DKIM signature is sometimes invalid
I am running currently stable cPanel v76+, with exim 4.91. DNS is hosted on Cloudflare and I can mostly successfully send a properly DKIM signed emails with a score 10/10 on mail-tester.com. But sometimes messages from the exact same email result in invalid DKIM signature according to Gmail and mail-tester.com and I cannot figure out why.
Manually comparing valid and invalid DKIM emai headers shows this. In the copy paste of headers I've hidden domain and is a correct one in headers received by Gmail or mail-tester.com.
Valid DKIM signature:
v=1;
a=rsa-sha256;
q=dns/txt;
c=relaxed/relaxed;
d=hidden.tld;
s=default;
h=List-Unsubscribe:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=033XepfoqR3mPbERwV3ZBIINwWfhsAr6KS/n+cYEm/g=;
b=BvdRcfqrdKcX5/c10pr8IeLNvq7U1VL8w5qRaHfwsyFRS+bvfKI4tLa+tX+0kuMpChVK5I2k1vcfj2BZPu2JEnvPLF8SSShjmYeMvBY8wCQbTfNq5YMl9fFluxTt5bi2G2MhdeSRxsURQ/W6l+Rtbbp/unPOpoOfq+tCbUha4c0KdlpJO6ArhyffcuNiJlzy8iAZNDbo6x6gxG+olS4Gbh9x96HN8tlLJw3bhvg2l17pPXnLwQALN5z7R7fE0RVefjLOGw/11SYJBAxKyZfhbyNZXNE5vbb3dKv8JLU34dJSHsotq+2z5SvIuIJG3nXlGir60EU/7a9HGa40BMrRDQ==;
This key is obtained from dns query to validate the email as valid:
"v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsBIqubAjZEgzpGB5qC9KZhhKpGbevYtQXI+0opmGaoiPYlRPGY4UEe157LJRWrv4RdO31jErFV7jmI6nkdk0dqFQM8gIoMFC8vmNNzp3vZrionAgsGMqS7EyuFxcWCqZPBLCigFb5CanPGgNou3qaqxsGHQnjem6HQTRzKa6Pu4M31uUJyrW5wJ7JTKxfNmzJ5a8r/rFH0IDfziJOzpihkO+97nSGcEIhtCFKsL2+TKDJGACN0c3YY4MOv3yazM/MlmTp/QVaA9xKBbOp5UueDKkTPB0nK/kldR4rx21vltX65yWaM2fbUwx7aPFCpM0pOQ7ah/g6N09mhalzY5UwIDAQAB;
"
Same message in only a short time difference validates as invalid DKIM signature:
v=1;
a=rsa-sha256;
q=dns/txt;
c=relaxed/relaxed;
d=hidden.tld;
s=default;
h=List-Unsubscribe:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=Rds/2G37+Wp1V7pPNyNErWIEGvOJ9zA7A8qhkd4nCuE=;
b=E6x5aGoU0tlqnVw9W53yUQYOMDP9RDra9GhdVzyWBwM+1m5VNq12EdIzYaYexoTPryF26mNogfJ5cyYMTDZdoPbqNuhzGoVsHCdNncQhwbQHErf5d2/R0XbYbmWb+i9V6KI8qyo0Ps89pxuknJB1F9Ffpn63YhXo1errdZcgjvkC/umCUq57KSQTWD7CmCDwJ85HFBv9wXYpY1g+7H5Kk+H9zaJLxt7ofAfRRei7EpDEtwWyG8+YaxxVFWgDhjJ/o8IKwpuHybhHxxXhfNCUtz7i8Am2At/awVep4aN9g+nAgxNbIOFeCOQA5j+E3W3hS38/Ft8NwdU7JxIlYKTMXA==;
This key is obtained from dns query to validate the email as invalid:
"v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsBIqubAjZEgzpGB5qC9KZhhKpGbevYtQXI+0opmGaoiPYlRPGY4UEe157LJRWrv4RdO31jErFV7jmI6nkdk0dqFQM8gIoMFC8vmNNzp3vZrionAgsGMqS7EyuFxcWCqZPBLCigFb5CanPGgNou3qaqxsGHQnjem6HQTRzKa6Pu4M31uUJyrW5wJ7JTKxfNmzJ5a8r/rFH0IDfziJOzpihkO+97nSGcEIhtCFKsL2+TKDJGACN0c3YY4MOv3yazM/MlmTp/QVaA9xKBbOp5UueDKkTPB0nK/kldR4rx21vltX65yWaM2fbUwx7aPFCpM0pOQ7ah/g6N09mhalzY5UwIDAQAB;
"
I have ruled out DNS server, as I have complete trust in Cloudflare, could it be exim's fault?
-
cPanel and Cloudflare have just one DKIM signature in their domain zone with key default._domainkey 0 -
Hello @Luka Mrovlje This doesn't actually sound possible from CloudFlare or cPanel, the DKIM signature sent is not changed, if the record is not modified and sometimes it is being accepted and sometimes not it sounds more like an issue on the recipient side especially if you've double checked the DKIM signature with mail tester and mxtoolbox 0
Please sign in to leave a comment.
Comments
2 comments