
DKIM on DNSONLY

Comments

20 comments

  • cPanelLauren
    Hi @chagwood, in order to implement DKIM on the dnsonly server you'd need to do so manually. I believe the process on dnsonly would be something like the following, but please keep in mind that this would be a non-standard customization. You'd need to first create a private/public key pair, which you can do at sites like this: DKIM Core. The private and public keys need to be added at:
    /var/cpanel/domain_keys/private
    /var/cpanel/domain_keys/public
    And the zone file needs to be updated for the domain.
    0
  • chagwood
    > Hi @chagwood In order to implement DKIM on the dnsonly server, you'd need to do so manually. I believe the process on dnsonly would be something like the following but please keep in mind that this would be a non-standard customization. You'd need to first create a private/public key which you can do at sites like this :
    0
  • cPanelLauren
    Hi @chagwood, it should be enough. What do you get when you query for the DKIM record?
    dig txt default._domainkey.domain.tld
    By default cPanel creates the DKIM record with the selector "default"; it could be different if you generated yours manually.
    0
  • chagwood
    > Hi @chagwood It should be enough what do you get when you query for the DKIM: dig txt default._domainkey.domain.tld
    > By default cPanel creates the dkim with the selector "default" it could be different if you generated yours manually

    I get this result:
    id 51250
    opcode QUERY
    rcode NOERROR
    flags QR RD RA
    ;QUESTION
    default._domainkey.MYDOMAIN.TLD. IN TXT
    ;ANSWER
    default._domainkey.MYDOMAIN.TLD. 3599 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8BPIZxrzzDQXOshec+7cB2moN4Rtx0dJEoDxESuB68IQ6VsGqFOw3rNKcviatszMCdagcCnk0TVnNMySBC9DsoJabCkYVtyNV4Oosw53jp54eQxhnT/L3TXCTIhPPl2bR+5Hs6PLnFu2R2anQP5i9zGLPdAcKsd9OIe/2d8Kss/lDV5WyA7U8Vm+GhX+FJkBq" "GHCCoPgW74dgk5A24VCg+EAPMoNSmO1AHKGGojUpEmHRTdHzqfgyfaMPuTVD/2b6HhpxV3e4Jqcssv5N/Oc4B6/bf+nzghnat2nvOWYbjaNmeIuRi+1gDiSl0DL/vhhPmSZ7ybUBBFYKVzr6wDCxQIDAQAB;"
    ;AUTHORITY
    ;ADDITIONAL
    0
  • cPanelLauren
    Hi @chagwood You're getting back the public key for the dkim record. I wonder if the real issue is DKIM on the hostname and not specific to DKIM on dnsonly. When you receive mail from this host how are you able to tell it's not passing DKIM authentication? Are you checking the headers of the mail? If sending to a provider like Gmail they do a full check and provide a specific error for the dkim record in the header. Can you provide the error you're getting? Thanks!
    0
  • chagwood
    > Hi @chagwood You're getting back the public key for the dkim record. I wonder if the real issue is DKIM on the hostname and not specific to DKIM on dnsonly. When you receive mail from this host how are you able to tell it's not passing DKIM authentication? Are you checking the headers of the mail? If sending to a provider like Gmail they do a full check and provide a specific error for the dkim record in the header. Can you provide the error you're getting? Thanks!

    Here is a screenshot from an e-mail I received from my webserver (DKIM works): - Removed -
    Here is a screenshot from an e-mail I received from one of my nameservers (DKIM isn't shown, nor does it explicitly say it failed): - Removed -
    0
  • cPanelLauren
    Hi @chagwood, what version of cPanel are you running on the dnsonly server? There was previously an issue with DKIM on the hostname, but that should have been resolved as of 74.0.9. The behavior as I understand it should be the same either way. I can definitely see in that second screenshot that the DKIM isn't checked, though that isn't the full header. There should be a section in the header body that goes over the DKIM:
    ARC-Authentication-Results
    DKIM-Signature
    There's also this thread which discusses a workaround (pre-fix).
    0
  • chagwood
    > Hi @chagwood What version of cPanel are you running on the dnsonly server? There was previously an issue with DKIM on the hostname but that should have been resolved as of 74.0.9. The behavior as I understand it should be the same either way. I can definitely see in that second screenshot that the DKIM isn't checked. Though that isn't the full header. There should be a section in the header body that goes over the DKIM: ARC-Authentication-Results DKIM-Signature There's also this thread which discusses a workaround (pre-fix)
    0
  • cPanelLauren
    Hi @chagwood That's interesting! I would anticipate some check of DKIM to be done since the record exists. Did you have a chance to check out the other thread I linked with the workaround to see if that will work for you? Thanks!
    0
  • chagwood
    > Hi @chagwood That's interesting! I would anticipate some check of DKIM to be done since the record exists. Did you have a chance to check out the other thread I linked with the workaround to see if that will work for you? Thanks!

    Yes, thanks for the link. I have previously used that to generate the public/private DKIM keys and I updated the zone to include the DNS record. But when I send a test email (using DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com for instance) it's not including a DKIM signature. So is there a mail setting somewhere on my DNSONLY box that I can check to ensure DKIM is being included?
    0
  • chagwood
    I finally figured it out.
    Create the file /var/cpanel/users/nobody on your DNSONLY box and insert this text into the file:
    DNS=hostname.domain.com
    In my case it was ns1.mydomain.com. Then run this command:
    /usr/local/cpanel/bin/dkim_keys_install nobody
    This generates the public/private keys in /var/cpanel/domain_keys/. Now we have to edit the /etc/exim.conf file. Make sure you make a backup!
    Locate the two lines under the autoreply_dkim_lookuphost and dkim_lookuphost headings. Replace these lines:
    require_files = "+/var/cpanel/domain_keys/private/${lc::${perl{get_message_sender_domain}}}"
    with this line:
    require_files = "+/var/cpanel/domain_keys/private/${lc::${if eq {${perl{get_message_sender_domain}}}{-system-}{$sender_address_domain}{${perl{get_message_sender_domain}}}}}"
    Now find the dkim_remote_smtp heading and replace this line:
    dkim_domain = ${lc:${perl{get_message_sender_domain}}}
    with this line:
    dkim_domain = ${lc::${if eq {${perl{get_message_sender_domain}}}{-system-}{$sender_address_domain}{${perl{get_message_sender_domain}}}}}
    At this point we're done editing the exim configuration file. Save and close, then run the following command:
    /scripts/restartsrv_exim
    This will restart exim. Now we must create our DNS record. Run this command (make sure to change ns1.mydomain.com to the domain you set the "DNS=" value to in the /var/cpanel/users/nobody file):
    cat /var/cpanel/domain_keys/public/ns1.mydomain.com
    Copy all the text between the BEGIN PUBLIC KEY and END PUBLIC KEY lines. Open notepad and create a record value that is formatted as such:
    "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"
    Be sure to remove any line breaks or carriage returns. So mine, for instance, could look something like this:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9wEBAQEFAAOCAQ8AMIIBDgKCAQEA1CK6PUZ+dcOEatcr3N5SSPOUY5s+Y5Li9IZWpbjgH9SJuN2X23VLX0AJn6FQs/WHpVWF9LNLDduBMyFkyAoEffjcHdp2lTMAOZZTbgOxIFc6Sa/9WajLRHRPUGzN7QSubqEBMtqNz0CVWKJQOatonVa+Eh58eFLOq4yqQJPbCqRTff83rp1klqXPXrFYZPwHNUMrhRLShcfNsC3aS2xz5nbk0qUKP4LUDSvK0LEBoFlMSj5H1P1T+7qVKVONZZJjEIEQVwjFPzf6Abj2aiRVc3LKN12YG0/9HKOUejzSkRpeSE9lNJzq7iaOFgsYioP7jmYD2CVaDM7/7rwGLq9wcQIDAQAB"
    Now I go back to my main cPanel server and edit the zone file for ns1.mydomain.com. Add a new TXT entry for the domain default._domainkey, then paste in the record value we created above. Now your nameserver emails should be properly signed with DKIM. I verified this by sending test e-mails using DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com.
    TL;DR: DNSONLY won't sign e-mails using DKIM unless you fix a few lines in exim.conf. The altered lines came from the exim.conf file from my main cPanel server that was correctly sending DKIM-signed emails.
    0
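The record-building step in the post above (copy the base64 between the BEGIN/END PUBLIC KEY lines, strip the line breaks, wrap it as v=DKIM1; k=rsa; p=...) and the earlier check of what dig returns for default._domainkey are both covered by this added Python example. It is not code from cPanel or from the poster. It builds the TXT value from the PEM public key file, splits it into the 255-byte strings a zone file needs, and parses a published record back, decoding the key to confirm it is an RSA key of a sane size. The PEM sample is constructed by re-wrapping the key shown in the dig output earlier in the thread; the host name ns1.mydomain.com is the one used in the post, and the PEM "PUBLIC KEY" layout of the file under /var/cpanel/domain_keys/public/ is assumed from the cat step.

```python
"""Build a DKIM TXT value from a PEM public key and check a published record.

Added example, not cPanel's code or the poster's script. Assumes the file under
/var/cpanel/domain_keys/public/<host> is a PEM "PUBLIC KEY" block
(SubjectPublicKeyInfo), as the `cat` step in the thread shows.
"""
import base64

DKIM_PREFIX = "v=DKIM1; k=rsa; p="

# The two quoted strings exactly as dig returned them earlier in the thread.
# One TXT <character-string> holds at most 255 bytes, so the record is stored
# as several strings that the resolver (and a DKIM verifier) concatenates.
DIG_STRINGS = [
    DKIM_PREFIX + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8BPIZxrzzDQXOshec+7cB2moN4Rtx0dJEoDxESuB68IQ6VsGqFOw3rNKcviatszMCdagcCnk0TVnNMySBC9DsoJabCkYVtyNV4Oosw53jp54eQxhnT/L3TXCTIhPPl2bR+5Hs6PLnFu2R2anQP5i9zGLPdAcKsd9OIe/2d8Kss/lDV5WyA7U8Vm+GhX+FJkBq",
    "GHCCoPgW74dgk5A24VCg+EAPMoNSmO1AHKGGojUpEmHRTdHzqfgyfaMPuTVD/2b6HhpxV3e4Jqcssv5N/Oc4B6/bf+nzghnat2nvOWYbjaNmeIuRi+1gDiSl0DL/vhhPmSZ7ybUBBFYKVzr6wDCxQIDAQAB;",
]
SAMPLE_PUBKEY_B64 = DIG_STRINGS[0][len(DKIM_PREFIX):] + DIG_STRINGS[1].rstrip(";")

# Constructed sample of what `cat /var/cpanel/domain_keys/public/ns1.mydomain.com`
# prints: the same base64 wrapped at 64 columns between PEM markers.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + "\n".join(
    SAMPLE_PUBKEY_B64[i:i + 64] for i in range(0, len(SAMPLE_PUBKEY_B64), 64)
) + "\n-----END PUBLIC KEY-----\n"


def pem_to_dkim_txt(pem: str) -> str:
    """The post's manual step: keep only the base64 between the BEGIN/END
    lines, drop every line break, and prefix the DKIM tags."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return DKIM_PREFIX + body


def split_txt_strings(value: str, limit: int = 255) -> list:
    """Cut a long TXT value into <=255-byte strings for a zone file."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_rr(selector: str, domain: str, value: str) -> str:
    """BIND-style resource record with the value as several quoted strings."""
    strings = " ".join(f'"{s}"' for s in split_txt_strings(value))
    return f"{selector}._domainkey.{domain}. 3600 IN TXT ( {strings} )"


def parse_dkim_txt(strings) -> dict:
    """Join the TXT strings as a verifier does and split tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


# Minimal DER walker: just enough to reach the RSA modulus in a SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_b64: str) -> int:
    """Bit length of the RSA modulus inside a base64 SubjectPublicKeyInfo."""
    _, spki, _ = _der_tlv(base64.b64decode(spki_b64), 0)   # outer SEQUENCE
    tag, alg, pos = _der_tlv(spki, 0)                       # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_tlv(spki, pos)                      # BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa, _ = _der_tlv(bits, 1)                           # RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_tlv(rsa, 0)                      # INTEGER n
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def check_record(strings) -> dict:
    """Checks a receiving MTA applies before trusting a selector record."""
    tags, problems, bits = parse_dkim_txt(strings), [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type")
    if not tags.get("p"):
        problems.append("empty p= (revoked or missing key)")
    else:
        try:
            bits = rsa_modulus_bits(tags["p"])
            if bits < 1024:
                problems.append(f"weak {bits}-bit key")
        except Exception as exc:           # bad base64 or DER
            problems.append(f"p= does not decode: {exc}")
    return {"tags": tags, "modulus_bits": bits, "problems": problems}


if __name__ == "__main__":
    value = pem_to_dkim_txt(SAMPLE_PEM)
    print(zone_rr("default", "ns1.mydomain.com", value))
    print(check_record(DIG_STRINGS))
```

Run stand-alone it prints the zone record for default._domainkey.ns1.mydomain.com and the parsed result for the record dig returned. The split into 255-byte strings is why dig showed the key in two quoted pieces; a zone editor that accepts a single long value will split it for you, but when the record is pasted into a raw zone file the quoted pieces have to be written out as shown, and a verifier will reject a record whose strings were joined with a stray space or line break.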
  • cPanelLauren
    Hi @chagwood, this is fantastic, thank you so much for the workaround for this. I know this is going to help others!
    0
  • ejsolutions
    Has this now been implemented/changed in later releases, or is it still a valid method?
    0
  • cPanelLauren
    As far as I know this is still valid - I believe there may be changes to this in the future but I'm not aware of any implemented thus far.
    0
  • Richard F

    Any advice for setting up DKIM on DNSONLY these days? The above steps do not work, as the exim configuration file is (understandably) different as years have passed.

    0
  • cPRex Jurassic Moderator

    I asked around and it appears there is not a supported way to get this working on modern systems. I created case CPANEL-46064 for our developers to investigate this, as it would seem logical to me that if the DNSOnly server is sending the messages, there should be a way to configure them to be secure with DKIM.

    If I hear any updates from the team on this issue I'll be sure to post!

    1
  • Mr E

    ^ Thanks.

    DKIM is even more relevant than it was 5 years ago. ;)


    0
  • cPRex Jurassic Moderator

    For sure it is!

    0
  • Richard F

    cPRex Thank you for asking around and creating a case for this, it's much appreciated!


    0
  • cPRex Jurassic Moderator

    You're very welcome!

    1
