The Community Forums


DKIM error reported, generated the key twice... still wrong.

Discussion in 'E-mail Discussions' started by tamalero, Dec 28, 2015.

  1. tamalero

    tamalero Member

    Joined:
    Mar 4, 2013
    Messages:
    21
    Likes Received:
    2
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hello!

    I have been using cPanel for quite a bit, and this DKIM error baffles me.
    DKIM used to work perfectly, but then we switched servers and moved the cPanel account.

    Then out of nowhere I got an "Email rejected, incorrect DKIM signature".
    I decided to check, and the cPanel account was using the old DKIM keys.
    So I disabled DKIM and then re-enabled it to create a new code, then uploaded the new DKIM signature code into my domain controller (GoDaddy to Peer1).
    Now I'm getting a DKIM "temperror".

    Here's the verifier response:

    Code:
    This message is an automatic response from Port25's authentication verifier
    service at verifier.port25.com.  The service allows email senders to perform
    a simple check of various sender authentication mechanisms.  It is provided
    free of charge, in the hope that it is useful to the email community.  While
    it is not officially supported, we welcome any feedback you may have at
    <verifier-feedback@port25.com>.
    
    Thank you for using the verifier,
    
    The Port25 Solutions, Inc. team
    
    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         temperror
    Sender-ID check:    pass
    SpamAssassin check: ham
    
    ==========================================================
    Details:
    ==========================================================
    
    HELO hostname:  XXXXXXXXX.com
    Source IP:      216.152.128.171
    mail-from:      cesar@XXXXXXXXX.com
    
    ----------------------------------------------------------
    SPF check details:
    ----------------------------------------------------------
    Result:         pass
    ID(s) verified: smtp.mailfrom=cesar@XXXXXXXXX.com
    DNS record(s):
        XXXXXXXXX.com. SPF (no records)
        XXXXXXXXX.com. 86400 IN TXT "google-site-verification=ZoyTQz0UleOZszknJwlkQI8e-Dp0qGtbag9k5VS0jrg"
        XXXXXXXXX.com. 86400 IN TXT "v=spf1 +a +mx +ip4:XXXXXXXXX+ip4:XXXXXXXXX -all"
        XXXXXXXXX.com. 86400 IN A XXXXXXXXX
    
    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: header.From=cesar@XXXXXXXXX.com
    DNS record(s):
    
    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result:         temperror (error retrieving key record: IOException, status = StatusDnsQueryFailed)
    ID(s) verified:
    Canonicalized Headers:
        content-transfer-encoding:8bit'0D''0A'
        content-type:text/plain;'20'charset=utf-8;'20'format=flowed'0D''0A'
        mime-version:1.0'0D''0A'
        date:Mon,'20'28'20'Dec'20'2015'20'12:12:05'20'-0600'0D''0A'
        message-id:<56817B75.9020203@XXXXXXXXX.com>'0D''0A'
        subject:test'0D''0A'
        from:Cesar'20'<cesar@XXXXXXXXX.com>'0D''0A'
        to:check-auth2@verifier.port25.com'0D''0A'
        dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=XXXXXXXXX.com;'20's=default;'20'h=Content-Transfer-Encoding:Content-Type:'20'MIME-Version:Date:Message-ID:Subject:From:To;'20'bh=GFKB/oeqA+OLVJA1riRaud7TaBuXL8wGRC4OEmq3HBI=;'20'b=;
    
    Canonicalized Body:
        '0D''0A'
        --'0D''0A'
        C'C3''A9'sar'20'R.'0D''0A'
        IT'20'-'20'XXXXXXXXX'0D''0A'
      
    
    DNS record(s):
        default._domainkey.XXXXXXXXX.com. TXT (StatusDnsQueryFailed)
    
    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions.  If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.
    
    ----------------------------------------------------------
    Sender-ID check details:
    ----------------------------------------------------------
    Result:         pass
    ID(s) verified: header.From=cesar@XXXXXXXXX.com
    DNS record(s):
        XXXXXXXXX.com. SPF (no records)
        XXXXXXXXX.com. 86400 IN TXT "google-site-verification=ZoyTQz0UleOZszknJwlkQI8e-Dp0qGtbag9k5VS0jrg"
        XXXXXXXXX.com. 86400 IN TXT "v=spf1 +a +mx +ip4:XXXXXXXXX +ip4:XXXXXXXXX -all"
        XXXXXXXXX.com. 86400 IN A 216.152.128.171
    
    ----------------------------------------------------------
    SpamAssassin check details:
    ----------------------------------------------------------
    SpamAssassin v3.4.0 (2014-02-07)
    
    Result:         ham  (-1.7 points, 5.0 required)
    
    pts rule name              description
    ---- ---------------------- --------------------------------------------------
    -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
    -0.0 SPF_PASS               SPF: sender matches SPF record
    -0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                [score: 0.0000]
    0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
    0.1 FROM_12LTRDOM          From a 12-letter domain
    
    ==========================================================
    Explanation of the possible results (from RFC 5451)
    ==========================================================
    
    SPF and Sender-ID Results
    =========================
    
    "none"
          No policy records were published at the sender's DNS domain.
    
    "neutral"
          The sender's ADMD has asserted that it cannot or does not
          want to assert whether or not the sending IP address is authorized
          to send mail using the sender's DNS domain.
    
    "pass"
          The client is authorized by the sender's ADMD to inject or
          relay mail on behalf of the sender's DNS domain.
    
    "policy"
         The client is authorized to inject or relay mail on behalf
          of the sender's DNS domain according to the authentication
          method's algorithm, but local policy dictates that the result is
          unacceptable.
    
    "fail"
          This client is explicitly not authorized to inject or
          relay mail using the sender's DNS domain.
    
    "softfail"
          The sender's ADMD believes the client was not authorized
          to inject or relay mail using the sender's DNS domain, but is
          unwilling to make a strong assertion to that effect.
    
    "temperror"
          The message could not be verified due to some error that
          is likely transient in nature, such as a temporary inability to
          retrieve a policy record from DNS.  A later attempt may produce a
          final result.
    
    "permerror"
          The message could not be verified due to some error that
          is unrecoverable, such as a required header field being absent or
          a syntax error in a retrieved DNS TXT record.  A later attempt is
          unlikely to produce a final result.
    
    
    DKIM and DomainKeys Results
    ===========================
    
    "none"
          The message was not signed.
    
    "pass"
          The message was signed, the signature or signatures were
          acceptable to the verifier, and the signature(s) passed
          verification tests.
    
    "fail"
          The message was signed and the signature or signatures were
          acceptable to the verifier, but they failed the verification
          test(s).
    
    "policy"
          The message was signed but the signature or signatures were
          not acceptable to the verifier.
    
    "neutral"
          The message was signed but the signature or signatures
          contained syntax errors or were not otherwise able to be
          processed.  This result SHOULD also be used for other
          failures not covered elsewhere in this list.
    
    "temperror"
          The message could not be verified due to some error that
          is likely transient in nature, such as a temporary inability
          to retrieve a public key.  A later attempt may produce a
          final result.
    
    "permerror"
          The message could not be verified due to some error that
          is unrecoverable, such as a required header field being
          absent. A later attempt is unlikely to produce a final result.
    
    
    ==========================================================
    Original Email
    ==========================================================
    
    Return-Path: <cesar@XXXXXXXXX.com>
    Received: from XXXXXXXXX.com (216.152.128.171) by verifier.port25.com id hg5tn220i3gf for <check-auth2@verifier.port25.com>; Mon, 28 Dec 2015 13:12:01 -0500 (envelope-from <cesar@XXXXXXXXX.com>)
    Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=cesar@XXXXXXXXX.com
    Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=cesar@XXXXXXXXX.com
    Authentication-Results: verifier.port25.com; dkim=temperror (error retrieving key record: IOException, status = StatusDnsQueryFailed)
    Authentication-Results: verifier.port25.com; sender-id=pass header.From=cesar@XXXXXXXXX.com
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=XXXXXXXXX.com; s=default; h=Content-Transfer-Encoding:Content-Type:
        MIME-Version:Date:Message-ID:Subject:From:To;
        bh=GFKB/oeqA+OLVJA1riRaud7TaBuXL8wGRC4OEmq3HBI=; b=v8I5DQgmM6eSstsdzESp7jft1T
        tVGtSNpdd3YROHIG/LnGll4EFn5U4DnaeEt2MvWSrk7eQSAiLINwgSam/ytksoDgF0aXpiyfdZR8b
        BUP5TJJqLCFvvGcojZUO6nAK59gOvdQEzbeXuLZQ3JwnaZv9IKbGRuXOzEw/kZQdK/j3KH4NtBrxr
        3KYzOLGOh8KdYKu/15wiSXSHgHVgpq/Jjafn/Pi6Fyjnk5O9QP85MI/5jd/zk+tc+PMujEJ89gzzw
        NqVj8Rmu3b2nV2+1t0C7dtRAplRWWcbjJqwB+WWZUD82YrcyyY3D1FPr2QllI/et3d7vokiIuHo9/
        UZNWuPKw==;
    Received: from 187-254-20-214-cable.cybercable.net.mx ([187.254.20.214]:10915 helo=[192.168.1.3])
        by main3.XXXXXXXXX.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
        (Exim 4.86)
        (envelope-from <cesar@XXXXXXXXX.com>)
        id 1aDcH1-0003J5-Ol
        for check-auth2@verifier.port25.com; Mon, 28 Dec 2015 12:11:59 -0600
    To: check-auth2@verifier.port25.com
    From: Cesar <cesar@XXXXXXXXX.com>
    Subject: test
    Message-ID: <56817B75.9020203@XXXXXXXXX.com>
    Date: Mon, 28 Dec 2015 12:12:05 -0600
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101
    Thunderbird/38.5.0
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8; format=flowed
    Content-Transfer-Encoding: 8bit
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - main3.XXXXXXXXX.com
    X-AntiAbuse: Original Domain - verifier.port25.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - XXXXXXXXX.com
    X-Get-Message-Sender-Via: main3.XXXXXXXXX.com: authenticated_id: cesar@XXXXXXXXX.com
    X-Authenticated-Sender: main3.XXXXXXXXX.com: cesar@XXXXXXXXX.com
    X-Source:
    X-Source-Args:
    X-Source-Dir: 

    Any suggestions? Is there a proper way to test whether the server and the NS controller are actually synced and giving the proper information on both fronts?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. tamalero

    tamalero Member

    Hi Michael,

    Sadly, that address you gave me confused me even more than it helped me.

    I have a third-party NS system (peer1.net, located at ns1.peer1.net and ns2.peer1.net),
    but I'm confused about the "splitting the DKIM code".

    I tried using the "dkim recipe with 3rd party external dns" thread... and it made me even more confused.

    First they talk about the "key", then they talk about the "selector", then they talk about the "public key".

    Can you shed some light on this?

    The raw DKIM code as it appears in the local DNS resolver in WHM is:
    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Btz0SbbpOqslwlPyjeX8XVeURSeYlpuc3BU5J+cTPHxq8rehE1bJx5Nu3i2jFTHPUooqGJoolW3nzj/eW37Dr9Yn66QkZfXoKCrMXSfeVIKZpi2mzOOQwApD84PKwuHUWyLdA2Uq9O6e4thO9WqEb6Wdf8sDiUpE+/cUNc+F2kcmj3Tx6RuRJyJuBOQsjen7" pPSxLfXj1XGHIBOvKpCZDpPs7XTeOnqc76HXAwf+RYkfeQ4dCDc32TQVhgESxONq8G+bJ/jx8tuXKnfwMlxRdiZuYnL0JUyeZEnCVZUT4cuSA3CE1x+dClp6mqQhAsLCwoh23c/Byxnmn44jTb1QQIDAQAB\;
    In cPanel:

    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Btz0SbbpOqslwlPyjeX8XVeURSeYlpuc3BU5J+cTPHxq8rehE1bJx5Nu3i2jFTHPUooqGJoolW3nzj/eW37Dr9Yn66QkZfXoKCrMXSfeVIKZpi2mzOOQwApD84PKwuHUWyLdA2Uq9O6e4thO9WqEb6Wdf8sDiUpE+/cUNc+F2kcmj3Tx6RuRJyJuBOQsjen7" pPSxLfXj1XGHIBOvKpCZDpPs7XTeOnqc76HXAwf+RYkfeQ4dCDc32TQVhgESxONq8G+bJ/jx8tuXKnfwMlxRdiZuYnL0JUyeZEnCVZUT4cuSA3CE1x+dClp6mqQhAsLCwoh23c/Byxnmn44jTb1QQIDAQAB\; 
    What is the locator? What is the real "key" vs. the "public key"?

    Note that my third-party DNS might eat some keys (like consecutive " " keys) but does not multi-split like the error samples.

    *edit*

    Using the tool on Check a DKIM Core Key, the key will always fail, claiming there is a "parsing error on line 415"
    on the key that cPanel gives for the respective account (on default):

    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv+iBU2F/eHRvMVbFRzL1E74b/1VmjChWkpBEQu2ECVKjrdKESdY09bSFidDJwk4mAI6aCQuFusNTnXM/MChh/ZlKLbuga6PcVmRJrhTWfj429dFRIHdWXKc35Qt3N15zCn+Mj7ZTSWtYCl4IA2r7wkhCKjbkGhCo3YUMXRn5O+zyJ/dkJrFUx12GJWmT1Ls1s" xvth1PyZJHW0BWCPEaNdP9AaKD9poHlwBvHtjKN7/qxQAaDK0zP0ftB6aK1K+l6BmTOdPeF/3D7iQQZb2jZylONDoV/srQNRjUE7tjmZNbUtw6dByylmes6yJ8WeQG+JbxWIUmgcWuaW+QShs4C4QIDAQAB\; 
    and at the bottom it says "The p= field must be base64 encoded".

    This is after removing the " on the 1st word.
     
    #3 tamalero, Dec 29, 2015
    Last edited: Dec 29, 2015
  4. tamalero

    tamalero Member

    Hi Michael,

    Is there a way to know if the key is 1024 bits or higher?
    Because cPanel now doesn't say anything about DKIM. It just says that everything is correct and enabled.

    My DNS server manager told me that they do not support keys higher than 1024 bits.

    Also, it seems that the server is not generating valid DKIM keys.
    I have regenerated them again and again and they are always invalid in the DKIM checker.

    The same error of:
    Code:
        The p= field must be base64 encoded
    
    Note that I have tried removing the spaces, the "s, the dashes, everything... and still errors.
     
    #4 tamalero, Jan 12, 2016
    Last edited: Jan 12, 2016
  5. johanan

    johanan Registered

    Joined:
    Jan 30, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Georgia
    cPanel Access Level:
    Root Administrator
    I am having the exact same problem with my cPanel DKIM. I'm trying to add the TXT record into my DNSMADEEASY control panel, and it won't let me. I tried removing spaces, ", and no luck. Can anyone please help us out? I searched everywhere and no one knows the answer. I was able to create a 1024-bit key and it worked, but cPanel defaults to 2048-bit.
     
  6. tamalero

    tamalero Member

    Seems many third-party name servers do not support 2048-bit keys.
    My provider also says that 1024-bit keys are the most they can handle right now, and they have "no idea" how to split the 2048-bit key correctly... yet.
    I wish they would let you change to 1024-bit keys in cPanel using a toggle or something.
     
  7. VNET a.s.

    VNET a.s. Registered

    Joined:
    Feb 3, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bratislava
    cPanel Access Level:
    Root Administrator
    Hi all, you can split it in several ways.

    This is what I get from cPanel:
    Code:
    default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ZAFu8bFt2PqrDQH4WhjwatQDYPSjSLMaIbqEK6RQGW61m0dZOIupyMym3VxPyGcP7yJhtW/flMRmkNWbLVpmI2M9fzkB951zbPAeuAdhUM8sRIUqQgz9FzCqtXVTgcnrdS4mfZub+KjOxwcErvTgQ80L9mOZsZs6Gvnt629Lb3ar4zsBu5ciToULF6HrWDpA" Uk/GH1TE5ERPEwj7sHMQeLunvsMJi9i4JDkZlGBzbq7YQpbiWl5sNJ5XJqVZYuro+flsTKqBzaK0ssyD4wvHiD4zRmztp3FDGq2upS/qjBxFMWdtPuPRRbUS/Kphiq083HIvcZkOIYejboZ5eUw2wIDAQAB\;
    
    And this is how it looks when I paste it into the DNS zone:

    Code:
    default._domainkey.example.sk.   IN   TXT   "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ZAFu8bFt2PqrDQH4WhjwatQDYPSjSLMaIbqEK6RQGW61m0dZOIupyMym3VxPyGcP7yJhtW/flMRmkNWbLVpmI2M9fzkB951zbPAeuAdhUM8sRIUqQgz9FzCqtXVTgcnrdS4mfZub+KjOxwcErvTgQ80L9mOZsZs6Gvnt629Lb3ar4zsBu5ciToULF6HrWDpA" "Uk/GH1TE5ERPEwj7sHMQeLunvsMJi9i4JDkZlGBzbq7YQpbiWl5sNJ5XJqVZYuro+flsTKqBzaK0ssyD4wvHiD4zRmztp3FDGq2upS/qjBxFMWdtPuPRRbUS/Kphiq083HIvcZkOIYejboZ5eUw2wIDAQAB"
    
    Beware: I have added double quotes and removed the last semicolon.

    Beware, if you use Webmin to edit your entries, be sure to edit the zone file and not the Text records, because it will show you only the first part of the DKIM key.

    If you do it correctly, this tool at Tools - mail-tester.com shows you the correct key length, e.g. 2048 bits.
     
    #7 VNET a.s., Feb 3, 2016
    Last edited by a moderator: Feb 3, 2016
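The split VNET describes comes from the DNS limit of 255 bytes per TXT character-string: cPanel's value is 410 characters, so it is published as two quoted strings that the verifier concatenates before reading the tags. The following checker is an added example, not code from the thread, cPanel or any DNS provider; it uses only the Python standard library, re-splits the value the way the zone line above shows, re-joins what a resolver would return, and reads the RSA key size (the question in post #4) by walking the DER inside `p=`. The sample key is the one VNET posted, re-joined; everything else is constructed here.

```python
import base64
import binascii
import re

TXT_STRING_MAX = 255  # RFC 1035 <character-string> limit that forces the split
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

# Sample input constructed from the thread: the two strings of the 2048-bit key
# VNET a.s. posted above (the first is exactly 255 bytes including the tags).
P_FIRST = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ZAFu8bFt2PqrDQH"
           "4WhjwatQDYPSjSLMaIbqEK6RQGW61m0dZOIupyMym3VxPyGcP7yJhtW/flMR"
           "mkNWbLVpmI2M9fzkB951zbPAeuAdhUM8sRIUqQgz9FzCqtXVTgcnrdS4mfZu"
           "b+KjOxwcErvTgQ80L9mOZsZs6Gvnt629Lb3ar4zsBu5ciToULF6HrWDpA")
P_SECOND = ("Uk/GH1TE5ERPEwj7sHMQeLunvsMJi9i4JDkZlGBzbq7YQpbiWl5sNJ5XJqVZ"
            "Yuro+flsTKqBzaK0ssyD4wvHiD4zRmztp3FDGq2upS/qjBxFMWdtPuPRRbUS"
            "/Kphiq083HIvcZkOIYejboZ5eUw2wIDAQAB")
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + P_FIRST + P_SECOND   # what cPanel generated

def split_txt(value, limit=TXT_STRING_MAX):
    """Split one long TXT value into quoted <=255-byte strings for a zone file."""
    parts = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join('"%s"' % p for p in parts)

def join_txt(rdata):
    """Concatenate the quoted strings of a TXT rdata, as a DKIM verifier does."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def parse_dkim_tags(record):
    """Parse 'k=v; k=v' into a dict; whitespace inside a value is ignored."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def _tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_b64):
    """Decode p= (a base64 SubjectPublicKeyInfo) and return the modulus size."""
    der = base64.b64decode(p_b64, validate=True)
    _, spki, _ = _tlv(der)                  # SEQUENCE SubjectPublicKeyInfo
    _, alg, pos = _tlv(spki)                # SEQUENCE AlgorithmIdentifier
    if _tlv(alg)[1] != RSA_OID:
        raise ValueError("k=rsa but the key is not an rsaEncryption key")
    _, bitstr, _ = _tlv(spki, pos)          # BIT STRING; first byte = unused bits
    _, rsa_pub, _ = _tlv(bitstr[1:])        # SEQUENCE RSAPublicKey
    _, modulus, _ = _tlv(rsa_pub)           # INTEGER n (leading 0x00 is harmless)
    return int.from_bytes(modulus, "big").bit_length()

def inspect_dkim_txt(rdata):
    """Validate a published TXT rdata; returns (bits, None) or (None, reason)."""
    tags = parse_dkim_tags(join_txt(rdata))
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return None, "missing v=DKIM1 or p= tag"
    try:
        return rsa_modulus_bits(tags["p"]), None
    except (binascii.Error, ValueError, IndexError) as exc:
        return None, "The p= field must be base64 encoded (%s)" % exc
```

`inspect_dkim_txt(split_txt(DKIM_VALUE))` returns `(2048, None)`; feeding it only the first 255-byte string, which is what a UI that keeps one string (or the Webmin "Text records" view above) ends up publishing, returns the same "must be base64 encoded" failure the checker in post #3 reported, because a 237-character base64 fragment cannot decode.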
  8. tamalero

    tamalero Member

    So... the semicolon needs to be removed?
     
  9. tamalero

    tamalero Member

    Still having problems... Peer1, which is handled by COHEN, pretty much gave no time nor any interest in changing their DNS infrastructure to support 2048-bit keys... my emails are being bounced because of the invalid, malformed 2048-bit key.

    Is there a way to switch to 1024-bit keys?

    Everywhere I try to search, it brings me back to older threads from 2014 about "updating" to 1024 and 2048, and not the opposite.
     
  10. tamalero

    tamalero Member

  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  12. tamalero

    tamalero Member

    Hi Michael,

    Already did; they told me to talk with my ISP provider... who in turn gave me the finger.
    In short... my hosting provider does not support the 2048-bit default-sized keys. They refuse to give an ETA or even say whether they are going to upgrade some day to 2048 or higher (they only accept 1028 keys).

    Just to say, I'm very disappointed at what Peer1 has turned into after being bought by COGECO/COGENT.
     