Is Cpanel's DKIM signing feature not compatible with "hidden master" DNS config?

dezignguy

Well-Known Member
Sep 26, 2004
533
0
166
I'm having similar DKIM issues as the OP in this thread - except I haven't connected the problem to EA4 updates, which I do manually. Timeouts are frequent for the validity checks, and I can reload the Email Deliverability page 3 times, and will likely get 2 failures, and then one will be perfectly fine. Do another 3 reloads, and 2 loads will be fine, and one will tell me that DKIM signatures are missing - even though they do exist. Mostly it's the DKIM signatures that turn up missing, but sometimes the PTR checks will fail as well. I've only seen the SPF check fail a few times though.

It seems like it's just an almost nightly issue that my domain's DKIM signatures are randomly disabled. This DKIM instability makes my email horribly unreliable, as various large email services block or junk my outgoing emails apparently because of the inconsistency in antispam measures. I have to go into the domain's Email Deliverability page in cPanel and then get the popup that informs me that the DKIM signatures were found to be disabled, and it has now re-enabled them.

The OP in the previous post has mentioned that disabling IPv6 has apparently resolved their issues. I have done the same, disabling both IPv6 for bind itself, and then disabling it on the system - CentOS 7.8 with WHM v86.0.21 . However, I'm still seeing frequent timeouts in Email Deliverability.

I think I started noticing most of these issues after switching to a "hidden master" DNS config. This is where the public DNS servers are separate from the system itself, however I still run bind, and the visible nameservers (which are a 3rd party DNS provider) are actually slaves for my master dns server that is local - on the server. So external DNS queries do not come to the master - which is why it's called a hidden master. I'm wondering if this nameserver config is just not compatible with cPanel's DKIM feature?

To be clear, I'm not seeing any issues with DNS anywhere else, it's only cPanel. I can use dig and nslookup, and get pretty fast responses, including from my own (publicly visible) nameservers. I'm using Cloudflare's public dns resolvers. Response times from my nameservers can vary a bit though, I've noticed - though I don't think they are particularly slow. My DNS provider is tested to have an average response time of around 40 msec - some are faster and some are slower. So does cPanel expect my external nameservers to always be faster than around 40 msec, and times out if any response takes longer than that?

So, I'd really like to know how to totally disable cPanel's "helpful" DKIM validation checking, as it causes way more problems for me than it solves. My DKIM config is good, the DNS config is good, and I manage it and know it's going to stay that way for a good while, so the constant checking by cPanel does nothing for me except disable my working DKIM config when I don't want it.

And then, some help in figuring out the underlying cause for why this happens, and apparently only from cPanel's Email Deliverability feature, would also be appreciated.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Like the OP of that other thread, this is something that would be most efficiently looked at by our analysts who would have access to your server. There are just too many variables and working parts.