DKIM signature is sometimes invalid

Luka Mrovlje

Registered
Jan 29, 2019
cPanel Access Level
Root Administrator
I am running the current stable cPanel v76+, with exim 4.91. DNS is hosted on Cloudflare, and most of the time I can successfully send properly DKIM-signed emails with a score of 10/10 on mail-tester.com. But sometimes messages from the exact same email address result in an invalid DKIM signature according to Gmail and mail-tester.com, and I cannot figure out why.

Manually comparing valid and invalid DKIM email headers shows this. In the copy-paste of the headers I've hidden the domain; it is the correct one in the headers received by Gmail or mail-tester.com.

Valid DKIM signature:
v=1;
a=rsa-sha256;
q=dns/txt;
c=relaxed/relaxed;
d=hidden.tld;
s=default;
h=List-Unsubscribe:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=033XepfoqR3mPbERwV3ZBIINwWfhsAr6KS/n+cYEm/g=;
b=BvdRcfqrdKcX5/c10pr8IeLNvq7U1VL8w5qRaHfwsyFRS+bvfKI4tLa+tX+0kuMpChVK5I2k1vcfj2BZPu2JEnvPLF8SSShjmYeMvBY8wCQbTfNq5YMl9fFluxTt5bi2G2MhdeSRxsURQ/W6l+Rtbbp/unPOpoOfq+tCbUha4c0KdlpJO6ArhyffcuNiJlzy8iAZNDbo6x6gxG+olS4Gbh9x96HN8tlLJw3bhvg2l17pPXnLwQALN5z7R7fE0RVefjLOGw/11SYJBAxKyZfhbyNZXNE5vbb3dKv8JLU34dJSHsotq+2z5SvIuIJG3nXlGir60EU/7a9HGa40BMrRDQ==;

This key is obtained from the DNS query to validate the email as valid:

"v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsBIqubAjZEgzpGB5qC9KZhhKpGbevYtQXI+0opmGaoiPYlRPGY4UEe157LJRWrv4RdO31jErFV7jmI6nkdk0dqFQM8gIoMFC8vmNNzp3vZrionAgsGMqS7EyuFxcWCqZPBLCigFb5CanPGgNou3qaqxsGHQnjem6HQTRzKa6Pu4M31uUJyrW5wJ7JTKxfNmzJ5a8r/rFH0IDfziJOzpihkO+97nSGcEIhtCFKsL2+TKDJGACN0c3YY4MOv3yazM/MlmTp/QVaA9xKBbOp5UueDKkTPB0nK/kldR4rx21vltX65yWaM2fbUwx7aPFCpM0pOQ7ah/g6N09mhalzY5UwIDAQAB;
"



The same message, sent only a short time later, validates as an invalid DKIM signature:
v=1;
a=rsa-sha256;
q=dns/txt;
c=relaxed/relaxed;
d=hidden.tld;
s=default;
h=List-Unsubscribe:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=Rds/2G37+Wp1V7pPNyNErWIEGvOJ9zA7A8qhkd4nCuE=;
b=E6x5aGoU0tlqnVw9W53yUQYOMDP9RDra9GhdVzyWBwM+1m5VNq12EdIzYaYexoTPryF26mNogfJ5cyYMTDZdoPbqNuhzGoVsHCdNncQhwbQHErf5d2/R0XbYbmWb+i9V6KI8qyo0Ps89pxuknJB1F9Ffpn63YhXo1errdZcgjvkC/umCUq57KSQTWD7CmCDwJ85HFBv9wXYpY1g+7H5Kk+H9zaJLxt7ofAfRRei7EpDEtwWyG8+YaxxVFWgDhjJ/o8IKwpuHybhHxxXhfNCUtz7i8Am2At/awVep4aN9g+nAgxNbIOFeCOQA5j+E3W3hS38/Ft8NwdU7JxIlYKTMXA==;

This key is obtained from the DNS query to validate the email as invalid:

"v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsBIqubAjZEgzpGB5qC9KZhhKpGbevYtQXI+0opmGaoiPYlRPGY4UEe157LJRWrv4RdO31jErFV7jmI6nkdk0dqFQM8gIoMFC8vmNNzp3vZrionAgsGMqS7EyuFxcWCqZPBLCigFb5CanPGgNou3qaqxsGHQnjem6HQTRzKa6Pu4M31uUJyrW5wJ7JTKxfNmzJ5a8r/rFH0IDfziJOzpihkO+97nSGcEIhtCFKsL2+TKDJGACN0c3YY4MOv3yazM/MlmTp/QVaA9xKBbOp5UueDKkTPB0nK/kldR4rx21vltX65yWaM2fbUwx7aPFCpM0pOQ7ah/g6N09mhalzY5UwIDAQAB;
"


I have ruled out the DNS server, as I have complete trust in Cloudflare. Could it be exim's fault?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hello @Luka Mrovlje


This doesn't actually sound possible from Cloudflare or cPanel; the DKIM signature sent is not changed. If the record is not modified and it is sometimes being accepted and sometimes not, it sounds more like an issue on the recipient side, especially if you've double-checked the DKIM signature with mail-tester and MXToolbox.
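
Added example, not part of either post and not cPanel or exim code: the two signatures quoted in the question differ in bh= and b=, and bh= can be re-checked from a received copy without the key. This Python sketch recomputes the relaxed-canonicalization body hash and reports whether the body still matches what was signed; the sample body, example.test and the placeholder b= value are constructed.

```python
import base64
import hashlib
import re

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value (tag=value; ...) into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside tag values is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (accepts LF or CRLF input)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in re.split(rb"\r?\n", body)]
    while lines and lines[-1] == b"":   # drop empty lines at the end
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, tags: dict) -> str:
    """Recompute the value a verifier compares against bh=."""
    if not tags.get("c", "").endswith("/relaxed"):
        raise ValueError("this sketch handles relaxed body canonicalization only")
    data = relaxed_body(body)
    if "l" in tags:                     # optional signed body length
        data = data[: int(tags["l"])]
    algo = tags["a"].split("-", 1)[1]   # rsa-sha256 -> sha256
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def body_intact(sig_value: str, received_body: bytes) -> bool:
    """True if the received body still hashes to the signed bh= value."""
    tags = parse_tags(sig_value)
    return body_hash(received_body, tags) == tags["bh"]

def differing_tags(sig_a: str, sig_b: str) -> list:
    """Names of tags whose values differ between two signatures."""
    a, b = parse_tags(sig_a), parse_tags(sig_b)
    return sorted(t for t in a.keys() | b.keys() if a.get(t) != b.get(t))

# Constructed sample: the body as signed, and two copies as received.
SIGNED = b"Hello  world \r\nBye\r\n\r\n"
BASE = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=default; "
SIG = BASE + "bh=" + body_hash(SIGNED, parse_tags(BASE)) + "; b=PLACEHOLDER"
REWRAPPED = b"Hello world\nBye\n"              # whitespace/line-ending changes only
FOOTER_ADDED = SIGNED + b"-- \r\nscanned\r\n"  # content appended in transit

if __name__ == "__main__":
    print(body_intact(SIG, REWRAPPED), body_intact(SIG, FOOTER_ADDED))
```

A matching bh= on a message that still fails means the failure lies in the signed header fields or the b= verification rather than in the body.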