Per Hlom

Registered
Apr 30, 2016
1
0
1
Italy
cPanel Access Level
Website Owner
MODERATOR NOTE: We've removed this post as there should no longer be issues with 2048 keys. If you're seeing an issue with that key length please let us know the specific issues you're running into so we can investigate that.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

I've moved this thread to our "Workarounds" forum. Keep in mind that cPanel updates will overwrite the /usr/local/cpanel/Cpanel/DKIM.pm file, so you may need to manually patch it after each update until a resolution is reached on the remote DNS provider's interface.

Thank you.
 

letmein

Registered
Oct 27, 2014
2
3
53
cPanel Access Level
Root Administrator
Although my external DNS servers accept 2048 bit keys perfectly, I noticed that Microsoft (live.com, hotmail.com, etc.) is unable and/or unwilling to verify 2048 bit keys (dkim=temperror), which forced me to lower the size of DKIM keys for domains that use online mail forms.

To avoid having to edit certain settings after updates, I use this method to create keys per domain:
  1. in the user's home directory, generate a 1024 bit private and public key:
    Code:
    # openssl genrsa -out private.key 1024
    # openssl rsa -in private.key -pubout -out public.key
  2. backup your old key:
    Code:
    # mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domaint.tld.old
  3. move the newly generated private key to its proper location:
    Code:
    # mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld
  4. set ownership and permissions:
    Code:
    # chown root:mail /var/cpanel/domain_keys/private/domain.tld
    # chmod 640 /var/cpanel/domain_keys/private/domain.tld
  5. update your DNS record with the new public key that you will find in public.key:
    Code:
    # cat public.key

Tested on CentOS 6.8 x86_64 with cPanel 60.0 (build 26).
 

lapsutrix

Registered
Aug 7, 2016
4
0
1
vietvam
cPanel Access Level
Root Administrator
Hi letmein
Thank for that. following this, everything is ok now but when i do the email to gmail.com i see the error "DKIM: NEUTRAL with domain null"
I have tested with dkimcore.org/c/keycheck, it is ok

do you know where is the problem how can i check on it?

thanks
 
Last edited by a moderator:

letmein

Registered
Oct 27, 2014
2
3
53
cPanel Access Level
Root Administrator
I have tested with dkimcore.org/c/keycheck, it is ok
I wouldn't rely on just one test. You can verify your settings with multiple parties like dkimvalidator.com and mail-tester.com. Enabling and keeping an eye on DMARC-reports may also provide more insight.

Based on the single error (generated by which party? Google? what do other receiving parties say?) you posted, my guess would be that your SMTP does not sign your outgoing mails correctly or does not sign them at all.
 
Last edited by a moderator:
  • Like
Reactions: KaiserTom

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Yes, it looks like a typo by the original poster. That should show "1024".

Thank you.
 

KaiserTom

Registered
Jan 17, 2018
2
3
3
UK
cPanel Access Level
Root Administrator
Thank you @letmein this has solved a problem we've been having for some time now.

Although my external DNS servers accept 2048 bit keys perfectly, I noticed that Microsoft (live.com, hotmail.com, etc.) is unable and/or unwilling to verify 2048 bit keys (dkim=temperror), which forced me to lower the size of DKIM keys for domains that use online mail forms.

To avoid having to edit certain settings after updates, I use this method to create keys per domain:
  1. in the user's home directory, generate a 1024 bit private and public key:
    Code:
    # openssl genrsa -out private.key 1024
    # openssl rsa -in private.key -pubout -out public.key
  2. backup your old key:
    Code:
    # mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domaint.tld.old
  3. move the newly generated private key to its proper location:
    Code:
    # mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld
  4. set ownership and permissions:
    Code:
    # chown root:mail /var/cpanel/domain_keys/private/domain.tld
    # chmod 640 /var/cpanel/domain_keys/private/domain.tld
  5. update your DNS record with the new public key that you will find in public.key:
    Code:
    # cat public.key

Tested on CentOS 6.8 x86_64 with cPanel 60.0 (build 26).
 
  • Like
Reactions: letmein

cPanelFelipe

Member
Staff member
Apr 10, 2013
21
14
128
Just to float an idea, do eNom et al. handle ed25519 keys in DKIM?

There is no standard for ECDSA keys in DKIM, but ed25519 would provide key sizes that easily fit within a DNS character-string, which I assume is the problem with 2,048-bit RSA in DKIM.
 

Gabriele Lo Surdo

Registered
May 30, 2021
1
2
0
Milan, Italy
cPanel Access Level
Root Administrator
I solved my issues with hover.com (not supporting 2048-bit records) following a slightly modified version of the @letmein instructions.

Please find below the commands I used. Replace "user" and "domain.tld" with your username and your domain.

Code:
cd /home/user
Code:
openssl genrsa -out private.key 1024
Code:
openssl rsa -in private.key -pubout -out public.key
Code:
mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domain.tld.old
Code:
mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld
Code:
mv /var/cpanel/domain_keys/public/domain.tld /var/cpanel/domain_keys/public/domain.tld.old
Code:
mv /home/user/public.key /var/cpanel/domain_keys/public/domain.tld
Code:
chown root:mail /var/cpanel/domain_keys/private/domain.tld
Code:
chmod 640 /var/cpanel/domain_keys/private/domain.tld
After entering all these commands go to your Cpanel dashboard, click on "Email Deliverability", and then on the "Manage" button next to your domain name. There you can find the DKIM record details.
 

siteturbo

Registered
Aug 20, 2021
1
0
0
Fort Worth, TX
cPanel Access Level
Root Administrator
I solved my issues with hover.com (not supporting 2048-bit records) following a slightly modified version of the @letmein instructions.

Please find below the commands I used. Replace "user" and "domain.tld" with your username and your domain.

Code:
cd /home/user
Code:
openssl genrsa -out private.key 1024
Code:
openssl rsa -in private.key -pubout -out public.key
Code:
mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domain.tld.old
Code:
mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld
Code:
mv /var/cpanel/domain_keys/public/domain.tld /var/cpanel/domain_keys/public/domain.tld.old
Code:
mv /home/user/public.key /var/cpanel/domain_keys/public/domain.tld
Code:
chown root:mail /var/cpanel/domain_keys/private/domain.tld
Code:
chmod 640 /var/cpanel/domain_keys/private/domain.tld
After entering all these commands go to your Cpanel dashboard, click on "Email Deliverability", and then on the "Manage" button next to your domain name. There you can find the DKIM record details.
Worked perfectly. Thank you!!!
 
Thread starter Similar threads Forum Replies Date
S Workarounds and Optimization 3