Outlook.com mail gets rejected due to DKIM check

rhm.geerts

Hello.

Since recently (I don't know exactly when) it's not possible to receive emails from outlook.com, and so also not from Office 365 customers.
The cause is that the pub-key is not available:
Code:
rejected DKIM : DKIM: encountered the following problem validating outlook.com: pubkey_unavailable
We also have this on our DA servers with almost the same notice:
Code:
(EUR01-DB5-obe.outbound.protection.outlook.com) [40.92.64.40] Warning: DKIM: Invalid. reason='pubkey_unavailable'.  May be a temporary problem.
However, there the mails are not rejected.

We do have this setting enabled:
"Reject mail at SMTP time if the sender fails DKIM key validation."
Is there a way to keep this enabled, but not reject mail only when the pubkey is not available?
 

cPanelMichael

Hello @rhm.geerts,

Can you open a support ticket so we can take a closer look at an affected system? You can post the ticket number here and we'll link this thread to it.

Thank you.
 

cPanelMichael

Hello @rhm.geerts,

Thank you for opening the support ticket.

To update, here's a summary of the workaround provided by the Technical Analyst assigned to the ticket:

It appears that Outlook.com does not publish a DKIM DNS record:

========================================
$ dig default._domainkey.outlook.com TXT +short
$
========================================

It is likely that the body of messages sent via Outlook.com is signed using DKIM, but without the DNS record, it will not be possible to look up the public key. Reviewing online resources, I found that Gmail messages likely suffer the same issue:

Accept or not to accept DKIM signed emails on my smtp server which source DNS don't has signature

I would suggest you add outlook.com to the "Only-verify-recipient" access list in the Exim Configuration Manager - Basic Editor. You can read more about this option here:

Exim Configuration Manager - Basic Editor - Version 78 Documentation - cPanel Documentation

Additionally, an issue where custom changes made through WHM >> Exim Configuration Manager >> Advanced Editor conflict with how the option is saved in WHM >> Exim Configuration Manager >> Basic Editor was also discovered. This particular issue is discussed on the following thread:

In Progress - [CPANEL-17032] Exim Configuration Manager - conflicting values in Basic and Advanced Editor

Thank you.
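
Added example, not part of any post in this thread: per RFC 6376 a verifier queries the TXT record at `<s>._domainkey.<d>`, using the `s=` (selector) and `d=` (domain) tags of the message's own DKIM-Signature header, so that is the name to check with dig when diagnosing `pubkey_unavailable`. The message, selector and key records below are constructed samples, and the function names are this example's own.

```python
import email
import re

# Constructed sample message: domain, selector and signature values are made up.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;\r\n"
    b"\ts=selector2019; h=From:Subject; bh=Zm9vYmFy; b=YmF6cXV4\r\n"
    b"From: alice@example.net\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body\r\n"
)


def parse_tags(value):
    """Parse an RFC 6376 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_query_names(raw_message):
    """Return the TXT name a verifier looks up for each DKIM-Signature header."""
    msg = email.message_from_bytes(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        if tags.get("s") and tags.get("d"):
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names


def classify_key_record(txt_records):
    """Classify the TXT answer for a selector: unavailable, revoked or usable."""
    for txt in txt_records:
        tags = parse_tags(txt)
        if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1":
            continue  # not a DKIM key record (for example an SPF record)
        return "revoked" if tags["p"] == "" else "usable"  # empty p= means revoked
    return "unavailable"  # no key record at this name


if __name__ == "__main__":
    for name in dkim_query_names(SAMPLE):
        print(f"dig +short TXT {name}")
    print(classify_key_record([]))
    print(classify_key_record(["v=DKIM1; k=rsa; p="]))
```

Feed `classify_key_record` the TXT strings returned by the printed dig command for a rejected message to tell a missing record apart from a revoked key.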
 

rhm.geerts

Yes thank you.

Unfortunately this workaround for the unpublished DNS record does not work:
I would suggest you add outlook.com to the "Only-verify-recipient" access list in the Exim Configuration Manager - Basic Editor.
As you can read from the rest of the ticket, this option should contain hostnames, not domain names, and it does not work with domain names like outlook.com, for example. Besides that, there are others which also have the same issue. Big ones like Gmail also do not have the DNS entry needed.
It's very odd that a company like Microsoft, which sets all kinds of rules for being able to send mail to their servers, does not abide by their own rules of perfectness and does not publish the DKIM DNS record. :)

So at this moment we decided to disable the setting entirely, which at first did not work, because of the conflicting values issue.
But this was perfectly discovered and solved by Samual, who excellently helped us.
 