SOLVED Error in DKIM core record

meeven

I was checking email delivery for a new account I had set up on a cPanel VPS and found that the outgoing email sent from an email account on the VPS and received at my Gmail GSuite account showed a DKIM fail in the headers - the email landed in my GSuite spam folder as the SPF record was in place.

Checking the DKIM core at dkimcore.org, I get the following message:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArrtYHmsizA2
+MV0ZBc1ftJDP+Cl+3AAJx97vDOkFyHf1I3J3+g4r1OxdZXKXYCNYU2YG2PvLY9qXfuRts3nTO
hVcLCc7maNrJduLNqdQxwJmLhTF4lnBwOoSJmNsRjTDTJBdRnYITJcfI88rpnnl/rje8bPnjSL
EuwegLNAMCanVC3oJ6x68kQCxWvUiMGBOe" 072w5ZpfVqt8evZPKzMohsly5/ktRuJGyrGDdb
IT/IKYTnKmBN/gJgBKa2FP00kyrMyauBocAMyCGiZOkzoL+SpiBN/4bifxU/T70XPWfs1xbkyM
X9d+1PfAF0WOzrhiCKXUFDgF1DcrEqYN7izwQIDAQAB\;

This is not a good DKIM key record. You should fix the errors shown in red.

There is a parsing error at character 1 ('"')

A public-key (p=) is required
The parsing error highlights the first quote of the record before the letter v. Also, it seems to me the record contains the public-key (p=), so it's not clear why the checker says it's not there.

Finally, I have never understood why the DKIM keys generated in cPanel have a long string after the end quote - part in the above record that starts with 072 after the end quote and ends in QAB\;. Should I add this in the DNS record, or not?

Any help would be appreciated very much.
 

cPanelMichael

Hello @meeven,

> I was checking email delivery for a new account I had set up on a cPanel VPS and found that the outgoing email sent from an email account on the VPS and received at my Gmail GSuite account showed a DKIM fail in the headers - the email landed in my GSuite spam folder as the SPF record was in place.

Is email sent from your cPanel server relayed through another server?

> Checking the DKIM core at dkimcore.org, I get the following message:

That appears to be a false positive. There's a thread on this topic, with a user-submitted workaround if you want to pass the test on that website, at:

Example DKIM record that does not fail

> Finally, I have never understood why the DKIM keys generated in cPanel have a long string after the end quote - part in the above record that starts with 072 after the end quote and ends in QAB\;. Should I add this in the DNS record, or not?

We split the DKIM record into 255-byte chunks by design. RFC 1035 specifies that character strings must be split up into chunks of 255 or fewer octets. This can lead to issues when manually pasting the DKIM record into a remote DNS server's interface. Here are a couple of threads you may find helpful to get the record added properly on a remote DNS server:

SOLVED - Is DKIM possible if I'm not running DNS locally?
DKIM Core Key valid when checked but not when added to DNS

Thank you.
 

meeven

@cPanelMichael, thank you for the suggestions.

To answer your question, the email is sent from the cPanel server, not relayed through another server.

About the DKIM record generated by cPanel, after checking the two links you mentioned, here's what's not clear to me, yet. Sorry if I sound dense, but I hope you can clear these up for me:
  • Should I remove the second double quote from the middle of the key and add it to the end, after the \;?
  • Should I remove the space after the second double quote from the middle of the key?
  • Should I remove the trailing \ and semicolon at the end of the key?
Here's the key I shared originally:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArrtYHmsizA2
+MV0ZBc1ftJDP+Cl+3AAJx97vDOkFyHf1I3J3+g4r1OxdZXKXYCNYU2YG2PvLY9qXfuRts3nTO
hVcLCc7maNrJduLNqdQxwJmLhTF4lnBwOoSJmNsRjTDTJBdRnYITJcfI88rpnnl/rje8bPnjSL
EuwegLNAMCanVC3oJ6x68kQCxWvUiMGBOe" 072w5ZpfVqt8evZPKzMohsly5/ktRuJGyrGDdb
IT/IKYTnKmBN/gJgBKa2FP00kyrMyauBocAMyCGiZOkzoL+SpiBN/4bifxU/T70XPWfs1xbkyM
X9d+1PfAF0WOzrhiCKXUFDgF1DcrEqYN7izwQIDAQAB\;
 

cPanelMichael

> About the DKIM record generated by cPanel, after checking the two links you mentioned, here's what's not clear to me, yet. Sorry if I sound dense, but I hope you can clear these up for me:
>   • Should I remove the second double quote from the middle of the key and add it to the end, after the \;?
>   • Should I remove the space after the second double quote from the middle of the key?
>   • Should I remove the trailing \ and semicolon at the end of the key?

Hello @meeven,

You shouldn't have to alter the DKIM record at all if the DNS for the domain is hosted by the cPanel server. The instructions on how to alter the record are only applicable if the domain name's DNS records are hosted externally and the remote DNS server does not accept the record as-is. Can you confirm if that's the case, and if so, let us know where the domain's DNS is hosted?

Thank you.
 

meeven

> Hello @meeven,
>
> You shouldn't have to alter the DKIM record at all if the DNS for the domain is hosted by the cPanel server. The instructions on how to alter the record are only applicable if the domain name's DNS records are hosted externally and the remote DNS server does not accept the record as-is. Can you confirm if that's the case, and if so, let us know where the domain's DNS is hosted?
>
> Thank you.

Hello @cPanelMichael, the domain's DNS is hosted at Linode; some other domains have their DNS at Route53 and EasyDNS. Thanks to your links, I did a bit of testing and was able to have the DKIM keys authenticate successfully.

To anyone else who may come across this thread, here's a summary of DKIM config on cPanel:
  • If your domain's DNS is hosted by the cPanel server, there's pretty much nothing to do. You are set if you see the DKIM check pass.
  • If your domain's DNS is hosted externally, here's what should be modified in the DKIM key generated by cPanel:
    • Remove the trailing backslash and semicolon at the end of the key such that your key always ends with the letters QAB
    • Remove the end quote in the DKIM key generated by cPanel (occurs somewhere in the middle of the key)
    • Remove the empty space between the end quote and the next letter
    • Copy the entire string, starting from v=DKIM and ending with QAB into the 'Value' field of the DNS TXT record. The 'Name' field of the DNS record should have 'default._domainkey' in it (without the single quotes, of course)
    • Depending upon your external DNS provider, you may need to wrap the DKIM key string within double quotes, just like cPanel, or exclude the double quotes - Linode DNS manager, for example, doesn't need the double quotes and adds them behind the scenes.
 

cPanelMichael

Hello @meeven,

I'm glad to see you were able to get it sorted out. Thank you for sharing the outcome and workaround instructions.
 

jcalvert

I also encountered this bug with how WHM displays the domain key TXT record in the DNS zone. In my case, I had to copy the contents of that record so that my client could paste it into his Cloudflare account's DNS zone. This approach didn't work at all, because the contents of the domain key TXT record shown by WHM are totally incorrect. My solution was to find the directory where the domain keys are stored in CentOS and grab the public key from there. Then I pasted this into the "p=" part of the TXT record, to be used at Cloudflare. Once I did this, a test email to a Gmail account immediately reported that DKIM was correct. Here is the directory where the domain keys are stored: /var/cpanel/domain_keys.
 

cPanelMichael

Hello @jcalvert,

The TXT record for DKIM will look different in the DNS zone because we split the record into 255-byte chunks due to RFC 1035 specifying that character strings must be split up into chunks of 255 or fewer octets.

Thus, let's say the public key found in /var/cpanel/domain_keys/public/domain.tld looks like this:

Code:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYP
LjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4
P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29Wg
zgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1o4d5tiBqPb/1z8uxWDQ
xrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5g
zX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3
mwIDAQAB
-----END PUBLIC KEY-----
The TXT entry in the DNS zone on the cPanel server (corresponding to what appears in the cPanel and WHM UI) will look like this:

Code:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYPLjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29WgzgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1" o4d5tiBqPb/1z8uxWDQxrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5gzX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3mwIDAQAB\;
Oftentimes a third-party DNS provider will automatically split the TXT record using their own internal functionality, and thus they require you to enter the record in its raw form (so their system can split the record up for you). Since cPanel & WHM is providing you with the record that's already split up, their interface won't accept it. The method you used to obtain the key in its raw form from /var/cpanel/domain_keys/public/domain.tld for use in the TXT record is a valid workaround, and matches what CloudFlare suggests at:

How do I add DKIM records?

Thank you.
 
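The two workarounds in this thread (cleaning up the displayed zone record, and rebuilding the record from the PEM file) as an added Python example; it is not cPanel's code or any poster's. It also checks that `p=` is valid base64 DER and re-splits the value into 255-octet strings. The function names are hypothetical; the key is the sample key quoted above.

```python
import base64

# Sample public key quoted in the thread (/var/cpanel/domain_keys/public/domain.tld).
PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYP
LjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4
P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29Wg
zgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1o4d5tiBqPb/1z8uxWDQ
xrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5g
zX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3
mwIDAQAB
-----END PUBLIC KEY-----"""

def record_from_pem(pem):
    """Build the raw TXT value from the PEM file: drop the armor lines, join the rest."""
    body = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return "v=DKIM1; k=rsa; p=" + "".join(body)

def check_record(tags):
    """Reject a record a verifier could not use."""
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        raise ValueError("missing v=DKIM1 or p=")
    der = base64.b64decode(tags["p"], validate=True)  # raises on stray characters
    if der[0] != 0x30:  # DER SEQUENCE tag: start of SubjectPublicKeyInfo
        raise ValueError("p= is not a DER-encoded public key")

def record_from_zone_display(shown):
    """Undo the zone-file presentation: quotes, chunk gaps, line wraps, escaped ';'."""
    text = shown.replace("\\;", ";").replace('"', "")
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # base64 padding may contain '='
            tags[name.strip()] = "".join(value.split())  # drop whitespace inside values
    check_record(tags)
    return "; ".join(f"{k}={v}" for k, v in tags.items())

def txt_chunks(record, size=255):
    """Split for DNS hosts that want explicit strings of <=255 octets (RFC 1035)."""
    return [record[i:i + size] for i in range(0, len(record), size)]

RAW = record_from_pem(PEM)
# Constructed input: the shape cPanel/WHM displays, rebuilt from the key above.
SHOWN = '"{}" {}\\;'.format(*txt_chunks(RAW))
```

`record_from_zone_display(SHOWN)` and `record_from_pem(PEM)` return the same string, which is the value to paste when the DNS host does its own splitting.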