DKIM signature is sometimes invalid

Discussion in 'E-mail Discussion' started by Luka Mrovlje, Jan 29, 2019.

  1. Luka Mrovlje

    Luka Mrovlje Registered

    Joined:
    Jan 29, 2019
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Viladecans, Catalunya
    cPanel Access Level:
    Root Administrator
    I am running the currently stable cPanel v76+, with exim 4.91. DNS is hosted on Cloudflare and I can mostly successfully send properly DKIM-signed emails with a score of 10/10 on mail-tester.com. But sometimes messages from the exact same email result in an invalid DKIM signature according to Gmail and mail-tester.com, and I cannot figure out why.

    Manually comparing valid and invalid DKIM email headers shows this. In the copy-paste of the headers I've hidden the domain; it is the correct one in the headers received by Gmail or mail-tester.com.

    Valid DKIM signature:
    v=1;
    a=rsa-sha256;
    q=dns/txt;
    c=relaxed/relaxed;
    d=hidden.tld;
    s=default;
    h=List-Unsubscribe:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=033XepfoqR3mPbERwV3ZBIINwWfhsAr6KS/n+cYEm/g=;
    b=BvdRcfqrdKcX5/c10pr8IeLNvq7U1VL8w5qRaHfwsyFRS+bvfKI4tLa+tX+0kuMpChVK5I2k1vcfj2BZPu2JEnvPLF8SSShjmYeMvBY8wCQbTfNq5YMl9fFluxTt5bi2G2MhdeSRxsURQ/W6l+Rtbbp/unPOpoOfq+tCbUha4c0KdlpJO6ArhyffcuNiJlzy8iAZNDbo6x6gxG+olS4Gbh9x96HN8tlLJw3bhvg2l17pPXnLwQALN5z7R7fE0RVefjLOGw/11SYJBAxKyZfhbyNZXNE5vbb3dKv8JLU34dJSHsotq+2z5SvIuIJG3nXlGir60EU/7a9HGa40BMrRDQ==;

    This key is obtained from a DNS query to validate the email as valid:

    "v=DKIM1;
    k=rsa;
    p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsBIqubAjZEgzpGB5qC9KZhhKpGbevYtQXI+0opmGaoiPYlRPGY4UEe157LJRWrv4RdO31jErFV7jmI6nkdk0dqFQM8gIoMFC8vmNNzp3vZrionAgsGMqS7EyuFxcWCqZPBLCigFb5CanPGgNou3qaqxsGHQnjem6HQTRzKa6Pu4M31uUJyrW5wJ7JTKxfNmzJ5a8r/rFH0IDfziJOzpihkO+97nSGcEIhtCFKsL2+TKDJGACN0c3YY4MOv3yazM/MlmTp/QVaA9xKBbOp5UueDKkTPB0nK/kldR4rx21vltX65yWaM2fbUwx7aPFCpM0pOQ7ah/g6N09mhalzY5UwIDAQAB;
    "



    The same message, with only a short time difference, validates as an invalid DKIM signature:
    v=1;
    a=rsa-sha256;
    q=dns/txt;
    c=relaxed/relaxed;
    d=hidden.tld;
    s=default;
    h=List-Unsubscribe:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=Rds/2G37+Wp1V7pPNyNErWIEGvOJ9zA7A8qhkd4nCuE=;
    b=E6x5aGoU0tlqnVw9W53yUQYOMDP9RDra9GhdVzyWBwM+1m5VNq12EdIzYaYexoTPryF26mNogfJ5cyYMTDZdoPbqNuhzGoVsHCdNncQhwbQHErf5d2/R0XbYbmWb+i9V6KI8qyo0Ps89pxuknJB1F9Ffpn63YhXo1errdZcgjvkC/umCUq57KSQTWD7CmCDwJ85HFBv9wXYpY1g+7H5Kk+H9zaJLxt7ofAfRRei7EpDEtwWyG8+YaxxVFWgDhjJ/o8IKwpuHybhHxxXhfNCUtz7i8Am2At/awVep4aN9g+nAgxNbIOFeCOQA5j+E3W3hS38/Ft8NwdU7JxIlYKTMXA==;

    This key is obtained from a DNS query to validate the email as invalid:

    "v=DKIM1;
    k=rsa;
    p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsBIqubAjZEgzpGB5qC9KZhhKpGbevYtQXI+0opmGaoiPYlRPGY4UEe157LJRWrv4RdO31jErFV7jmI6nkdk0dqFQM8gIoMFC8vmNNzp3vZrionAgsGMqS7EyuFxcWCqZPBLCigFb5CanPGgNou3qaqxsGHQnjem6HQTRzKa6Pu4M31uUJyrW5wJ7JTKxfNmzJ5a8r/rFH0IDfziJOzpihkO+97nSGcEIhtCFKsL2+TKDJGACN0c3YY4MOv3yazM/MlmTp/QVaA9xKBbOp5UueDKkTPB0nK/kldR4rx21vltX65yWaM2fbUwx7aPFCpM0pOQ7ah/g6N09mhalzY5UwIDAQAB;
    "


    I have ruled out the DNS server, as I have complete trust in Cloudflare. Could it be exim's fault?
     
  2. Luka Mrovlje

    cPanel and Cloudflare have just one DKIM signature in their domain zone, with key default._domainkey.
     
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,254
    Likes Received:
    479
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Luka Mrovlje


    This doesn't actually sound possible from Cloudflare or cPanel; the DKIM signature sent is not changed. If the record is not modified and sometimes it is being accepted and sometimes not, it sounds more like an issue on the recipient side, especially if you've double-checked the DKIM signature with mail tester and mxtoolbox.
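
The two DKIM-Signature headers quoted in this thread share the same selector, the same h= list and the same published key, and differ only in bh= and b=. A useful first check on a failing message is therefore whether the body as received still hashes to the bh= value in its signature. The sketch below is an added example, not code from the thread, from cPanel or from exim; it assumes a=rsa-sha256 with relaxed body canonicalization (as in the headers above), and the sample body, the `example.test` domain and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace inside b=/bh= is not part of the base64 data.
            strip_all = name.strip() in ("b", "bh")
            tags[name.strip()] = re.sub(r"\s+", "", val) if strip_all else val.strip()
    return tags

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of space/tab to one space, drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    canon = relaxed_body(body)
    if length is not None:              # l= tag: only the first l octets are hashed
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def diagnose(sig_value: str, received_body: bytes) -> str:
    tags = parse_dkim_tags(sig_value)
    if tags.get("a") != "rsa-sha256" or not tags.get("c", "").endswith("/relaxed"):
        return "unsupported: this sketch handles rsa-sha256 with a relaxed body only"
    length = int(tags["l"]) if "l" in tags else None
    if body_hash(received_body, length) != tags.get("bh"):
        return "bh mismatch: the body changed after signing"
    return "bh ok: look at the signed headers (h=) and the published key"

# Constructed sample (not from the thread): a body and a signature whose bh= matches it.
SAMPLE_BODY = b"Hello,\r\n\r\nYour order has shipped.  \r\n\r\n"
SAMPLE_SIG = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.test; "
              "s=default; h=From:To:Subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(diagnose(SAMPLE_SIG, SAMPLE_BODY))
    print(diagnose(SAMPLE_SIG, SAMPLE_BODY + b"-- \r\nFooter added by a relay\r\n"))
```

Feed it the DKIM-Signature value and the raw body (everything after the first blank line) of a message saved with "Show original"; a bh mismatch points at something rewriting the body between signing and delivery, while a matching bh narrows the failure to the signed headers or the key lookup.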
     