
Error in DKIM core record

Comments

12 comments

  • cPanelMichael
    Hello @meeven,
    > I was checking email delivery for a new account I had set up on a cPanel VPS and found that the outgoing email sent from an email account on the VPS and received at my Gmail GSuite account showed a DKIM fail in the headers - the email landed in my GSuite spam folder as the SPF record was in place.

    Is email sent from your cPanel server relayed through another server?
    > Checking the DKIM core at dkimcore.org, I get the following message:

    That appears to be a false positive. There's a thread on this topic, with a user-submitted workaround if you want to pass the test on that website, at:
    > Finally, I have never understood why the DKIM keys generated in cPanel have a long string after the end quote - part in the above record that starts with 072 after the end quote and ends in QAB\;. Should I add this in the DNS record, or not?

    We split the DKIM record into 255-byte chunks by design. RFC 1035 specifies that character strings must be split up into chunks of 255 or fewer octets. This can lead to issues when manually pasting the DKIM record into a remote DNS server's interface. Here are a couple of threads you may find helpful to get the record added properly on a remote DNS server:
    Thank you.
    0
  • meeven
    0
  • cPanelMichael
    > About the DKIM record generated by cPanel, after checking the two links you mentioned, here's what's not clear to me, yet. Sorry if I sound dense, but I hope you can clear these up for me:
    > • Should I remove the second double quote from the middle of the key and add it to the end, after the \;?
    > • Should I remove the space after the second double quote from the middle of the key?
    > • Should I remove the trailing \ and semicolon at the end of the key?

    Hello @meeven, You shouldn't have to alter the DKIM record at all if the DNS for the domain is hosted by the cPanel server. The instructions on how to alter the record are only applicable if the domain name's DNS records are hosted externally and the remote DNS server does not accept the record as-is. Can you confirm if that's the case, and if so, let us know where the domain's DNS is hosted? Thank you.
    0
  • meeven
    > Hello @meeven, You shouldn't have to alter the DKIM record at all if the DNS for the domain is hosted by the cPanel server. The instructions on how to alter the record are only applicable if the domain name's DNS records are hosted externally and the remote DNS server does not accept the record as-is. Can you confirm if that's the case, and if so, let us know where the domain's DNS is hosted? Thank you.

    Hello @cPanelMichael, the domain's DNS is hosted at Linode; some other domains have their DNS at Route53 and EasyDNS. Thanks to your links, I did a bit of testing and was able to have the DKIM keys authenticate successfully. To anyone else who may come across this thread, here's a summary of DKIM config on cPanel:
    • If your domain's DNS is hosted by the cPanel server, there's pretty much nothing to do. You are set if you see the DKIM check pass.
    • If your domain's DNS is hosted externally, here's what should be modified in the DKIM key generated by cPanel:
      • Remove the trailing backslash and semicolon at the end of the key such that your key always ends with the letters QAB
      • Remove the end quote in the DKIM key generated by cPanel (it occurs somewhere in the middle of the key)
      • Remove the empty space between the end quote and the next letter
      • Copy the entire string, starting from v=DKIM and ending with QAB, into the 'Value' field of the DNS TXT record. The 'Name' field of the DNS record should have 'default._domainkey' in it (without the single quotes, of course)
      • Depending upon your external DNS provider, you may need to wrap the DKIM key string within double quotes, just like cPanel, or exclude the double quotes - Linode DNS manager, for example, doesn't need the double quotes and adds them behind the scenes.
    0
  • cPanelMichael
    Hello @meeven, I'm glad to see you were able to get it sorted out. Thank you for sharing the outcome and workaround instructions.
    0
  • jcalvert
    I also encountered this bug with how WHM displays the domain key TXT record in the DNS zone. In my case, I had to copy the contents of that record so that my client could paste it into his Cloudflare account's DNS zone. This approach didn't work at all, because the contents of the domain key TXT record shown by WHM are totally incorrect. My solution was to find the directory where the domain keys are stored in CentOS and grab the public key from there. Then I pasted this into the "p=" part of the TXT record, to be used at Cloudflare. Once I did this, a test email to a Gmail account immediately reported that DKIM was correct. Here is the directory where the domain keys are stored: /var/cpanel/domain_keys.
    0
  • cPanelMichael
    Hello @jcalvert, The TXT record for DKIM will look different in the DNS zone because we split the record into 255-byte chunks due to RFC 1035 specifying that character strings must be split up into chunks of 255 or fewer octets. Thus, let's say the public key found in /var/cpanel/domain_keys/public/domain.tld looks like this:

        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYP
        LjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4
        P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29Wg
        zgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1o4d5tiBqPb/1z8uxWDQ
        xrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5g
        zX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3
        mwIDAQAB
        -----END PUBLIC KEY-----

    The TXT entry in the DNS zone on the cPanel server (corresponding to what appears in the cPanel and WHM UI) will look like this:

        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYPLjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29WgzgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1" o4d5tiBqPb/1z8uxWDQxrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5gzX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3mwIDAQAB\;
    Oftentimes a third-party DNS provider will automatically split the TXT record using their own internal functionality, and thus they require you to enter the record in its raw form (so their system can split the record up for you). Since cPanel & WHM is providing you with the record that's already split up, their interface won't accept it. The method you used to obtain the key in its raw form from /var/cpanel/domain_keys/public/domain.tld for use in the TXT record is a valid workaround, and matches what CloudFlare suggests at:
    0
  • jcalvert
    @cPanelMichael, thanks. The problem seems to be that CloudFlare doesn't allow the split form of the record on input. I would say that a good UI would allow either the split form or the unsplit form. WHM does it right.
    0
  • Ari Saastamoinen

    This issue still exists, and long DKIM entries may still be broken. The problem is not related to transferring the zone file to, for example, Cloudflare — the entries may already be broken in cPanel’s own /var/named/* files.

    The issue is that long TXT entries are split according to the specification, but for some reason the later part(s) do not get enclosed in quotation marks, even though the first part does.

    This does not occur for all domains. On the system I investigated, there are approximately 250 long DKIM entries across various domains, but only about 20% of them are broken.


    0
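    The two practical problems in this thread are the same record seen from two sides: meeven's summary above describes turning cPanel's split, quoted TXT record back into the single raw string that Linode or Cloudflare expects, and Ari's report describes the reverse failure, where a zone file carries the tail of a long DKIM record without quotes. The script below is an added example (not cPanel's code) that does both: it tokenizes TXT RDATA the way a zone-file loader does (quoted or unquoted character-strings, backslash escapes), reports unquoted or over-long chunks, joins the chunks into the raw value, checks the p= tag against the PEM file from /var/cpanel/domain_keys/public/, and re-emits the value as correctly quoted 255-octet chunks. The public key is the one cPanelMichael quoted above; the zone lines, the owner names and the one-record-per-line regex are my own constructed assumptions.

```python
"""Parse, verify and re-split a DKIM TXT record (added example, not cPanel code).
The PEM key is the one quoted in the thread; all zone data below is constructed."""
import base64
import re

MAX_CHUNK = 255  # RFC 1035 <character-string> limit, in octets

# Public key as stored under /var/cpanel/domain_keys/public/<domain> (from the thread)
PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYrRWuN6UJMtiML7RLYP
LjDY4j/iXrU1h++0/C2k+y40aXd3nAQmL/DRDBgeHUQjbfd0eycUfO9AlrMFMA+4
P6teINmef1Vtm+LVixJ2RfY1KVt2j5+dH1LRVhGzI+ieZukLc3AT7ASXK/XP29Wg
zgBgov2C3UHHpmtVbwXj+JSkbw+zBCUFAhAQSY+zPN5I1o4d5tiBqPb/1z8uxWDQ
xrspZYOv5nWsCY3NidWCMoys9I8bND6W5731mTWc/m4/ttMCSqcdiFxtid/tk/5g
zX7Z5s8ijcejbt3YqKLA0wvYPIFb29wkL8CSLOtp2gHo9QB2+NZ/o8i5Dp/Zd8t3
mwIDAQAB
-----END PUBLIC KEY-----"""


def pem_to_p(pem: str) -> str:
    """p= is the base64 SubjectPublicKeyInfo with the PEM armour and newlines removed."""
    return "".join(l.strip() for l in pem.splitlines() if l and not l.startswith("-----"))


def parse_txt_rdata(rdata: str):
    """Tokenize TXT RDATA into <character-string>s like a zone-file loader does.
    Quoted and unquoted (whitespace-delimited) strings are both accepted and backslash
    escapes are honoured, so the broken form  "...255 octets..." tail\\;  still parses,
    but every unquoted, unterminated or over-long chunk is reported in `problems`."""
    chunks, problems = [], []
    i, n = 0, len(rdata)
    while i < n:
        c = rdata[i]
        if c.isspace():
            i += 1
            continue
        if c == ";":  # an unescaped ';' outside quotes starts a comment: the rest is lost
            problems.append("unescaped ';' outside quotes truncates the record")
            break
        quoted = c == '"'
        if quoted:
            i += 1
        buf, terminated = [], not quoted
        while i < n:
            c = rdata[i]
            if c == "\\" and i + 1 < n:  # \; \" \\ stand for the literal character
                buf.append(rdata[i + 1])
                i += 2
                continue
            if quoted and c == '"':
                i, terminated = i + 1, True
                break
            if not quoted and (c.isspace() or c == ";"):
                break
            buf.append(c)
            i += 1
        if not terminated:
            problems.append(f"chunk {len(chunks) + 1} has no closing quote")
        if not quoted:
            problems.append(f"chunk {len(chunks) + 1} is not quoted")
        s = "".join(buf)
        if len(s.encode()) > MAX_CHUNK:
            problems.append(f"chunk {len(chunks) + 1} exceeds {MAX_CHUNK} octets")
        chunks.append(s)
    return chunks, problems


def parse_dkim_tags(value: str) -> dict:
    """tag=value list per RFC 6376; folding whitespace inside values is insignificant."""
    tags = {}
    for part in value.split(";"):
        name, eq, val = part.partition("=")
        if eq:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def der_length(p: str) -> int:
    """Octets in the decoded p= value, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(p, validate=True))
    except ValueError:
        return -1


def verify_record(rdata: str, pem: str):
    """Join the chunks into the raw value (what Linode/Cloudflare-style UIs want)
    and check it against the PEM key. Returns (raw_value, tags, problems)."""
    chunks, problems = parse_txt_rdata(rdata)
    raw = "".join(chunks)
    tags = parse_dkim_tags(raw)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if "p" not in tags:
        problems.append("p= tag missing")
    elif tags["p"] != pem_to_p(pem):
        problems.append("p= does not match the PEM public key")
    elif der_length(tags["p"]) < 0:
        problems.append("p= is not valid base64")
    return raw, tags, problems


def zone_rdata(value: str) -> str:
    """Split into 255-octet chunks and quote every one: the correct zone-file form."""
    data = value.encode("ascii")  # DKIM records are ASCII, so byte-slicing is safe
    parts = [data[i:i + MAX_CHUNK].decode("ascii") for i in range(0, len(data), MAX_CHUNK)]
    return " ".join('"' + p.replace("\\", "\\\\").replace('"', '\\"') + '"' for p in parts)


ZONE_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*?)\s*$", re.I)  # assumed layout


def find_broken_dkim(zone_text: str):
    """Return (owner, problems) for every _domainkey TXT line a loader would choke on
    or read differently from what was intended. Assumes one record per line."""
    hits = []
    for line in zone_text.splitlines():
        m = ZONE_LINE.match(line)
        if m and "_domainkey" in m.group(1):
            _, problems = parse_txt_rdata(m.group(2))
            if problems:
                hits.append((m.group(1), problems))
    return hits


# Constructed samples: the correct value, its proper zone form, and the cPanel-110
# form from the thread (first 255 octets quoted, unquoted tail ending in an escaped ';').
P = pem_to_p(PEM)
RAW_VALUE = "v=DKIM1; k=rsa; p=" + P + ";"
GOOD_RDATA = zone_rdata(RAW_VALUE)
BROKEN_RDATA = '"' + RAW_VALUE[:MAX_CHUNK] + '" ' + RAW_VALUE[MAX_CHUNK:-1] + "\\;"
ZONE = (
    f"default._domainkey.good.example. 14400 IN TXT {GOOD_RDATA}\n"
    f"default._domainkey.broken.example. 14400 IN TXT {BROKEN_RDATA}\n"
    'good.example. 14400 IN TXT "v=spf1 +a +mx -all"\n'
)

if __name__ == "__main__":
    for owner, problems in find_broken_dkim(ZONE):
        print(owner, problems)
    raw, tags, problems = verify_record(BROKEN_RDATA, PEM)
    print("raw value for an external DNS UI:", raw)
    print("corrected zone RDATA:", zone_rdata(raw))
```

Running it prints the broken owner with `chunk 2 is not quoted`, the single raw string to paste into an external provider's Value field, and the same record re-split into two quoted chunks. The first chunk of the re-split record ends in `SY+zPN5I1`, exactly where cPanelMichael's example above breaks, which is a quick way to confirm that the 255-octet split and not the key itself is what a remote interface is rejecting.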
  • cPRex Jurassic Moderator

    Ari Saastamoinen - would you be able to submit a ticket from the server with this issue?  It seems odd to me that only a percentage of the zones would experience this issue, so it would be good to see both the working and non-working zones in action.

    0
  • Ari Saastamoinen

    I have analyzed the situation further, and it appears that the broken entries were last edited when the system was still running cPanel 110. All entries that have been edited in version 118 or later seem to be intact, so the issue itself has been fixed; however, zone files that were broken in the older version were not automatically corrected during the version upgrade.

    I could not quickly find any mention in the changelog indicating that this specific issue had been fixed in a prior release.

    Nowadays, the zone seems to self-correct if any modification is made to it.

    Is there a command-line method to force the system to update all zone files in the system (for example, by simply incrementing the serial)?

    0
  • cPRex Jurassic Moderator

    I'm not aware of any specific tool on our end to resolve that. We do have a script outlined at https://support.cpanel.net/hc/en-us/articles/4413385053847-How-to-manually-update-a-DNS-Zone-serial-for-a-single-domain-or-for-all-domains that will let you do this with Perl, though.

    0
