's more responsive to your support requests.

    Thank you.
     
  16. WilbertNL

    WilbertNL Member

    Joined:
    Sep 17, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    NL
    cPanel Access Level:
    Reseller Owner
    Hello Michael,

    Thanks.

    The end-result is e.g. that mail ends up in spam very often, or in the case of Hotmail is not received at all.

    I've used mail-tester.com to verify the spamminess of my mails and most (content, pictures, SPF, DMARC, etc.) looks good. See attachments. So I have to conclude that my DKIM record is the culprit. If you have any other ideas on how to figure out why my mails are not received at all by Hotmail (outlook.com) or end up in SPAM at other mail providers I'm looking forward to reading them.

    Selection_999(656).jpg Selection_999(657).jpg

    Too bad that you can't offer the easy fix I was hoping for. As stated before, if I need this to be sorted by my provider then I'm out of luck. Their last reply was "Sorry, can't help you." Their efforts on troubleshooting is disabling/enabling DKIM.

    If you have any suggestions that I could try to remedy this, I'd be very happy to try them.

    Cheers,
    Wilbert.
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,833
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You could try reaching out the individual mail providers to see if they can let you know why it's detected as SPAM. For instance, Hotmail offers a page here that includes a link to contact their support team:

    Troubleshooting

    Thank you.
     
Loading...

Share This Page