Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is DKIM still relevent?

Discussion in 'E-mail Discussions' started by keat63, Apr 25, 2017.

Tags:
  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    884
    Likes Received:
    25
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Today as a security test on our staff, I decided to spoof an email, to see if they could spot the fake.
    It seems for what ever reason, i must have previously disabled DKIM/SPF, as worryingly the spoof got through unchallenged.

    Why is DKIM/SPF not part of the standard exim config, I know we used to use it, so I can only assume I disabled it for a reason.

    is there an alternative to check the authenticity of a sending address ?
     
    #1 keat63, Apr 25, 2017
    Last edited: Apr 25, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    While setting up the DKIM records is important to ensure remote mail servers can verify those records, you have to enable the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you want SPF/DKIM records verified on incoming email:

    "Allow DKIM verification for incoming messages"
    "Reject DKIM failures"

    As far as additional features, note that you can configure DMARC records for your domain names as of cPanel version 64:

    Thank you.
     
    linux4me2 likes this.
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    884
    Likes Received:
    25
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I previously disabled DKIM as it was tagging legitimate email.
    Maybe we have some customers who use mail forwarding services or something.

    So the story goes, that I successfully spoofed a financial transaction, it was so accurate, that worryingly no one in the organisation picked up that it was indeed a spoof.
    I need to come up with a method whereby DKIM failures are flagged rather than rejected.

    Would something like CSF MailScanner do this ?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    While unsupported, you could enable "Allow DKIM verification for incoming messages" and leave "Reject DKIM failures" disabled if you wanted to setup your own custom Exim configuration that performs another action (e.g. redirect, filter):

    57. Support for DKIM (DomainKeys Identified Mail)

    As far as MailScanner, you'd need to check with their support team to verify what options are available with the application.

    Thank you.
     
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    884
    Likes Received:
    25
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I checked with MailScanner and it doesn't perform what I'd hoped.

    Today, I had to disable DKIM as it was blocking legitimate email.
    Our insurance advisor uses outlook.com, but send his emails from hisdomain.com
    DKIM was rejecting his email.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    While it might not offer the same level of protection for validating individual emails, you may find the Greylisting feature offers some protection from emails sent from non-legitimate mail servers. Per it's description:

    When enabled, the mail server will temporarily reject any email from a sender the server does not recognize. If the email is legitimate, the originating server will try again after a delay. After sufficient time has elapsed, the server will accept the email.

    It's documented at:

    Greylisting - Documentation - cPanel Documentation

    Thank you.
     
Loading...

Share This Page