
DKIM problems with 3rd party / external DNS

Discussion in 'E-mail Discussions' started by vissa, Mar 31, 2012.

  1. vissa

    vissa Well-Known Member

    I'm having problems with DKIM using WHM 11.32.2 (build 8). I got SPF to work properly (verified with hotmail/etc), but DKIM is another issue entirely. I'm running my own server, but Domain Name Service (DNS) is provided by the registrar.

    It appears that WHM/CPANEL expects the server to also be the nameserver. I use Enom/Bulkregister or Godaddy for most domains -- and all of them support SPF and DKIM entries.

    The message I get from Cpanel is
    When I look at mail headers Hotmail receives, it is showing an Error/fault for DKIM. This is actually to be expected because there are no DNS entries back at Godaddy.. Cpanel doesn't show us what they should be (the ssh key, etc).

    It seems DKIM is set up with the assumption that cPanel also provides the DNS. How do I set it up for, let's say, Enom providing the DNS? I know how to edit the TXT entries in the DNS records, but cPanel doesn't provide any of the keys to the user (which it should). It does provide them for SPF. Is this an oversight? Is there a workaround?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Since DKIM requires public and private keys, how precisely would you store those keys at an off-server nameserver that you do not have backend access to? If cPanel DNS only were being used, you could certainly store the public and private keys, but the scenario you are indicating would not allow storing public and private keys at that nameserver location.

    Of note, the message you are receiving would definitely be correct about not using the machine as an authoritative registrar. We wouldn't support the setup you've indicated for that reason, because we do not control the machine and cannot generate keys you won't be using on the cPanel machine or a cPanel DNS only machine for the domain. You'll need to take the question up with GoDaddy or Enom on how to handle this type of scenario. Alternatively and more preferably, you could switch to having private nameservers that run from your machine or a cPanel DNS only machine to handle the zones.
     
  3. endelwar

    endelwar Member

    You need to add a TXT record in your remote dns server.
    If you look in /var/named you'll find the zone configuration files, open your file (somewhebsite.com.db) after enabling DKIM and look at TXT record called "default._domainkey": add that TXT record to your DNS server.
    The same procedure can be used to enable SPF on remote dns.
     
  4. vissa

    vissa Well-Known Member

    Ok well now I'm a little confused. I admit I know very little about how DKIM actually works, but I have successfully set up SPF.

    So cPanelTristan, you are saying I have no choice but to use my server as the DNS if I want to use DKIM? I have been using 3rd party DNS for years as they are usually faster than any single location nameserver (and won't go down when I need to do server updates, etc). Lots of people use 3rd party DNS (for different reasons, including redundancy,

    What endelwar is saying seems to be the opposite information. I had believed what you said was correct, but cpanel was not providing the keys needed for the TXT record.

    Any help is appreciated. Thank you.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    DKIM has public and private keys rather than simply the TXT records. SPF is not the same as DKIM in how it works. SPF only has TXT records without keys being used. The keys should be stored on the server handling the DNS to function properly. You shouldn't be able to set up DKIM on a machine that isn't actually going to handle the DNS. It would be tainting the entire purpose of DKIM.
     
  6. John W

    John W Member

    Read Tristan's first sentence again and the key is having backend access to your DNS. My DNS is at Softlayer only and I added the TXT records for DKIM, which I'm guessing you just did with SPF. I did exactly as endelwar stated and just cut and pasted in. I found some helpful info at http://www.unlocktheinbox.com/ which was suggested by someone else here. They have an email address mailtest@unlocktheinbox.com that will give you a nice bounceback with results.

    One thing is to read the cpanel info on DKIM and carefully read the DKIM and domainkey info on unlocktheinbox. Realize they are not the same and you'll pass DKIM but not domainkey which 11.32 no longer supports from my understanding. Wikipedia has some good info too.

    Seems like a lot of work to send email.
     
  7. vissa

    vissa Well-Known Member

    Straight from WikiPedia

    cPanelTristan,

    With all due respect, since the 'permanent' public key is what's part of the DNS records, I do not understand your stance that the DNS server must be on the same physical mail server (my server). It makes no sense. It appears all I have to do (as others above have stated) is add the public key as part of the DNS record (on a 3rd party DNS server, if they allow that -- which many do). The DNS public key, of course, has to be generated by cPanel on my server and then I have to use that data to make the change of DNS records. cPanel still has to send emails with DKIM data (private key in each email), of course. What is wrong with this logic? All cPanel has to do is tell us what the records for the DNS should be when we turn DKIM on.
     
    #7 vissa, Apr 6, 2012
    Last edited: Apr 6, 2012
  8. vissa

    vissa Well-Known Member

    Well, I did just as endelwar said and added the domainkeys record from /var/named/website to my 3rd party (external) DNS records... Now cPanel says "Status: Enabled & Active (DNS Check Passed)". Just waiting for the DNS record to propagate so I can test if mail servers say I've passed their DKIM test. Fingers crossed!
     
  9. vissa

    vissa Well-Known Member

    I just tested it with hotmail and other email testers (viewing headers to see if DKIM check passed)... Guess what, it passed! That means you *CAN* have 3rd party DNS server (like bulkregister, enom, etc) and still use DKIM. Worked FINE.. Just do as endelwar said above. Unfortunately since CPANEL doesn't give you the DNS entry, you have to dig through the config files.. Maybe cpanel will easily provide them in the future.
     
  10. kpmedia

    kpmedia Well-Known Member

    Sorry, but that's completely false.

    cPanel is the only panel -- the ONLY piece of software, in fact -- that tries to force users to use on-server DNS when using DKIM or DomainKeys. The truth is that the signing of mail happens on the server, but the retrieval of keys is via DNS. And on any DNS location.

    Why cPanel chooses to make using DKIM hard on customers is a nuisance. I sometimes get the impression that cPanel doesn't understand what DKIM really is. Plesk is superior, when it comes to the way the DomainKey feature works.

    I'm still aggravated that the recent DomainKeys was dropped for DKIM, when using both would have been more appropriate. Both are still used.
     
  11. cPanelNick

    cPanelNick Administrator
    Staff Member

    Sorry for the confusion here. I've opened (and completed the code for) case 58733 to display the raw DKIM record in the UI. It's been sent off to code review.
     
  12. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Update: Case 58733 is resolved in version 11.32.3.15 and later
     
  13. xyloweb

    xyloweb Registered

    I have found that most of the time (for me), the DKIM key is not shown in Email Authentication.
    Out of about 10 domains, all except one say "Enabled & Active (DNS Check Passed)". Only one shows the TXT record like this:

    Warning: cPanel is unable to verify that this server is an authoritative nameserver for mywebsite.org. [?]
    Your current raw DKIM record is:
    default._domainkey IN TXT "v=DKIM1; k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPinz2nrlYY8aNZUdMAD4g7u83P0XsA+Ff3AG2cLMuYx2ddflNc9V5LLLOeq1nvf51/v3GE82aNbOc0xUJpmeOV6KWOtbMx0v0vDnYk5dMBIgObs9VhFGRh0FO+gPo4ddQIDAQAB;"

    I have posted a recipe for getting DKIM set up in another thread:
    http://forums.cpanel.net/f43/dkim-recipe-3rd-party-external-dns-295051.html
     
    #13 xyloweb, Sep 16, 2012
    Last edited: Sep 16, 2012
  14. oosterhuisD

    oosterhuisD Registered

    Correct, this approach works just fine. You can actually retrieve the DNS entry without going through the config files. It's found in Mail->Email Authentication. Before you have the DKIM properly set up, it will show the current DKIM record that your cPanel server wants to advertise (but it is not the DNS server for your domain). Copy that to a TXT entry in A (on the authoritative DNS server) and it will work.
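
Added example, not part of any post above and not cPanel code: a Python sketch of the check this thread describes, pulling the default._domainkey TXT record out of a BIND zone file, joining its quoted chunks, and sanity-checking the value before it is pasted into an external DNS provider. The zone excerpt is constructed around the record quoted in post #13, the helper names are illustrative, and the 1024-bit floor follows RFC 8301.

```python
import base64
import re

# Constructed zone excerpt (illustrative helper names below). The key is the record
# quoted in this thread, split into two strings the way BIND stores long TXT data.
SAMPLE_ZONE = '''\
mywebsite.org. 14400 IN TXT "v=spf1 +a +mx ~all"
default._domainkey 14400 IN TXT ( "v=DKIM1; k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPinz2nrlYY8aNZUdMAD4g7u83P0XsA+"
    "Ff3AG2cLMuYx2ddflNc9V5LLLOeq1nvf51/v3GE82aNbOc0xUJpmeOV6KWOtbMx0v0vDnYk5dMBIgObs9VhFGRh0FO+gPo4ddQIDAQAB;" )
'''

def extract_dkim_txt(zone_text, selector="default"):
    """Join the quoted strings of the <selector>._domainkey TXT record ('' if absent)."""
    pat = r'^%s\._domainkey\S*\s.*?\bTXT\b(.*?)(?=^\S|\Z)' % re.escape(selector)
    m = re.search(pat, zone_text, re.M | re.S)
    return "".join(re.findall(r'"([^"]*)"', m.group(1))) if m else ""

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict; whitespace inside values is dropped."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus inside a base64 SubjectPublicKeyInfo (p= tag)."""
    der = base64.b64decode(p_b64, validate=True)
    spki, _ = _tlv(der, 0)          # outer SEQUENCE
    _, alg_end = _tlv(der, spki)    # AlgorithmIdentifier, skipped
    bits, _ = _tlv(der, alg_end)    # BIT STRING; first byte is the unused-bit count
    key, _ = _tlv(der, bits + 1)    # RSAPublicKey SEQUENCE
    start, end = _tlv(der, key)     # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt, min_bits=1024):
    """Return a list of problems found in a DKIM TXT value (empty list means OK)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 tag missing")
    if not tags.get("p"):
        problems.append("p= is empty (revoked key or truncated paste)")
    elif rsa_modulus_bits(tags["p"]) < min_bits:
        problems.append("RSA key shorter than %d bits" % min_bits)
    return problems
```

On the sample record `check_record` reports a short key, because the modulus in the quoted record is 768 bits.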
     