Outlook.com mail gets rejected due DKIM check

rhm.geerts

Well-Known Member
Jul 29, 2008
99
8
58
Maastricht
cPanel Access Level
Root Administrator
Hello.

Since recently (don't know exactly when) it's not possible to receive emails from outlook.com so also not from office 365 customers.
The cause is that the pub-key is not available:
Code:
rejected DKIM : DKIM: encountered the following problem validating outlook.com: pubkey_unavailable
We also have this on our DA servers with almost the same notice:
Code:
(EUR01-DB5-obe.outbound.protection.outlook.com) [40.92.64.40] Warning: DKIM: Invalid. reason='pubkey_unavailable'.  May be a temporary problem.
However, there the mails are not rejected.

We do have this setting enabled.
Reject mail at SMTP time if the sender fails DKIM key validation.
Is there a way to keep this enabled, but don't reject mail only when pubkey is not available?
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
Hello @rhm.geerts,

Thank you for opening the support ticket.

To update, here's a summary of the workaround provided by the Technical Analyst assigned to the ticket:

It appears that Outlook.com does not publish a DKIM DNS record:

========================================
$ dig default._domainkey.outlook.com TXT +short
$
========================================

It is likely that the body of messages sent via Outlook.com are signed using DKIM, but without the DNS record, it will not be possible to look up the public key. Reviewing online resources, I found that Gmail messages likely suffer the same issue:

Accept or not to accept DKIM signed emails on my smtp server which source DNS don't has signature

I would suggest you add outlook.com to the "Only-verify-recipient" access list in the Exim Configuration Manager - Basic Editor. You can read more about this option here:

Exim Configuration Manager - Basic Editor - Version 78 Documentation - cPanel Documentation
Additionally, an issue where custom changes made through WHM >> Exim Configuration Manager >> Advanced Editor conflict with how the option is saved in WHM >> Exim Configuration Manager >> Basic Editor was also discovered. This particular issue is discussed on the following thread:

In Progress - [CPANEL-17032] Exim Configuration Manager - conflicting values in Basic and Advanced Editor

Thank you.
 

rhm.geerts

Well-Known Member
Jul 29, 2008
99
8
58
Maastricht
cPanel Access Level
Root Administrator
Yes thank you.

Unfortunately this workaround for the not published dns record does not work:
I would suggest you add outlook.com to the "Only-verify-recipient" access list in the Exim Configuration Manager - Basic Editor.
As you can read from the rest of the ticket, this option should contain hostnames, not domain names and is not working with domain names like outlook.com for example. Next to that, there are others which also have the same issue. Big ones like Gmail also is not having the dns entry needed.
It's very odd that a company like Microsoft which sets all kinds of rules to be able to send mail to their servers, do not obide their own rules of perfectness and do not publish the DKIM dns record. :)

So at this moment we decided to disable the setting in total, which at first did not work, because of the conflicting values issue.
But this was perfectly discovered and solved by Samual which excellently helped us.
 
  • Like
Reactions: cPanelMichael