Leigh.Jackson

Member
Oct 22, 2019
5
0
1
UK
cPanel Access Level
Reseller Owner
I am hosting sites through cPanel at example.com. The URLs are all hidden behind URLs hosted by another provider with parked domains and CNAME and A record redirects, from example2.com.

When I send emails from within the website I send as if I am [email protected], but the header is showing as from [email protected].

I need to create a DKIM TXT record to provide to the other host to add to their DNS to say I am authorised to send from @example.com.

How can I do this? I can only seem to generate for each of the parked domains, but I want to generate at the root (i.e. not at the site1.example2.com parked domain, but at example2.com).

Is this even possible in cPanel or WHM?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hi @Leigh.Jackson


Is example.com hosted on the cPanel server? If so, you should be able to go to cPanel>>Email>>Email Deliverability -> Manage (next to the domain) and generate the DKIM from that interface.
 

Leigh.Jackson

example.com is on the cPanel server, but example2.com is not.

I have had my provider generate the DKIM, which they have done and I have uploaded to the DNS server, but we now can't find where to change email deliverability to use a different DKIM selector than the default (which is bad DKIM practice anyway).
 

cPanelLauren

> example.com is on the cPanel server, but example2.com is not.
>
> I have had my provider generate the DKIM, which they have done and I have uploaded to the DNS server, but we now can't find where to change email deliverability to use a different DKIM selector than the default (which is bad DKIM practice anyway).

The autogenerated DKIM signature within cPanel will only generate a DKIM with the default selector. If your cPanel server is not the authoritative nameserver (i.e., DNS is not hosted there) you wouldn't be able to use the auto generator present in Email Deliverability. You can manually add the DKIM with whichever selector you've chosen at /var/cpanel/domain_keys/
 

Leigh.Jackson

We have manually added the DKIM and selector, but it is still sending emails with the default selector. In the email header the from domain is successfully showing as example2.com. But the DKIM is not showing correctly; s is still default as below (partially removed for security reasons). How do we make cPanel use the correct selector? We cannot change to default as this is not DMARC compliant and the DNS server is used for multiple sending servers so each must be unique.

v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=example.com; s=default; h=Date:Message-Id:From:Subject:To:Sender:
Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
 

cPanelLauren

Hello,


I'm curious why you believe that default is not DMARC compliant? The only specification for DKIM with DMARC I'm aware of is the following in the adkim= section:

“adkim=” This sets the DKIM alignment. It can either be set to “s” for strict or “r” for relaxed. Strict means the DKIM portion of DMARC authentication will only pass if the d= field in the DKIM signature EXACTLY matches the from domain. If it is set to relaxed, messages will pass the DKIM portion of the DMARC authentication if the DKIM d= field matches the root domain of the from address.

When you run the following, which DKIM signature do you get back? The custom selector or the default?

Code:
dig txt default._domainkey.domain.tld
dig txt yourselector._domainkey.domain.tld
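
An added example, not part of the thread and not cPanel code: it parses a DKIM-Signature value like the one quoted earlier, derives the DNS name that the dig commands above query, and applies the strict/relaxed adkim rule to a From domain. The sample header, the From domains in the usage and the small public-suffix set are constructed assumptions.

```python
import re

# Constructed sample modelled on the header quoted in the thread (h= list shortened).
SAMPLE_SIG = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n"
              " d=example.com; s=default; h=Date:Message-Id:From:Subject:To;")

# Assumption: a tiny stand-in for the Public Suffix List; use the full list in practice.
PUBLIC_SUFFIXES = {"com", "tld", "co.uk"}


def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(tags):
    """DNS name where a verifier fetches the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the set


def dkim_aligned(from_domain, tags, adkim="r"):
    """DMARC DKIM alignment compares only d= with the From domain; s= is not used."""
    d, frm = tags["d"].lower(), from_domain.lower()
    if adkim == "s":
        return d == frm  # strict: exact match
    return org_domain(d) == org_domain(frm)  # relaxed: same organizational domain


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIG)
    print("key record:", key_record_name(tags))
    for frm, mode in [("example2.com", "r"), ("site1.example.com", "r"),
                      ("site1.example.com", "s"), ("example.com", "s")]:
        print(f"From {frm} adkim={mode}: aligned={dkim_aligned(frm, tags, mode)}")
```
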
 

Leigh.Jackson

For the first command
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> txt default._domainkey.example.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20589
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;default._domainkey.example.tld. IN TXT

;; AUTHORITY SECTION:
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019103100 1800 900 604800 86400

;; Query time: 139 msec
;; SERVER: XX.XXX.XXX.XXX#53(XX.XXX.XXX.XXX)
;; WHEN: Thu Oct 31 12:41:57 GMT 2019
;; MSG SIZE rcvd: 140

For the second command
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> txt myseletor._domainkey.example2.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myselector._domainkey.cbre.tld. IN TXT

;; AUTHORITY SECTION:
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019103100 1800 900 604800 86400

;; Query time: 46 msec
;; SERVER: XX.XXX.XXX.XXX#53(XX.XXX.XXX.XXX)
;; WHEN: Thu Oct 31 12:43:32 GMT 2019
;; MSG SIZE rcvd: 135