Trouble setting up DKIM

Discussion in 'E-mail Discussions' started by Spork Schivago, Jun 5, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Hello,

    I'm having some trouble setting up DKIM for outgoing e-mails. I have proxy subdomains disabled and I have manually created some subdomains. One of these subdomains is webmail.example.com. I have my hostname configured as franklin.example.com. Here's a snippet of my DNS record:

    Code:
    example.com.    14400    IN    MX        0              webmail.example.com.
    webmail         14400    IN    A         <IPv4 address>
    webmail         14400    IN    AAAA      <IPv6 address>
    franklin        14400    IN    A         <IPv4 address>
    franklin        14400    IN    AAAA      <IPv6 address>
    
    I can post the whole DNS zone if needed, but I think those are the important ones.

    I have a reverse DNS pointer record set up through my hosting provider, which I set to webmail.example.com.

    In cPanel, under E-Mail >> Authentication, I have DKIM enabled and SPF enabled. I've tried disabling both and re-enabling both, but for DKIM, the e-mail tester I'm using says the DKIM signature failed verification. I believe I've got something configured incorrectly here, but I'm not sure what.

    This is my raw SPF record:
    Code:
    v=spf1 +a +mx +ip4:<IPv4 address> +a:franklin.example.com +ip6:<IPv6 address> ~all
    
    I believe the SPF record is correct. I'm not certain if I need franklin.example.com there, but I know my hostname sends me emails sometimes (CSF, upcp, etc), so I figured it was necessary.

    I don't know if this matters, but I use PowerDNS for my DNS server and have DNSSEC configured and enabled.

    This is what the e-mail tester I'm using says:
    Code:
    ...
    <~~ 221 ts4.checktls.com closing connection
    SPF results: code="pass", local="example.com: <IPv4 address> is authorized to use 'user@example.com' in 'mfrom' identity (mechanism 'a' matched)"
    DKIM verify: "fail (bad RSA signature)", signature="@example.com" result="fail (bad RSA signature)"
    
    Any help would be greatly appreciated.
     
  2. Spork Schivago

    Spork Schivago Well-Known Member

    I believe I fixed the issue. I didn't realize I had to set the authoritative nameservers in WHM >> IP Functions >> Configure Remote Service IPs.

    I used nslookup -type=A example.com to get an IP address of some authoritative nameserver, then I ran nslookup -type=SOA <ip address of the authoritative one> to see that there's a ns1.linode.com, ns2.linode.com, ns3.linode.com, ns4.linode.com, ns5.linode.com.

    After that, I just ping'ed and ping6'ed them to get their IP addresses. I hope they don't change over time or anything.

    Afterwards, I went back to // email / test From: and tried the test again. This time, it shows that DKIM is set up properly.

    And cPanel didn't give the warning this time when I enabled DKIM.
     
    #2 Spork Schivago, Jun 5, 2017
    Last edited: Jun 5, 2017
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.
     
  4. Spork Schivago

    Spork Schivago Well-Known Member

    If I hadn't tried disabling and reenabling DKIM, I would have totally forgotten about the message about the nameservers. Once I googled the message, I saw people that have similar trouble like me always seem to be in a similar situation, where they just never properly configured the IP addresses of the remote nameservers.

    Any way to get cPanel to link to a document that says that or to maybe include a help link that suggests the "fix" whenever someone is setting up DKIM / SPF but cPanel detects a non-authoritative nameserver?

    Also, I set up DMARC by creating a TXT DNS resource record like this:
    Code:
    "v=DMARC1; p=quarantine; aspf=r; fo=1; rf=afrf; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com;"
    
    I read up on DMARC here:
    HOWTO - Define a DMARC Record

    It shows the various tags and values that I can use. My understanding is with the p=quarantine field, e-mails that fail the DKIM / SPF will still go through, but be marked as SPAM, instead of getting rejected. The fo=1 means if either SPF or DKIM or both fail, quarantine them. fo=0 would mean both have to fail. The rf=afrf means to send the reports in the Abuse Report format, which is defined by RFC 5965. The reports get sent to postmaster@example.com.

    I couldn't find a place in cPanel / WHM to have the system configure DMARC automatically. Does cPanel not have an option for DMARC yet?

    Thanks!!!!
     
    #4 Spork Schivago, Jun 7, 2017
    Last edited: Jun 7, 2017
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    In your cPanel > Domains > Zone Editor, Manage, find the Add Record button; on its menu, select Add DMARC Record.
     
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you.

    I had already added it and got it working using the zone editor in WHM, but I decided to delete the resource record and do it the way you described. That's a nice interface! Most of the stuff I do is through WHM and not cPanel. I don't play around in there much. I figured it'd be in the WHM Zone Editor, but I guess it makes sense to keep it in cPanel, so other users who have cPanel accounts on your server can create their own DMARC records.
     