SOLVED Error in DKIM core record

Discussion in 'E-mail Discussion' started by meeven, Jun 2, 2018.

  1. meeven

    meeven Well-Known Member

    I was checking email delivery for a new account I had set up on a cPanel VPS and found that the outgoing email sent from an email account on the VPS and received at my Gmail GSuite account showed a DKIM fail in the headers - the email landed in my GSuite spam folder as the SPF record was in place.

    Checking the DKIM core at dkimcore.org, I get the following message:

    The parsing error highlights the first quote of the record before the letter v. Also, it seems to me the record contains the public key (p=), so it's not clear why the checker says it's not there.

    Finally, I have never understood why the DKIM keys generated in cPanel have a long string after the end quote - part in the above record that starts with 072 after the end quote and ends in QAB\;. Should I add this in the DNS record, or not?

    Any help would be appreciated very much.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @meeven,

    Is email sent from your cPanel server relayed through another server?

    That appears to be a false positive. There's a thread on this topic, with a user-submitted workaround if you want to pass the test on that website, at:

    Example DKIM record that does not fail

    We split the DKIM record into 255-byte chunks by design. RFC 1035 specifies that character strings must be split up into chunks of 255 or fewer octets. This can lead to issues when manually pasting the DKIM record into a remote DNS server's interface. Here are a couple of threads you may find helpful to get the record added properly on a remote DNS server:

    SOLVED - Is DKIM possible if I'm not running DNS locally?
    DKIM Core Key valid when checked but not when added to DNS

    Thank you.
     
  3. meeven

    meeven Well-Known Member

    @cPanelMichael, thank you for the suggestions.

    To answer your question, the email is sent from the cPanel server, not relayed through another server.

    About the DKIM record generated by cPanel, after checking the two links you mentioned, here's what's not clear to me, yet. Sorry if I sound dense, but I hope you can clear these up for me:
    • Should I remove the second double quote from the middle of the key and add it to the end, after the \;?
    • Should I remove the space after the second double quote from the middle of the key?
    • Should I remove the trailing \ and semicolon at the end of the key?
    Here's the key I shared originally:

     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @meeven,

    You shouldn't have to alter the DKIM record at all if the DNS for the domain is hosted by the cPanel server. The instructions on how to alter the record are only applicable if the domain name's DNS records are hosted externally and the remote DNS server does not accept the record as-is. Can you confirm if that's the case, and if so, let us know where the domain's DNS is hosted?

    Thank you.
     
  5. meeven

    meeven Well-Known Member

    Hello @cPanelMichael, the domain's DNS is hosted at Linode; some other domains have their DNS at Route53 and EasyDNS. Thanks to your links, I did a bit of testing and was able to have the DKIM keys authenticate successfully.

    To anyone else who may come across this thread, here's a summary of DKIM config on cPanel:
    • If your domain's DNS is hosted by the cPanel server, there's pretty much nothing to do. You are set if you see the DKIM check pass.
    • If your domain's DNS is hosted externally, here's what should be modified in the DKIM key generated by cPanel:
      • Remove the trailing backslash and semicolon at the end of the key such that your key always ends with the letters QAB
      • Remove the end quote in the DKIM key generated by cPanel (occurs somewhere in the middle of the key)
      • Remove the empty space between the end quote and the next letter
      • Copy the entire string, starting from v=DKIM and ending with QAB, into the 'Value' field of the DNS TXT record. The 'Name' field of the DNS record should have 'default._domainkey' in it (without the single quotes, of course)
      • Depending upon your external DNS provider, you may need to wrap the DKIM key string within double quotes, just like cPanel, or exclude the double quotes - Linode DNS manager, for example, doesn't need the double quotes and adds them behind the scenes.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @meeven,

    I'm glad to see you were able to get it sorted out. Thank you for sharing the outcome and workaround instructions.
     
  7. jcalvert

    jcalvert Registered

    I also encountered this bug with how WHM displays the domain key TXT record in the DNS zone. In my case, I had to copy the contents of that record so that my client could paste it into his Cloudflare account's DNS zone. This approach didn't work at all, because the contents of the domain key TXT record shown by WHM are totally incorrect. My solution was to find the directory where the domain keys are stored in CentOS and grab the public key from there. Then I pasted this into the "p=" part of the TXT record, to be used at Cloudflare. Once I did this, a test email to a Gmail account immediately reported that DKIM was correct. Here is the directory where the domain keys are stored: /var/cpanel/domain_keys.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @jcalvert,

    The TXT record for DKIM will look different in the DNS zone because we split the record into 255-byte chunks due to RFC 1035 specifying that character strings must be split up into chunks of 255 or fewer octets.

    Thus, let's say the public key found in /var/cpanel/domain_keys/public/domain.tld looks like this:

    Code:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYP
    LjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4
    P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29Wg
    zgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1o4d5tiBqPb/1z8uxWDQ
    xrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5g
    zX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3
    mwIDAQAB
    -----END PUBLIC KEY-----
    The TXT entry in the DNS zone on the cPanel server (corresponding to what appears in the cPanel and WHM UI) will look like this:

    Code:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYPLjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29WgzgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1" o4d5tiBqPb/1z8uxWDQxrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5gzX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3mwIDAQAB\;
    Oftentimes a third-party DNS provider will automatically split the TXT record using their own internal functionality, and thus they require you to enter the record in its raw form (so their system can split the record up for you). Since cPanel & WHM is providing you with the record that's already split up, their interface won't accept it. The method you used to obtain the key in its raw form from /var/cpanel/domain_keys/public/domain.tld for use in the TXT record is a valid workaround, and matches what CloudFlare suggests at:

    How do I add DKIM records?

    Thank you.
     
    Samet Chan likes this.
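
The two routes to the unsplit TXT value described in posts 5 and 8 above (joining the split display form, and building the value from the PEM public key), as an added example that is not part of the original thread and is not cPanel's code. The function names are hypothetical, the sample key is constructed placeholder data, and `cpanel_display` only imitates the split form quoted in the thread.

```python
import base64
import binascii
import re

PREFIX = "v=DKIM1; k=rsa; p="
# Constructed sample: 294 placeholder bytes, the DER size of a 2048-bit RSA public key.
_B64 = base64.b64encode(bytes(i % 251 for i in range(294))).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(re.findall(".{1,64}", _B64))
              + "\n-----END PUBLIC KEY-----\n")

def pem_to_value(pem):
    """Raw TXT value from a PEM public key: drop the armor lines, join the base64."""
    lines = (line.strip() for line in pem.splitlines())
    return PREFIX + "".join(s for s in lines if s and not s.startswith("-----"))

def split_chunks(value, size=255):
    """RFC 1035 character-strings: each piece holds at most 255 octets."""
    return [value[i:i + size] for i in range(0, len(value), size)]

def cpanel_display(value):
    """Constructed imitation of the split form quoted in the thread."""
    first, *rest = split_chunks(value)
    return '"' + first + '" ' + "".join(rest) + "\\;"

def unsplit(record):
    """Apply the thread's manual steps to recover the single-string form."""
    s = record.strip()
    s = s[:-1] if s.endswith('"') else s    # closing quote, when the last chunk is quoted
    s = s[:-2] if s.endswith("\\;") else s  # trailing backslash and semicolon
    s = s[1:] if s.startswith('"') else s   # opening quote
    s = re.sub(r'"\s+"?', "", s)            # quote and gap between chunks
    return s.replace("\\;", ";")            # zone-file escaping of other semicolons

def public_key_ok(value):
    """True if the tag list has v=DKIM1 and a p= tag that is clean base64."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return False
    return tags.get("v") == "DKIM1" and len(key) > 0

if __name__ == "__main__":
    raw = pem_to_value(SAMPLE_PEM)
    shown = cpanel_display(raw)
    print([len(c) for c in split_chunks(raw)])
    print(public_key_ok(shown), public_key_ok(unsplit(shown)))
```

Pasting the split form into a field that expects one string leaves a quote and a space inside the p= tag, which is why a strict parser rejects it while the unsplit value passes.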
  9. jcalvert

    jcalvert Registered

    @cPanelMichael, thanks. The problem seems to be that CloudFlare doesn't allow the split form of the record on input. I would say that a good UI would allow either the split form or the unsplit form. WHM does it right.
     