KIMKOLM
Member, joined Sep 29, 2020, Milford CT
cPanel Access Level: DataCenter Provider
I have a customer that, first of all, uses third-party DNS.

They want to have two DKIM records: one for their email with us and one for their email with another company.

Within cPanel, the DKIM record selector is "default".

They want a config with s1 and s2 for their two records, but within cPanel there is no way to change it from "default".

Is there a way to manually change the record, or to allow users to change the selector from "default" to s1?

sparek-3
Well-Known Member, joined Aug 10, 2002
cPanel Access Level: Root Administrator
Exim on your cPanel server will only sign outgoing messages with the default DKIM key.

I assume the user is wanting to send out mail from their domain name using a third party (i.e. not your server) SMTP server. And that SMTP service is wanting to sign the messages with a specific DKIM key.

In that case the user needs to add the DKIM public key to the domain's DNS. The third party email service should provide this.

And since you state that the customer is using third party DNS... I don't really know how you're involved in this.

The DNS entry needs to be made at the DNS service that is handling DNS for the domain name.

If that third-party DNS service doesn't have the public DKIM key for the domain that your server signs messages with, then all messages sent from your server under that domain name are going to fail DKIM.

KIMKOLM
They want to use ours as well as another email server...

So the other would be primary and then ours would be backup...

But they can't both have "default" for the DKIM selector; they need s1 and s2 or something similar...
 

sparek-3
Somebody's not understanding something correctly. And it may be me.

End users don't have anything to do with DKIM signing messages. DKIM signing is done at the MTA level.

It really doesn't matter what selector is used by the MTA, just so long that the appropriate public key is stored in the respective selector DNS record.

The ONLY way that "default" would interfere here is if an end user is wanting to send out mail through two SMTP servers and both MTAs are signing messages with a "default" selector. I can't imagine that happens very often though.

You keep saying that the user has to use s1 and s2 selectors. Why?

Your cPanel server is going to create a private DKIM key to sign messages with.

Your cPanel server is going to add the appropriate default._domainkey public key TXT record into the DNS server on the server or in the DNS cluster.

When the user sends out mail through your cPanel server those messages are going to get signed with that private DKIM key and have the "default" selector added into the headers.

A mail server that receives this message is going to read the DKIM header in the message, find that it's using the example.tld domain name and the "default" selector, and compare the designated headers hashed with the public key in your default._domainkey record for example.tld against the hash presented in the headers. If they match, then DKIM is successful.

If example.tld is not using DNS servers designated by the cPanel server - then that DNS server isn't going to automatically get the default._domainkey public key TXT record. This would need to be added manually.

Either way, the end user that sent the mail is oblivious to what selector is used when sending out mail through your server.

The second SMTP server that they are sending messages out through will have to use a different selector than "default" (or a different domain name). If that service is designating s1 or s2 as their selector, that's fine and does not interfere at all with your cPanel DKIM.

You just need to add the respective s1._domainkey or s2._domainkey public key into the domain's DNS, wherever that DNS may be hosted (and if that is your responsibility).

The only time this would create a collision issue is if you are using two SMTP services that are signing messages with different keys but the same selector. You can't do that (I don't think): https://datatracker.ietf.org/doc/html/rfc6376/#section-3.6.2.2

But as long as each SMTP service the domain uses is using a different selector, it won't matter. You just have to have the corresponding public key for each selector in the domain's public DNS.
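The lookup path described in the two replies above, written out as an added example (this is not code from the thread, from cPanel or from Exim): it parses a DKIM-Signature header to derive the `selector._domainkey.domain` name a receiver queries, checks that name against a DNS zone, builds the TXT record (split into 255-octet strings) to add when the record is missing, and flags the collision case from RFC 6376 section 3.6.2.2, where one selector under one domain is backed by two different keys. The domain `example.tld`, the selectors `default` and `s1`, the headers, the zone contents and the key bytes are all constructed sample data; the byte strings stand in for real DER-encoded public keys, and no signature is cryptographically verified here.

```python
# Added example, not code from the thread or from cPanel. Walks the DKIM
# selector logic discussed above over constructed sample data.
import re
from base64 import b64encode


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Folding whitespace
    inside a value is dropped, so a header wrapped over several lines parses."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(dkim_signature):
    """The DNS name a verifier queries: <s= tag>._domainkey.<d= tag>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def dkim_txt_value(public_key_der):
    """TXT value for a selector record: v=DKIM1; k=rsa; p=<base64 public key>."""
    return "v=DKIM1; k=rsa; p=" + b64encode(public_key_der).decode()


def zone_line(name, txt_value):
    """Zone-file line for the record. A single TXT string is limited to 255
    octets, so a long key is split into several quoted strings."""
    chunks = [txt_value[i:i + 255] for i in range(0, len(txt_value), 255)]
    return f"{name}. IN TXT " + " ".join(f'"{c}"' for c in chunks)


def lookup_status(dkim_signature, zone):
    """Simulate the receiver's key lookup against a zone (dict name -> TXT).
    Returns (name, 'found' | 'missing' | 'malformed')."""
    name = key_record_name(dkim_signature)
    txt = zone.get(name)
    if txt is None:
        return name, "missing"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return name, "malformed"
    return name, "found"


def with_key_record(zone, domain, selector, public_key_der):
    """Return a copy of the zone with the selector's public key record added."""
    new_zone = dict(zone)
    new_zone[f"{selector}._domainkey.{domain}"] = dkim_txt_value(public_key_der)
    return new_zone


def selector_collisions(signers):
    """signers: list of (host, domain, selector, public_key_der). A collision is
    one selector under one domain backed by more than one distinct key, which
    RFC 6376 section 3.6.2.2 does not allow. Maps record name -> hosts sharing it."""
    keys_by_name = {}
    for host, domain, selector, key in signers:
        keys_by_name.setdefault(f"{selector}._domainkey.{domain}", {})[key] = host
    return {name: sorted(hosts.values())
            for name, hosts in keys_by_name.items() if len(hosts) > 1}


# Constructed sample data. The byte strings stand in for real DER-encoded
# RSA public keys; the headers stand in for what each MTA would add.
DOMAIN = "example.tld"
CPANEL_KEY = b"constructed-cpanel-public-key"
VENDOR_KEY = b"constructed-vendor-public-key"
CPANEL_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.tld; s=default;\r\n"
              "\th=from:to:subject:date; bh=QUJD; b=REVG")
VENDOR_SIG = "v=1; a=rsa-sha256; d=example.tld; s=s1; h=from:to; bh=QUJD; b=REVG"

# The third-party zone as it often looks: the vendor's s1 key was added when
# the account was set up, the cPanel default key was never copied over.
VENDOR_ZONE = {"s1._domainkey.example.tld": dkim_txt_value(VENDOR_KEY)}

if __name__ == "__main__":
    for sig in (CPANEL_SIG, VENDOR_SIG):
        print(lookup_status(sig, VENDOR_ZONE))
    fixed = with_key_record(VENDOR_ZONE, DOMAIN, "default", CPANEL_KEY)
    print(lookup_status(CPANEL_SIG, fixed))
    print(zone_line("default._domainkey.example.tld",
                    fixed["default._domainkey.example.tld"]))
    print(selector_collisions([("cpanel", DOMAIN, "default", CPANEL_KEY),
                               ("vendor", DOMAIN, "default", VENDOR_KEY)]))
    print(selector_collisions([("cpanel", DOMAIN, "default", CPANEL_KEY),
                               ("vendor", DOMAIN, "s1", VENDOR_KEY)]))
```

Run as a script it shows the cPanel-signed message failing the key lookup against the vendor's zone, the same message passing once `default._domainkey.example.tld` is added, the zone-file line to add, and a collision only when both hosts sign as `default`. Against a live zone you would replace the zone dict with a TXT query for the name `key_record_name` returns; the `p=` value pasted into the third-party DNS panel must match what cPanel generated for the domain, character for character.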