DKIM signed domain hosted by another provider?

[CoyoteKG]

Hello,

we just migrated emails via imapsync from Inmotion Hosting to HostGator.
But for now we will leave domain at Inmotion. Both servers are with cPanel installed.
New server is with cPanel 68

I set A and MX record to point to new server

Under Mail Authentication DKIM and SPF are enabled.

I found this guide
Using DKIM & With Third Party DNS « HostGator.com Support Portal

And did everything. Sent mail to my gmail account, found header, edited txt record on domain which is still on Inmotion.
But when I test with mail-tester or [email protected] I'm getting that DKIM is not valid, and DKIM check: permerror
Also mxtoolbox report more syntax errors. One of them is that "v" tag can't be 1, but DKIM1

So, by this previous guide i set record. And there is no "p" tag.
It is something like this (from mail-tester)

   v=1;
   a=rsa-sha256;
   q=dns/txt;
   c=relaxed/relaxed;
   d=somesite.com;
   s=default;
   h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
   bh=jtEBTnlh/aEAkbWi4QPa6XB9Q8ixWH+EtBXeEcEWpa8=;
   b=u+psPQLtiTTL0euU6skeb9+b0/NwF0YfOuq/Jde21+HV6Fk7tCK8lZcu4RKhYt9y2x6r0IvXFilEsDlMCGoOLaKC0FJIu/J0fX6x4Nt+IRS4veQBnfEjKkNy1JJ2OYp0OIFXTT08BPNt+0G/aCWVhiu3vK2/GHqUsBdjPeuVaVFCDU7iL0sYeRltPYLge13wkyl0EuaK0lpmXJu2zeKxFuM9NkzIoaw9XymXVoa/OdSxbcjVUcTnkO2NsM+PFbtMCW2jZOmWQ8aEBHRO/sou75rnsVljO5kYPlm9qYSEYRVyQJfc94t6WG+wFi/9jLxFu16m2TNL9h/0NLKrbjdmmQ==;

And "b" and "bh" tags are always different with very new sent mail.

Also, I also via ssh I found dkim public key for domain in
/var/cpanel/domain_keys/public
I cat file, and took public key, and edited TXT record to

v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxr1GRgLHjRg1zuyJdkdoHX78NYvVPQ1+P9Y9RK2pE2iLo8SELDvAWHNw1fQ/9Of4yEkH+wS39mx3Y8+BI+DXs27Yd6NmVYe82SDrivqNvLPvMuG/q8XUw0ydUoHzt6UwprB6R7WqPqoFS03w31SswEZR5Cg/Serv/lK7vGNyJVaRYsM1LmHPU8hIrZMFNOen+jRgP74eUJwY5SZUQqC9JOLS4lDo41KKVqlhOsAtkFGVtrpNUG6Pf4ApzoghIrnUCgZGUyLhmoOV7/t9kFC2pr8/uQCR+P0we4l+2fsYXTYI4JSk116hz9y9Nf9osvBfO9jErhlXgG0iKHWCCpDjRQIDAQAB

Now mxtoolbox.com reporting that dkim record is set, but mail-tester still report that dkim is not valid, and I have only 6.9 evaluation.

This is from mailtester report

The DKIM signature of your message is:

   v=1;
   a=rsa-sha256;
   q=dns/txt;
   c=relaxed/relaxed;
   d=somesite.com;
   s=default;
   h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
   bh=jtEBTnlh/aEAkbWi4QPa6XB9Q8ixWH+EtBXeEcEWpa8=;
   b=u+psPQLtiTTL0euU6skeb9+b0/NwF0YfOuq/Jde21+HV6Fk7tCK8lZcu4RKhYt9y2x6r0IvXFilEsDlMCGoOLaKC0FJIu/J0fX6x4Nt+IRS4veQDnfEjKkNy1JJ2OYp0OIXTK08BPNt+0G/aCWVhiu3vK2/GHqUsBdjPeuVaVFCDU7iL0sYeRltTYLge13wkyl0EuaK0lpmXJu2zeKxFuM9NkzIoaw9XygXVoa/OdSxbcjVUcTnkO2NsM+PFbMCW2jZOmWQ8aEBHRO/sou75rnsPljO5Plm9qYSEYRVyQJfc94t6WG+wFi/9jLxFu16m2TNL9h/0NLKrbjdmmQ==;
  
