You're Not Fully Authenticated DKIM issue

fullfatdesigns

Well-Known Member
Aug 1, 2014
72
11
8
cPanel Access Level
Root Administrator
Hi

I've got client who's emails we think are getting lost in peoples SPAM folder, so I asked her to send it to mail-tester.com to test it. It scored a 9/10 with the message;

You're not fully authenticated
We were not able to check your DKIM signature

So I added the following to domain zone;
_dmarc TXT and I thought (v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ri=86400), but just re-checking now, it just has the v=DMARC1 part)

After re-checking on mail-tester it scored 6.7/10, with the message;

You're not fully authenticated
Your message failed the DMARC verification

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

You are not allowed to send a message with this address

DMARC DNS entry found for the domain _dmarc.example.co.uk:

"v=DMARC1"


Verification details:

mail-tester.com; dkim=pass (2048-bit key; unprotected) header.d=example.co.uk [email protected] header.b=kywEEQrq; dkim-atps=neutral
mail-tester.com; dmarc=permerror header.from=example.co.uk
mail-tester.com; dkim=pass (2048-bit key; unprotected) header.d=example.co.uk [email protected] header.b=kywEEQrq; dkim-atps=neutral
From Domain: example.co.uk
DKIM Domain: example.co.uk


I noticed other TXT records where is speech marks, should I have entered;

"v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ri=86400"

Or something else? Or am I doing this incorrectly?

Regards
Wayne
 
Last edited by a moderator:

fullfatdesigns

Well-Known Member
Aug 1, 2014
72
11
8
cPanel Access Level
Root Administrator
Hi

Thanks for the reply. I resaved in the modify account section and re-added the original DKIM record in speech marks and on re-testing, the score was 9.7. I'm getting the message;
Code:
SpamAssassin thinks you can improve
-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Great! Your signature is valid
0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
Great! Your signature is valid and it's coming from your domain name
-0.001 HTML_MESSAGE HTML included in message
No worry, that's expected if you send HTML emails
-0.363 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
0.001 SPF_PASS SPF: sender matches SPF record
Great! Your SPF is valid
-0.01 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
I think if I get these final bits sorted I should get a 10/10. But I'm not sure what to change to achieve these. Does anyone have any suggestions?

Regards
Wayne
 
Last edited by a moderator:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
Looking at the score report from mail-tester it doesn't appear any of the issues are related to DKIM:

The negative score here:

-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid This negative score will become positive if the signature is validated. See immediately below.
Is canceled out by the positives here as indicated in the message:
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Great! Your signature is valid 0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain Great! Your signature is valid and it's coming from your domain name
The only negative you're getting is because of the following:

-0.001 HTML_MESSAGE HTML included in message No worry, that's expected if you send HTML emails -0.363 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.001 SPF_PASS SPF: sender matches SPF record Great! Your SPF is valid -0.01 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 
  • Like
Reactions: linux4me2

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
Hi @fullfatdesigns

You're right and this is because it appears that the rDNS is dynamic - an explanation of SpamAssassin's RDNS_DYNAMIC rule is here:

Rules/RDNS_DYNAMIC - Spamassassin Wiki

It is expecting a static allocation (meaning the IP doesn't change) - Your provider would most likely be the one that can address this.

Thanks!
 

Rich Banton

Member
Jun 7, 2019
5
1
3
Dartford
cPanel Access Level
Root Administrator
I'm having a similar issue show up on mail-tester, any ideas? I'm sending from Mailwhizz via elastic email, this error is costing me 3 points according to Mail-tester.

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

You are not allowed to send a message with this address

DMARC DNS entry found for the domain _dmarc.opportunities.domain.co.uk:
"v=DMARC1;p=quarantine;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]"

Verification details:
  • mail-tester.com; dkim=temperror (0-bit key; unprotected) header.d=opportunities.domain.co.uk [email protected] header.b=NnCHuer/; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=elasticemail.com header.i=[email protected] header.b=CRAw2JsM; dkim-atps=neutral
  • mail-tester.com; dmarc=fail header.from=opportunities.domain.co.uk
  • mail-tester.com; dkim=temperror (0-bit key; unprotected) header.d=opportunities.domain.co.uk [email protected] header.b=NnCHuer/; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=elasticemail.com [email protected] header.b=CRAw2JsM; dkim-atps=neutral
  • From Domain: opportunities.domain.co.uk
  • DKIM Domain: opportunities.domain.co.uk
Whats confusing is it has passed the DKIM Signature and the SPF record

I look forward to your suggestions.
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
Does the domain opportunities.domain.co.uk have its own DKIM signature? Based on this output it doesn't seem to be seeing it:
Code:
mail-tester.com; dkim=temperror (0-bit key; unprotected) header.d=opportunities.domain.co.uk [email protected] header.b=NnCHuer/; dkim=fail reason="signature verification failed"
What's the output of the following? If you used the auto-generated DKIM from cPanel the selector should be default so you'd run:

Code:
dig txt default._domainkey.opportunities.domain.co.uk
 

Rich Banton

Member
Jun 7, 2019
5
1
3
Dartford
cPanel Access Level
Root Administrator
Yeah there is a default._domainkey.opportunities.domain.co.uk key for that domain it seems to be the same domain key for the parent domain. should they be set to the same as api.domainkey.opportunities.domain.co.uk supplied by elastic email? or it there another issue, we're missing?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
Hello @Rich Banton


Based on their configuration and discussions in their forums I believe you'll need to add their DKIM to your domain's DNS

Some further detail on their configuration with DKIM and tracking/sending domains can be found here: What tracking and sending domains actually are? - MailWizz KB