SOLVED Is DKIM possible if I'm not running DNS locally?

ItsMattSon

Well-Known Member
Sep 5, 2016
176
37
103
Perth
cPanel Access Level
Root Administrator

Hi guys,

Things to keep in mind:
1. I'm not running a DNS server locally as I choose not to. I use my registrar's DNS management tool on their end to achieve my DNS requirements.

My question is when I add the TXT record into Namecheap's DNS tool, where do I find the DKIM Public Key on my server?

I looked in WHM's "Edit DNS Zone" area and used that (below) in a TXT record (default._domainkey), but I'm not sure whether that's correct/complete. The whole thing, or just up to a certain part?

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3y4yF9c3qwUj57rbFaEKpipd3ZmTjNg8oiVgFY7io2zxbfamzivfvoNMPQImjBjUpBmbb0IV9dTWe8ynZ9gymzJ9S6VGFcBGFdPB/On29zMkLesiyHnntWRg2HuyWLQ41NDl1qrYY7pF4veDoFDeeu50zwnNElCvg90Gx+TupmJerMIJz0s2Jx+IHQg" Y+1W13VzfAfDLFJNPPYJXv7TbY4+WXs1oEhzGAZPaaTIy6lYH38Hj/QQAt2Zq4pwyOhhCyUQWmqIb757CZSQiQx8qFugRMVpA1YGAAu5lHeQD7Jo1ju0FR7bJ7bJGRHHCCxzgj0UwYFtwBtL/lj2QIDAQAB\;

Please note that I have tried copy/pasting the whole lot into my TXT record but Namecheap cuts it off at the bolded character. I have no idea why it does though :/
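As an added example, not code from cPanel or from anyone in this thread, here is a small standard-library Python checker for the record that WHM's "Edit DNS Zone" displays. It does what a verifier does with the TXT answer: joins the quoted strings (a TXT record is one or more strings of at most 255 octets each, which is why a 2048-bit key, whose p= value alone is 392 base64 characters, is shown as two quoted strings and trips up registrar editors that expect one), strips the `\;` escaping cPanel's editor shows, parses the tags, and decodes p= far enough to report the RSA key size, so you can confirm the key you published is the one the server holds. It also builds the name the record must live at, either fully qualified or as the zone-relative label a registrar "Host" field wants. The function names are this example's own; the sample key is the 1024-bit public key posted later in this thread.

```python
import base64
import re

# Added example (not cPanel code): sanity-check the DKIM TXT record that WHM's
# "Edit DNS Zone" shows before pasting it into a registrar's DNS editor.
# Standard library only; all function names are this example's own.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

# A TXT RR holds one or more <character-string>s of at most 255 octets each
# (RFC 1035 s3.3.14); DKIM verifiers concatenate them (RFC 6376 s3.6.2.2).
TXT_STRING_MAX = 255


def dkim_owner_name(selector: str, domain: str, zone_relative: bool = False) -> str:
    """Where the record must live: <selector>._domainkey.<domain>.

    Registrar editors that append the zone to a "Host" field want only the
    zone-relative label; entering the full name there publishes the key at
    <selector>._domainkey.<domain>.<domain>, which no verifier queries.
    """
    label = f"{selector}._domainkey"
    return label if zone_relative else f"{label}.{domain}"


def join_txt_strings(strings) -> str:
    """Concatenate a TXT RR's character-strings and undo the backslash-escaped
    semicolons (\\;) that cPanel's zone editor displays."""
    return "".join(strings).replace("\\;", ";")


def parse_dkim_record(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace is dropped."""
    tags = {}
    for field in record.split(";"):
        if field.strip():
            name, _, value = field.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(p_b64: str) -> tuple:
    """Decode p= (a base64 SubjectPublicKeyInfo, RFC 6376 s3.6.1) and return
    (modulus_bits, public_exponent) without third-party libraries."""
    der = base64.b64decode(p_b64, validate=True)
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg_id, pos = _der_tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("p= is not an rsaEncryption key")
    tag, bits, _ = _der_tlv(spki, pos)              # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)           # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(rsa_pub, 0)          # INTEGER modulus
    _, e_bytes, _ = _der_tlv(rsa_pub, pos)          # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def check_dkim_record(strings) -> dict:
    """Validate a DKIM record given as the list of strings in its TXT RR."""
    tags = parse_dkim_record(join_txt_strings(strings))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled here")
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= revokes the key)")
        return {"ok": False, "problems": problems, "tags": tags}
    bits, exponent = rsa_key_info(tags["p"])
    if bits < 1024:
        problems.append(f"{bits}-bit key is below the 1024-bit minimum of RFC 8301")
    return {"ok": not problems, "bits": bits, "exponent": exponent,
            "problems": problems, "tags": tags}


def split_for_registrar(record: str, limit: int = TXT_STRING_MAX) -> list:
    """Break a long record into <=255-octet strings for editors that reject or
    truncate longer values; a 2048-bit key's record (about 410 chars) needs this."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


# Sample input: the 1024-bit public key published later in this thread.
SAMPLE_P = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRPHwLRb6jdxSFbTMWX8UsNH8CM4yrB0p5A3YH4q"
    "NLh79TmLhnUdc6Glnh6Mb3Xyj/5/VFBUexmObObPV9CshvtmTskTrlQX0/f6NxGvc700wj0vLtIrecuN"
    "esHrvdM9JEe5dkx3SfkKt8eIbbyP+LegKypeOxbjJefDhD0oEBtQIDAQAB"
)

if __name__ == "__main__":
    record = "v=DKIM1; k=rsa; p=" + SAMPLE_P
    print(dkim_owner_name("default", "domain.tld"), check_dkim_record([record]))
    for chunk in split_for_registrar(record):
        print(f'"{chunk}"')
```

To compare what DNS serves against what the server holds, feed the strings from `dig +short TXT default._domainkey.domain.tld` to `check_dkim_record` and compare `tags["p"]` with the p= value in WHM's zone view; if the registrar needs the record in pieces, `split_for_registrar` gives the strings to paste, and the verifier joins them again.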
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
ItsMattSon said:
> Please note that I have tried copy/pasting the whole lot into my TXT record but Namecheap cuts it off at the bolded character. I have no idea why it does though :/

Hi Matt,

This is actually a known issue when attempting to add a DKIM TXT record generated through cPanel via NameCheap's DNS record editor. There's a thread on this topic that should help at:

Generate 1024-bit DKIM keys

Thanks!
 

ItsMattSon

Thank you so much! That explains everything :)

As you mentioned in that thread, cPanel updates overwrite the DKIM.pm file (understandably), but if I edit it and generate a key, does that key get overwritten also? Or on a cycle? (Happy to manually update my DKIM keys periodically.)
 

ItsMattSon

Disregard that last message, as I used this post from that thread instead of the original poster's advice, and I'm confident it has achieved what I needed :)

But my query still stands around overwrites of keys: do the keys at /var/cpanel/domain_keys/private/domain.tld get overwritten with each cPanel update, or periodically rotated by cPanel for security reasons? I just need to know if I have to keep up with those.
 

cPanelMichael

ItsMattSon said:
> But my query still stands around overwrites of keys: do the keys at /var/cpanel/domain_keys/private/domain.tld get overwritten with each cPanel update, or periodically rotated by cPanel for security reasons? I just need to know if I have to keep up with those.

The keys within the /var/cpanel/domain_keys/private/ directory are only overwritten if you disable and then re-enable DKIM on the cPanel account. They are otherwise left in their original state.

Thank you.
 

ItsMattSon

Fantastic. That's what I wanted to hear ^_^

Interestingly, I think part 2 of my issue is that my emails (sent from RoundCube webmail) don't appear to be "signed" so they don't pass DKIM tests on mail-tester.com, verifier.port25.com or dkimvalidator.com. There definitely doesn't appear to be a DKIM-Signature header in the mail I send anyway.

Is there a way to determine whether they are being signed other than when sent to one of those sites?

And additionally is there a way to determine whether the signature is valid?

According to cPanel, under Email > Authentication, the status of DKIM is "Status: Enabled Active (DNS Check Passed)".

Also worth keeping in mind: emails from the server itself (such as cron emails or notifications from csf/lfd) have no DKIM-Signature header either, if that helps.

Any ideas where to start?
 

cPanelMichael

ItsMattSon said:
> Interestingly, I think part 2 of my issue is that my emails (sent from RoundCube webmail) don't appear to be "signed" so they don't pass DKIM tests on mail-tester.com, verifier.port25.com or dkimvalidator.com. There definitely doesn't appear to be a DKIM-Signature header in the mail I send anyway.

Is your email routed through a smart host, or an email relay server (providers such as GoDaddy often do this)?

You may also find a utility like this helpful when attempting to verify a DKIM record:

DKIM Core Tools

Thank you.
 

ItsMattSon

Ah yes, the old "being with GoDaddy" being the probable cause, haha. You're right, actually: I am, and you appear to be spot-on about it being why, as I found another thread on here (the OP was with GoDaddy) which helped me know where to look. Thanks for mentioning the relay/smart host, which GoDaddy does indeed use.

I had to go into WHM > Exim Configuration Manager > Advanced Editor and I modified the ROUTERSTART section from remote_smtp to dkim_remote_smtp, as follows:

send_to_smart_host:
driver = manualroute
route_list = !+local_domains dedrelay.secureserver.net
transport = dkim_remote_smtp

Note: I didn't add dedrelay.secureserver.net but it looks to be accurate, as per this knowledge article.

So after changing the transport, my emails are now signed. They don't validate though, unfortunately. I'm still working on that part.

Any ideas welcome! Bearing in mind that my private key in /var/cpanel/domain_keys/private/domain.tld is a 1024-bit key now (since NameCheap doesn't allow the default cPanel 2048-bit key).

Code:
DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=domain.tld; s=default; h=Message-ID:Subject:To:From:Date:
    Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
    List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
     bh=9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=; b=BvPOS+Ce3/hTdL3tjQ6e/b9lQ
    KB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ
    NkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=;


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          domain.tld
s= Selector:        default
q= Protocol:        dns/txt
bh=                 9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=
h= Signed Headers:  Message-ID:Subject:To:From:Date:
    Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
    List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
b= Data:            BvPOS+Ce3/hTdL3tjQ6e/b9lQ
    KB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ
    NkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=
Public Key DNS Lookup

Building DNS Query for default._domainkey.domain.tld
Retrieved this publickey from DNS:
Validating Signature

result = invalid
Details: public key: not available

Thanks very much in advance!
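As an added example, not cPanel's or Exim's code, the following Python reads the DKIM-Signature value posted above and performs the structural checks a verifier makes before it fetches the key: that From is among the signed headers, that bh= is a 32-byte SHA-256 digest, and which TXT name (s._domainkey.d) the verifier will query, so a "public key: not available" result can be traced to DNS rather than to the signature. It also implements the relaxed body canonicalization from RFC 6376, so the bh= of a message you sent to yourself can be recomputed from its body with no key at all. The re-folding of the header with tab and CRLF is an assumption (the forum rendering lost the original folding), the function names are this example's own, and checking b= itself, which needs the public key and the exact headers as sent, is not attempted here.

```python
import base64
import hashlib
import re

# Added example (not cPanel or Exim code): first-pass checks on a DKIM-Signature
# header copied from a sent message, done locally before using a test site.
# Checking b= needs the public key and the exact headers as sent; bh= and the
# structural checks below need no key.

# The DKIM-Signature value posted in this thread, re-folded with tab + CRLF
# (assumed; the forum rendering did not preserve the original folding).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n"
    "\td=domain.tld; s=default; h=Message-ID:Subject:To:From:Date:\r\n"
    "\tContent-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:\r\n"
    "\tContent-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:\r\n"
    "\tResent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:\r\n"
    "\tList-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;\r\n"
    "\tbh=9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=; b=BvPOS+Ce3/hTdL3tjQ6e/b9lQ\r\n"
    "\tKB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ\r\n"
    "\tNkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=;"
)


def parse_dkim_signature(value: str) -> dict:
    """Unfold the header and split it into tag=value pairs (RFC 6376 s3.2);
    whitespace inside a value is folding whitespace and is discarded."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for field in unfolded.split(";"):
        if field.strip():
            name, _, val = field.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 s3.4.4 relaxed body canonicalization: runs of WSP become one
    SP, trailing WSP is removed per line, trailing empty lines are dropped,
    lines end in CRLF, and an empty body stays empty."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= value for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def signature_report(value: str) -> dict:
    """The checks a verifier makes before fetching the key, plus the TXT name
    it will query (RFC 6376 s6.1.1 and s6.1.2)."""
    tags = parse_dkim_signature(value)
    problems, raw = [], {}
    if tags.get("v") != "1":
        problems.append("v= must be 1")
    if tags.get("a") != "rsa-sha256":
        problems.append("expected a=rsa-sha256 (rsa-sha1 is obsolete, RFC 8301)")
    if not tags.get("d") or not tags.get("s"):
        problems.append("d= and s= are required")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        problems.append("h= must include From (RFC 6376 s5.4)")
    for tag in ("bh", "b"):
        try:
            raw[tag] = base64.b64decode(tags.get(tag, ""), validate=True)
        except ValueError:
            raw[tag] = b""
            problems.append(f"{tag}= is not valid base64")
    if len(raw["bh"]) != 32:
        problems.append("bh= must be a 32-byte SHA-256 digest")
    return {
        "dns_name": f"{tags.get('s')}._domainkey.{tags.get('d')}",
        "signed_headers": signed,
        "signature_bytes": len(raw["b"]),      # equals the RSA modulus size in bytes
        "problems": problems,
        "tags": tags,
    }


def body_hash_matches(value: str, body: bytes) -> bool:
    """Recompute bh= from the body as received (c=*/relaxed only) and compare;
    a mismatch means the body changed after signing."""
    tags = parse_dkim_signature(value)
    canon = tags.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) > 1 else "simple") != "relaxed":
        raise ValueError("only relaxed body canonicalization is implemented here")
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    report = signature_report(SAMPLE_SIGNATURE)
    print("verifier will query TXT", report["dns_name"])
    print(report["signature_bytes"] * 8, "bit signature; problems:", report["problems"])
    print("bh= for an empty body:", body_hash(b""))
```

Run against the header above, the report finds no structural problems, names default._domainkey.domain.tld as the record to query, and decodes the 172-character b= to 128 bytes, i.e. the signature came from a 1024-bit key, which matches the key size mentioned in this thread; the "public key: not available" result therefore points at the DNS record, not at the signing.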
 

ItsMattSon

ItsMattSon said:
> So after changing the transport, my emails are now signed. They don't validate though, unfortunately. I'm still working on that part.
>
> result = invalid
> Details: public key: not available

Sorted! Thanks very much @cPanelMichael - very helpful as always :)

In the past, for troubleshooting, I set my TXT record to default._domainkey.domain.tld which obviously isn't what it looks for. I removed the domain.tld so it's just default._domainkey as the host in the record and now the DKIM shows as pass.

Code:
Public Key DNS Lookup

Building DNS Query for default._domainkey.domain.tld
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRPHwLRb6jdxSFbTMWX8UsNH8CM4yrB0p5A3YH4qNLh79TmLhnUdc6Glnh6Mb3Xyj/5/VFBUexmObObPV9CshvtmTskTrlQX0/f6NxGvc700wj0vLtIrecuNesHrvdM9JEe5dkx3SfkKt8eIbbyP+LegKypeOxbjJefDhD0oEBtQIDAQAB
Validating Signature

result = pass
 

cPanelMichael

ItsMattSon said:
> In the past, for troubleshooting, I set my TXT record to default._domainkey.domain.tld which obviously isn't what it looks for. I removed the domain.tld so it's just default._domainkey as the host in the record and now the DKIM shows as pass.

Hi Matt,

I'm happy to see it's all sorted! Thanks for sharing the solution.
 