Your public key is:

"v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxr1GRgLHjRg1zuyJoHX78NYvVPQ1+P9Y9RK2pE2iLo8SELDvAWHNw1fQ/9Of4yEkH+wS39mx3Y8+BI+DXs27Yd6NmVYe82SDrivqNvLPvMuG/q8XUw0ydUoHzt6wprB6R7WqPqoFS03w31SswEZR5Cg/Serv/lK7vGyJVaRYsM1LmHPU8hIrZMFNOen+jRgP74eUJwY5SZUQqC9JOLS4lDo41KKVqlhOsAtkFGVtrpNUG6Pf4ApzoghIrnUCgZGUyLhmoOV7/t9kFC8/uQCR+P0we4l+2fsYXTYI4JSk116hz9y9Nf9osvBfO9rhlXgG0iKHWCCpDjRQIDAQAB"
Key length: 2048bits

Your DKIM signature is not valid

So my emails are still not signed with "p" tag, and it is different from dkim public key for that domain.
How to fix this problem, and have outgoing emails properly signed?
Thx,
Davor

 

[cPanelLauren]

Hello,


To confirm you've added the new/correct public key where DNS for the domain is hosted? (where the nameservers are pointed to)

When you email Gmail in the headers of the message do they indicate the DKIM passed or failed?

Thank you,

 

[CoyoteKG]

Hello,
like I already mentioned, domain is on old provider, Inmotion. I edited DNS Zone via cPanel installed on Inmotion hosting. Nameservers are not changed.

Also, domain zone changes are propagated. New mail server works correcty. All changes with my lot tries to edit DKIM, every time are quickly propagated, and I was able to see changes via mxtoolbox and mail-tester

DKIM is Failed
SPF and DMARC are passed

Regards

 

[cPanelLauren]

Hello,


Thank you for checking, I wanted to ensure that mail-tester wasn't cached to an old entry. Because both servers are cPanel servers, what is the result you get when you allow cPanel to automatically create the DKIM entry on the inmotion cPanel server? Right now based off what you're saying you're copying the public key from the new server to the old one.

Thank you,

 

[CoyoteKG]

Hi, thank you for quick response,

On Inmotion panel cPanel server was already created DKIM entry. I did not used it, because I supposed that new server will have another public key.

Maybe I was understandable, but I did not copied that DKIM value from old to new, not vice versa.

Reading Hostgator's guide I mentioned in first post, I found that the only way if domain is hosted by 3rd DNS service, there is no way to get DKIMvalue, and the only way is read header in received mail. Like I did via gmail.
But that value is different every time when mail is sent...

Reading your question I figured now that somehow I need to create DKIM entry? It is not enough to enable in Email Authentication pane?
Need to say that I'm new with cPanel, until now I used Plesk only.

 

[cPanelLauren]

Hello,


The Hostgator article assumes the server is not a cPanel server. Because in your case both servers are cPanel server's I believe the DKIM record should be created on the Inmotion server. To automatically create the DKIM record you can go to cPanel>>Email>>Mail Authentication and enable DKIM (or disable then re-enable) to create the DKIM

Please also ensure that you don't have multiple DKIM records, you might want to remove any that are present from the DNS zone file for the domain on the InMotion cPanel server prior to beginning.

Thank you,

 

[CoyoteKG]

Hi,

OK, so I'm wrongly guessed that mail server which sending mails, somehow signs e-mails, and that signature need to be set in domain TXT record.

I'll try like you suggested.

Thank you.

 

[cPanelLauren]

Hello,

The TXT record is a DNS entry so the MX server wouldn't have anything to actually do with it if the DNS isn't hosted where MX is. Please update us with the outcome!


Thank you,