Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

DKIM key split over several records not working

Discussion in 'E-mail Discussion' started by rpkemp, Oct 22, 2015.

  1. rpkemp

    rpkemp Registered

    Joined:
    Apr 12, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi. I am using Cpanel version 11.52.0.18. I want to set up DKIM for one of my domains. I'm using the Cpanel-generated key, which I have adapted (removing extraneous " and space from the middle and \; from the end) so that it is apparently acceptable (I checked it here: Check a DKIM Core Key).

    I'm using my hosting service provider's DNS servers, so I need to enter the DKIM key in their DNS management page. This won't accept the longer 2048-bit keys within a single record, so I was advised to split the key over a number of records - as I understand it these should then be concatenated into a single valid key.

    This is a screenshot of the settings in the hosting service control panel:

    - Removed -

    Unfortunately, the result doesn't seem to add up to a valid key. The response from check-auth@verifier.port25.com reads like this (I don't pretend to understand it):

    Code:
    Result:         permerror (invalid key: error reading public key: 139746777425664:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:;139746777425664:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:;139746777425664:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_PUBKEY;)

    And this is how the receiving server (for check-auth@verifier.port25.com) sees the key (I have changed the characters & the length of the lines):


    If anyone has any idea about what I might be doing wrong I'd be grateful.
     
    #1 rpkemp, Oct 22, 2015
    Last edited by a moderator: Nov 27, 2015
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,654
    Likes Received:
    2,087
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    Could you report this issue to your DNS provider? The output you provided suggests the record was not properly added to the zone.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Nov 11, 2015
  3. rpkemp

    rpkemp Registered

    Joined:
    Apr 12, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for your response, I'll do that & post back if anything emerges.
     
    #3 rpkemp, Nov 12, 2015
  4. movielad

    movielad Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    109
    Likes Received:
    2
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Twitter:
    I am that provider. ;)

    The biggest problem is that with every single DKIM record generated by cPanel, there appears to be an extraneous quote mark which causes a big problem for us and our customers. It'd help if we could set the size of the DKIM record so that it'll still fit within our infrastructure, but in the meantime, would you be able to provide a working example of how to split a DKIM record generated by cPanel? It seems to work for me (in that when I return to the cPanel Email Authentication section, it passes the check) but seemingly fails during external DKIM tests.

    We use TinyDNS as our nameserver of choice.

    Many thanks,

    Martyn
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 movielad, Nov 12, 2015
    orlando33 likes this.
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,654
    Likes Received:
    2,087
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Could you verify if you still encounter the issue on cPanel version 11.52.1.0 (available on the "Current" build tier)? It includes the following resolution:

    Fixed case CPANEL-526: Updated zone parsing to support mutli-line TXT records.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelMichael, Nov 12, 2015
  6. movielad

    movielad Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    109
    Likes Received:
    2
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Twitter:
    Trying to split the DKIM record gave by 11.52.1.0 looks like this when queried from DNS:

    Code:
    ; QUESTION SECTION:

;default._domainkey.lizziec.net.INTXT


;; ANSWER SECTION:

default._domainkey.lizziec.net.1800 INTXT"v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ss6mlpr9rAXCEVT1lMIFlY2W0KjbDAJ1HU4nZKYIIujj2lTNiQYd"

default._domainkey.lizziec.net.1800 INTXT"XYW+JZ5iYscfkgh1H/gjmgdlXet3ZT2+P3dNEnel2uwJEAKeu8hfzOOQFvWH3iGWu2GkVyFC7ReYHJYDqT08Sunk3hUmhHl5l2ntsFYAqviivTgAQEJSiIms8/vblJ22l3SeRI/BKXke"

default._domainkey.lizziec.net.1800 INTXT"AX8slrgR16/Cu1uAnEUq4kD2iahrQCdRcRP6XwlbEl4BAjlxn7E11WSBZHwCx8z0pt4FuOujZJMMpc/6SudPTdJ3TK0kZCXx6qkikfa/bF+ybzC72WCb4TVQIPABg3nfroDugZI7iDgEBS"

default._domainkey.lizziec.net.1800 INTXT"GubnGUwIDAQAB\\\;"
    And when querying DKIM testers, it usually reports that it's of the wrong length, e.g.:

