The Community Forums

SOLVED Is DKIM possible if I'm not running DNS locally?

Discussion in 'E-mail Discussions' started by ItsMattSon, Mar 9, 2017.

  1. ItsMattSon

    ItsMattSon Well-Known Member

    Joined:
    Sep 5, 2016
    Messages:
    140
    Likes Received:
    29
    Trophy Points:
    28
    Location:
    Perth
    cPanel Access Level:
    Root Administrator
    Hi guys,

    Things to keep in mind:
    1. I'm not running a DNS server locally as I choose not to. I use my registrar's DNS management tool on their end to achieve my DNS requirements.

    My question is when I add the TXT record into Namecheap's DNS tool, where do I find the DKIM Public Key on my server?

    I looked in WHM's "Edit DNS Zone" area and used that (below) in a TXT record (default._domainkey) but I'm not sure whether that's correct/complete? The whole thing? or just up to a certain part?

    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3y4yF9c3qwUj57rbFaEKpipd3ZmTjNg8oiVgFY7io2zxbfamzivfvoNMPQImjBjUpBmbb0IV9dTWe8ynZ9gymzJ9S6VGFcBGFdPB/On29zMkLesiyHnntWRg2HuyWLQ41NDl1qrYY7pF4veDoFDeeu50zwnNElCvg90Gx+TupmJerMIJz0s2Jx+IHQg" Y+1W13VzfAfDLFJNPPYJXv7TbY4+WXs1oEhzGAZPaaTIy6lYH38Hj/QQAt2Zq4pwyOhhCyUQWmqIb757CZSQiQx8qFugRMVpA1YGAAu5lHeQD7Jo1ju0FR7bJ7bJGRHHCCxzgj0UwYFtwBtL/lj2QIDAQAB\;

    Please note that I have tried copy/pasting the whole lot into my TXT record but Namecheap cuts it off at the bolded character. I have no idea why it does though :/
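The completeness question in the post above can be checked offline. The following is an added example, not code from the thread or from cPanel: it joins the quoted strings of a TXT value as a zone editor displays it (each TXT string is limited to 255 bytes, so a 2048-bit record spans two), decodes `p=`, and reads the RSA modulus size from the DER, reporting a cut-off key instead of a size. All function names are hypothetical, and the sample records are constructed around a dummy modulus rather than a real key.

```python
import base64, re

def join_txt(presentation):
    """Join the quoted chunks of a zone-style TXT value and drop backslash escapes."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation) or [presentation]
    return re.sub(r"\\(.)", r"\1", "".join(chunks))

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return pos, pos + length

def rsa_key_bits(der):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag."""
    start, _ = _tlv(der, 0)                 # outer SEQUENCE
    _, alg_end = _tlv(der, start)           # AlgorithmIdentifier, skipped
    bit_start, _ = _tlv(der, alg_end)       # BIT STRING
    key_start, _ = _tlv(der, bit_start + 1) # RSAPublicKey, after unused-bits octet
    n_start, n_end = _tlv(der, key_start)   # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_dkim_record(presentation):
    """Return (verdict, key_bits) for a DKIM TXT value as a DNS editor shows it."""
    parts = (p.partition("=") for p in join_txt(presentation).split(";"))
    tags = {k.strip(): "".join(v.split()) for k, _, v in parts}
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return "not a DKIM key record", None
    try:
        return "ok", rsa_key_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):        # binascii.Error is a ValueError
        return "public key truncated or corrupted", None

def _der(tag, body):                        # DER encoder, used only to build the sample
    n = len(body)
    size = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + size + body

def constructed_record(bits):
    """Constructed sample: zone-style record around a dummy modulus (not a usable key)."""
    rsa = _der(0x30, _der(2, b"\x00" + b"\xc3" * (bits // 8)) + _der(2, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))   # rsaEncryption
    spki = _der(0x30, alg + _der(3, b"\x00" + rsa))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode() + "\\;"
    return " ".join('"%s"' % value[i:i + 255] for i in range(0, len(value), 255))
```

Calling `check_dkim_record(constructed_record(2048))` returns `("ok", 2048)`; passing only the first quoted string of that record returns the truncation verdict.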
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hi Matt,

    This is actually a known issue when attempting to add a DKIM TXT record generated through cPanel via NameCheap's DNS record editor. There's a thread on this topic that should help at:

    Generate 1024-bit DKIM keys

    Thanks!
     
  3. ItsMattSon

    Thank you so much! That explains everything :)

    As you mentioned in that thread, you said cPanel updates overwrite the DKIM.pm file (understandably) but if I edit and generate a key does that key get overwritten also? Or on a cycle? (happy to manually update my DKIM keys periodically)
     
  4. ItsMattSon

    Disregard that last message as I used this post from that thread instead of the original poster's advice and I'm confident it has achieved what I needed :)

    But my query still stands around overwrites of keys: do the keys at /var/cpanel/domain_keys/private/domain.tld get overwritten with each cPanel update, or periodically rotated by cPanel for security reasons? Just need to know if I have to keep up with those.
     
  5. cPanelMichael

    The keys within the /var/cpanel/domain_keys/private/ directory are only overwritten if you disable and then re-enable DKIM on the cPanel account. They are otherwise left in their original state.

    Thank you.
     
  6. ItsMattSon

    Fantastic. That's what I wanted to hear ^_^

    Interestingly, I think part 2 of my issue is that my emails (sent from RoundCube webmail) don't appear to be "signed" so they don't pass DKIM tests on mail-tester.com, verifier.port25.com or dkimvalidator.com. There definitely doesn't appear to be a DKIM-Signature header in the mail I send anyway.

    Is there a way to determine whether they are being signed other than when sent to one of those sites?

    And additionally is there a way to determine whether the signature is valid?

    According to cPanel, under Email > Authentication, the status of DKIM is "Status: Enabled Active (DNS Check Passed)".

    Worth keeping in mind also is that emails from the server (such as cron emails or notifications from csf/lfd) also have no DKIM-Signature header if that helps.

    Any ideas where to start?
     
  7. cPanelMichael

    Is your email routed through a smart host, or an email relay server (providers such as GoDaddy often do this)?

    You may also find a utility like this helpful when attempting to verify a DKIM record:

    DKIM Core Tools

    Thank you.
     
  8. ItsMattSon

    Ah yes, the old "being with GoDaddy" being the probable cause haha. You're right actually, I am, and you appear to be spot-on about it being why, as I found another thread on here (OP was with GoDaddy) which helped me see where to look, thanks to your mention of the relay/smart host, which GoDaddy does indeed use.

    I had to go into WHM > Exim Configuration Manager > Advanced Editor and I modified the ROUTERSTART section from remote_smtp to dkim_remote_smtp, as follows:

    send_to_smart_host:
    driver = manualroute
    route_list = !+local_domains dedrelay.secureserver.net
    transport = dkim_remote_smtp

    Note: I didn't add dedrelay.secureserver.net but it looks to be accurate, as per this knowledge article.

    So after changing the transport, my emails are now signed. They don't validate though, unfortunately. I'm still working on that part.

    Any ideas welcome! Bearing in mind that my private key in /var/cpanel/domain_keys/private/domain.tld is a 1024-bit key now (since NameCheap doesn't allow the default cPanel 2048-bit key).

    Code:
    DKIM Information:
    
    DKIM Signature
    
    Message contains this DKIM Signature:
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=domain.tld; s=default; h=Message-ID:Subject:To:From:Date:
        Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:
        Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
        Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=; b=BvPOS+Ce3/hTdL3tjQ6e/b9lQ
        KB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ
        NkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=;
    
    
    Signature Information:
    v= Version:         1
    a= Algorithm:       rsa-sha256
    c= Method:          relaxed/relaxed
    d= Domain:          domain.tld
    s= Selector:        default
    q= Protocol:        dns/txt
    bh=                 9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=
    h= Signed Headers:  Message-ID:Subject:To:From:Date:
        Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:
        Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
        Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
    b= Data:            BvPOS+Ce3/hTdL3tjQ6e/b9lQ
        KB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ
        NkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=
    Public Key DNS Lookup
    
    Building DNS Query for default._domainkey.domain.tld
    Retrieved this publickey from DNS:
    Validating Signature
    
    result = invalid
    Details: public key: not available

    Thanks very much in advance!
     
  9. ItsMattSon

    Sorted! Thanks very much @cPanelMichael - very helpful as always :)

    In the past, for troubleshooting, I set my TXT record to default._domainkey.domain.tld which obviously isn't what it looks for. I removed the domain.tld so it's just default._domainkey as the host in the record and now the DKIM shows as pass.

    Code:
    Public Key DNS Lookup
    
    Building DNS Query for default._domainkey.domain.tld
    Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRPHwLRb6jdxSFbTMWX8UsNH8CM4yrB0p5A3YH4qNLh79TmLhnUdc6Glnh6Mb3Xyj/5/VFBUexmObObPV9CshvtmTskTrlQX0/f6NxGvc700wj0vLtIrecuNesHrvdM9JEe5dkx3SfkKt8eIbbyP+LegKypeOxbjJefDhD0oEBtQIDAQAB
    Validating Signature
    
    result = pass
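The host-name mistake resolved in the post above can be caught before publishing. This is an added example, not code from the thread: it reads the `s=` and `d=` tags from a message's DKIM-Signature header (an empty result means the message is unsigned), builds the name a verifier queries, and compares it with the name a DNS editor would create. The function names are hypothetical, the sample message is constructed, and the editor behaviour (the zone is appended to any host without a trailing dot) is an assumption modelled on zone-file conventions.

```python
from email import message_from_string

def dkim_query_names(raw_message):
    """Return the DNS name a verifier queries for each DKIM-Signature header."""
    names = []
    for header in message_from_string(raw_message).get_all("DKIM-Signature", []):
        tags = {}
        for part in header.split(";"):
            key, _, val = part.partition("=")
            tags[key.strip()] = "".join(val.split())   # unfold wrapped values
        if "s" in tags and "d" in tags:
            names.append("%s._domainkey.%s" % (tags["s"], tags["d"]))
    return names

def published_name(host_field, zone):
    """Name the editor creates; assumption: zone is appended unless host ends in a dot."""
    host = host_field.strip()
    if host.endswith("."):
        return host.rstrip(".").lower()
    return ("%s.%s" % (host, zone)).lower()

def host_field_matches(raw_message, host_field, zone):
    """True if a record entered as host_field lands where a verifier will look."""
    wanted = [name.lower() for name in dkim_query_names(raw_message)]
    return published_name(host_field, zone) in wanted

# Constructed message; the s= and d= tags mirror the signature shown in the thread.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n"
    "\td=domain.tld; s=default; h=Message-ID:Subject:To:From:Date;\n"
    "\tbh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: user@domain.tld\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
```

With this sample, a host field of `default._domainkey` matches, while `default._domainkey.domain.tld` publishes `default._domainkey.domain.tld.domain.tld` and does not.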
     
  10. cPanelMichael

    Hi Matt,

    I'm happy to see it's all sorted! Thanks for sharing the solution.
     