DKIM Not Working on Addon Domain

cPanel & WHM Version
96.0.11

BLOB

cPanel Access Level
Website Owner
Hello,

I have a shared hosting account that uses cPanel version 96.0.11.
My main domain there is called mainexample.zzz
I also have an addon domain I'll call addonexample.zzz

When I added the addon domain a subdomain was created as well - addonexample.mainexample.zzz.

The addon domain is hosted on a separate VPS, uses CloudFlare (CF for short) for DNS hosting and I want to use the shared cPanel hosting for email only.
So I've added addonexample.mainexample.zzz as the MX record in CF and also a TXT record named default._domainkey that contains the DKIM record from cPanel's Zone Editor.

The problem I'm facing is that when I send a message to ping [at] tools.mxtoolbox.com I get the following problems in the sections "DKIM Alignment" and "DKIM Authenticated" in the received report:

Code:
Dkim Signature Error:
No DKIM-Signature header found

Dkim Signature Error:
There must be at least one aligned DKIM-Signature for the message to be considered aligned.

When I do the same from the main domain everything is fine.
I've tried changing the DKIM contents with the ones for addonexample.mainexample.zzz and mainexample.zzz but the result was the same.

I've also tried adding an A record for a subdomain mail with the shared hosting's IP (I saw that record as CNAME in the Zone Editor) and then setting it as the MX record but got the same result.


So far my only suspicions are that it refuses to work because the DKIM selector is wrong or I'm using CF instead of cPanel's DNS but I can't move to cPanel because I need CF for multiple reasons.

Please let me know if I can provide any more information.
 

cPRex

Staff member
cPanel Access Level
Root Administrator
Hey there! It sounds like you've done everything correctly, as copying the DKIM record to Cloudflare is what I would recommend in this situation.

Since the DNS isn't controlled by cPanel I don't have much advice on my end. It might be worth double-checking the record at Cloudflare to see if it matches the format of the cPanel record exactly. Here is what that looks like in plain text on my personal cPanel system:

Code:
default._domainkey      14400   IN      TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8xWT/7EhSq2NStifQU4lBMvs4nDMN6G3ieAGqabfPyci6l8Sz0h6EtytqQYkn1wDG6kApWZVz8GeItYSw8SGN9LHnbCBGNLlY6DeagYgrvpbWhfnFhASaECEJEGjGUKIdu+TEysPyjlycNh+MRKkPD73luJ9RGBdyUXJtiYoDA5GRJKFkRKVMMIzZtsrI2CMS" "oYDipI67NnCh/LZcYIFdROippMQnqJlq3kBsTtzdKXeWuZb4s+kJDlz1y7HAxFjp5VRj6S7EcFjXcCfyE6iHea+5XIhgt+K5B9DIbfGpSY8F2zWjES7D6BjpImaV3lloqXMP9KXWTc6BekHeJbW3wIDAQAB\;"
 

BLOB

Thanks for the reply but unfortunately that's not the problem.

The record's content in Cloudflare isn't split in parts, but it needs to be one piece instead.
I've already checked the live DKIM record with a few different online tools and all of them said it was fine syntax-wise.
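
The zone-file record quoted above is stored as two quoted chunks with an escaped `\;`, while a panel such as Cloudflare's takes the value as one string. The following is an added example, not part of either post and not cPanel code: it decodes the zone-file form and compares it with the value a resolver returns. The function names and key material are constructed placeholders.

```python
import re

def zone_txt_to_value(rdata: str) -> str:
    """Turn zone-file TXT rdata ("chunk1" "chunk2") into the logical value.

    Quoted chunks are concatenated with nothing in between, and zone-file
    escapes such as \\; are undone.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return re.sub(r"\\(.)", r"\1", "".join(chunks))

def parse_dkim_record(value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, dropping whitespace in values."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def compare_dkim(zone_rdata: str, live_value: str) -> list:
    """List the differences between the zone-file record and the value a
    resolver returns for the same name (an empty list means they match)."""
    want = parse_dkim_record(zone_txt_to_value(zone_rdata))
    have = parse_dkim_record(live_value)
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", have.get("p", "")):
        problems.append("p= is missing or not clean base64")
    for tag in ("v", "k", "p"):
        if want.get(tag) != have.get(tag):
            problems.append(f"{tag}= differs")
    return problems

# Constructed sample data: PART1/PART2 are placeholders, not a real key.
PART1, PART2 = "Q09OU1RSVUNURUQx", "Q09OU1RSVUNURUQy"
ZONE = f'"v=DKIM1; k=rsa; p={PART1}" "{PART2}\\;"'        # zone-file form
ONE_PIECE = f"v=DKIM1; k=rsa; p={PART1}{PART2};"           # pasted as one string
BAD_PASTE = f'v=DKIM1; k=rsa; p={PART1}" "{PART2}\\;'      # quotes pasted literally

if __name__ == "__main__":
    print(compare_dkim(ZONE, ONE_PIECE))
    print(compare_dkim(ZONE, BAD_PASTE))
```

A matching record only shows that verifiers can find the key; it does not show that the sending server is adding a signature.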
 

cPRex

If the formatting is correct, it might be best to reach out to Cloudflare directly to see if there is anything they can help with on their side. For whatever reason, the DNS record there is not being properly read, but that isn't something you would be able to fix with cPanel tools.
 

BLOB

I'll probably ask them as well, but I doubt it's CloudFlare's fault because all the test tools I've tried so far say that the default selector is fine for the live record.

Is it possible that another DKIM selector is needed instead of default? Something related to addonexample.mainexample.zzz or mail.addonexample.zzz?


And on a maybe related note - right now my hosting provides me with a dedicated IP address but the mail still goes through their main domain for the whole server (let's call it sharedserver1.zzz) instead of my own main domain - is there any way for this to be avoided?
The reason I'm asking is because their domain has already been blacklisted and it kinda defeats the purpose of the dedicated IP.


//EDIT:
Seems I'm not the only one with that problem, but unfortunately there's no solution there either - cPanel Not Signing DKIM for Sites with External Name Servers

I've also tested with dkimvalidator.com and mail-tester.com and the results were the same - "This message does not contain a DKIM Signature"


//EDIT2:
The problem seems to have been solved - I went to the "Email Deliverability" page in cPanel and got the following message:
"Information: The system detected 1 domain whose DKIM signatures were inactive despite valid DKIM configuration. The system has automatically enabled DKIM signatures for the following domain: “addonexample.zzz”"
I saw in another topic that it might be related to CloudFlare's IPv6 but can't test it unless it breaks again.
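
The test reports quoted in this thread separate two cases: no DKIM-Signature header at all, and a signature whose `d=` domain does not align with the From: domain. The following added example (not from the thread and not cPanel code) reads both from a received message and shows which selector and DNS name a verifier would look up. The sample messages and function names are constructed, and the alignment test is a simplification that compares domain suffixes without a Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

def _related(a: str, b: str) -> bool:
    """Simplified relaxed alignment: same domain, or one is a parent of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dkim_report(raw_message: str) -> list:
    """One entry per DKIM-Signature header: signing domain (d=), selector (s=),
    the DNS name holding the public key, and alignment with the From: domain.
    An empty list means the message carries no signature at all."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = {}
        # Folding whitespace is insignificant for the tags read here.
        for part in "".join(header.split()).split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name] = val
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "d": d,
            "s": s,
            "dns_name": f"{s}._domainkey.{d}",
            "aligned": bool(d) and _related(from_domain, d),
        })
    return report

# Constructed sample messages using the thread's placeholder domains.
BASE = "From: Sender <user@addonexample.zzz>\nTo: check@tools.example\nSubject: test\n"
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=default;\n"
       " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n")
UNSIGNED = BASE + "\nbody\n"
MISALIGNED = SIG.format(d="mainexample.zzz") + BASE + "\nbody\n"
ALIGNED = SIG.format(d="addonexample.zzz") + BASE + "\nbody\n"

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED), ("misaligned", MISALIGNED),
                      ("aligned", ALIGNED)):
        print(name, dkim_report(raw))
```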
 

cPRex

You can change the IP used to send mail on your server with the steps here:


That page gives you the option to change the IP entirely for all accounts, or to send from individual dedicated IPs.
 

BLOB

In other words I need to talk to my hosting provider and send them the link above, since I don't have root access to the server.
Thanks!
 

mikeserv

cPanel Access Level
Root Administrator
Just a note to say that if you enable DKIM in cPanel before your TXT records propagate (your locally configured resolver doesn't have the updated records yet) on the remote authoritative DNS, cPanel won't enable it, but it does store your settings. When you went in to Mail Deliverability again it checked the situation again and enabled it.

I went through the same thing and I was all "WTF" because I didn't realize it wouldn't start working on its own until that happened. When not using WHM/cPanel's DNS server (authoritatively), it's kind of chicken-before-egg because you don't know the public key to create your TXT record until you generate it. If we'd have let the form sit there for an hour or so before hitting the button to finalize the installation of the key it probably would have worked, I'm guessing.

Also, at first I didn't understand that I couldn't just generate my DKIM keys elsewhere and manually add the private key through cPanel. (That's how I thought it was going to work at first, but the fields aren't editable.)

Hope this helps some other confused souls finding out that things don't work how they thought they would :)
 