    Code:
    DNS record for default._domainkey.lizziec.net:

"v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ss6mlpr9rAXCEVT1lMIFlY2W0KjbDAJ1HU4nZKYIIujj2lTNiQYd"

We were not able to retrieve the key length, there is maybe an issue in that key
    But according to the authentication section of cPanel, DKIM is active and passes the check.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 movielad, Nov 12, 2015
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,654
    Likes Received:
    2,087
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 cPanelMichael, Nov 12, 2015
  8. movielad

    movielad Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    109
    Likes Received:
    2
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Twitter:
    Submitting ticket now. I'm just going to post some screenshots here for reference.

    First image - this is what's presented to the user:

    2015-11-13_10-45-30.png

    We then split that over four TXT records. On the second line, we stop (and do NOT include) at the quote mark. We continue on the third line of the DKIM record. So it looks like this within our DNS manager:

    2015-11-13_10-50-12.png

    Once the DNS has reloaded, a refresh of the authentication page looks like this:

    2015-11-13_10-43-00.png

    and performing a dig on the record:

    2015-11-13_10-52-52.png
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 movielad, Nov 13, 2015
    Last edited by a moderator: Dec 18, 2015
    Infopro likes this.
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,654
    Likes Received:
    2,087
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    To update, per the information in the support ticket, we actually split the DKIM record into 255-byte chunks by design. RFC 1035 specifies that character strings must be split up into chunks of 255 or fewer octets. The DKIM record in the zone on the cPanel server looks correct, but the records are wrapped in quotations when querying the nameservers from the entry added in TinyDNS. The advice was to consult with TinyDNS to see if there is a recommended way to address that.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 cPanelMichael, Nov 16, 2015
  10. movielad

    movielad Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    109
    Likes Received:
    2
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Twitter:
    Just a follow-up: Memset has now fixed our DNS manager so that you can copy and paste the record into our DNS manager and it'll be parsed properly. I've checked against an external DKIM checker and it all works. No more splitting records, etc. Takes a single line.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 movielad, Dec 18, 2015
  11. rpkemp

    rpkemp Registered

    Joined:
    Apr 12, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Excellent, many thanks, I'll give it a try.
     
    #11 rpkemp, Dec 18, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - DKIM split several
  1. sheldon199

    New Thread DKIM not signing messages properly

    sheldon199, Apr 18, 2019 at 12:09 PM, in forum: E-mail Discussion
    Replies:
    0
    Views:
    8
    sheldon199
    Apr 18, 2019 at 12:09 PM
  2. lukekenny

    DKIM fail sending to Office 365 and Outlook.com

    lukekenny, Apr 12, 2019 at 8:01 AM, in forum: E-mail Discussion
    Replies:
    2
    Views:
    356
    lukekenny
    Apr 16, 2019 at 12:08 PM
  3. Volox

    DKIM Signature Body Hash not verifying

    Volox, Mar 17, 2019, in forum: E-mail Discussion
    Replies:
    4
    Views:
    428
    cPanelMichael
    Mar 20, 2019
  4. chris0147

    SOLVED Exim not adding DKIM on outgoing mail

    chris0147, Mar 2, 2019, in forum: E-mail Discussion
    Replies:
    7
    Views:
    1,353
    Martin Hinrichsen
    Apr 10, 2019
  5. Lakeswimmer

    SOLVED DKIM for hostname

    Lakeswimmer, Feb 16, 2019, in forum: E-mail Discussion
    Replies:
    3
    Views:
    202
    cPanelMichael
    Feb 20, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice