multiple DKIM records
Exim on your cPanel server will only sign outgoing messages with the default DKIM key. I assume the user is wanting to send out mail from their domain name using a third party (i.e. not your server) SMTP server. And that SMTP service is wanting to sign the messages with a specific DKIM key. In that case the user needs to add the DKIM public key to the domain's DNS. The third party email service should provide this. And since you state that the customer is using third party DNS... I don't really know how you're involved in this. The DNS entry needs to be made at the DNS service that is handling DNS for the domain name. If that third-party DNS service doesn't have the public DKIM key for the domain that your server signs messages with, then all messages sent from your server by the domain name are going to be failing DKIM.
0 -
They want to use ours as well as another email server... so the other would be primary and then ours would be backup.. but they can't both have "default" for the DKIM; they need s1 and s2 or something similar...
0 -
Somebody's not understanding something correctly. And it may be me. End users don't have anything to do with DKIM signing messages. DKIM signing is done at the MTA level. It really doesn't matter what selector is used by the MTA, just so long as the appropriate public key is stored in the respective selector DNS record. The ONLY way that "default" would interfere here is if an end user is wanting to send out mail through two SMTP servers and both MTAs are signing messages with a "default" selector. I can't imagine that happens very often though. You keep saying that the user has to use s1 and s2 selectors. Why? Your cPanel server is going to create a private DKIM key to sign messages with. Your cPanel server is going to add the appropriate default._domainkey public key TXT record into the DNS server on the server or in the DNS cluster. When the user sends out mail through your cPanel server those messages are going to get signed with that private DKIM key and have the "default" selector added into the headers. A mail server that receives these messages is going to read the DKIM header in the message, find that it's using the example.tld domain name and the default selector, and compare the designated headers hashed with the public key in your default._domainkey for example.tld with the hash presented in the headers. If they match, then DKIM is successful. If example.tld is not using DNS servers designated by the cPanel server, then that DNS server isn't going to automatically get the default._domainkey public key TXT record. This would need to be added manually. Either way, the end user that sent the mail is oblivious to what selector is used when sending out mail through your server. The second SMTP server that they are sending messages out through will have to use a different selector than "default" (or a different domain name).
If that service is designating s1 or s2 as their selector, that's fine and does not interfere at all with your cPanel DKIM. You just need to add the respective s1._domainkey or s2._domainkey public key into the domain's DNS, wherever that DNS may be being hosted (and if that is your responsibility). The only time this would create a collision issue is if you are using two SMTP services that are signing messages with different keys but the same selector. You can't do that (I don't think) - https://datatracker.ietf.org/doc/html/rfc6376/#section-3.6.2.2 But as long as each different SMTP service the domain is using is using different selectors, then it won't matter. You just have to have each corresponding public key for each selector in the domain's public DNS.
-1 -
I know it's 2 years ago, but I find it important to point out that your statement is both correct and incorrect:
> The ONLY way that "default" would interfere here, is if an end user is wanting to send out mail through two SMTP servers and both MTAs are signing messages with a "default" selector
The above is correct, but the following part is not correct, at least not for many of our users.
> I can't imagine that happens very often though.
This is happening very often in our cases, especially with companies which are using cloud services for e.g. their billing, or other types of services which also send out emails to clients, and also under the same domain name. And if both use "default" (whose idea was using that? it's the same as using example@example.com as their 'key-label'), things go horribly wrong. In fact companies like Google are making a big thing about this nowadays, and to not get your messages in spam your SPF and DKIM simply need to be in order and DMARC configured. But instead cPanel still has no option after 8 years for resolving this issue.
In a short time we simply will not be able to send mail to Google and other large mail providers because they simply demand it to be set up correctly.
0 -
I'm confused about what you are wanting. But if you have a customer on your server who uses mail on your server and has the 'default._domainkey' DKIM record for their mail on your server, AND they are using a third party service like Sendgrid or Constant Contact, or some other place that provides CNAMEs for DKIM or TXT alternatives under names like s1._domainkey and s2._domainkey, you can still add them.
For instance, SendGrid (third party mail sender) might say to add two CNAMEs to support DKIM on their platform:
s1._domainkey.customerdomain.com. IN CNAME s1._domainkey.u###.wl###.sendgrid.net.
s2._domainkey.customerdomain.com. IN CNAME s2._domainkey.u###.wl###.sendgrid.net.
The third-party provider may instead provide the actual public side of the DKIM key and want you to add TXT records instead:
s1._domainkey.customerdomain.com. IN TXT "dkim record from 3rd party provider here"
s2._domainkey.customerdomain.com. IN TXT "dkim record from 3rd party provider here"
I do this all the time. No problems at all.
It is UNlikely that any third-party email provider will require you to add another 'default._domainkey' entry to support their ability to send third-party email on behalf of your customer. Every common third-party mailer that I know of uses unique selector names that have nothing to do with default._domainkey.
And if I misunderstood what you are trying to do, the bottom line is that you can add as many DKIM-related records as you want in cPanel as long as you do not duplicate selectors. You just have to add them manually as TXT or CNAME records and not try to generate a second (or third) DKIM key.
0 -
Unfortunately that last part is not always correct. While most large email providers do that, we have some other party we must work with (in this case a supplier of a special tracking software for an indoor sports center) which provides yet another "default" label, and that is not going to fly. So either the mail from my customer directly goes wrong, or the automated mails with 'score reports' go wrong. Either way, it's not good.
What I do not understand is why cPanel keeps pushing its customer base to use "default".
0 -
This does look like a long requested feature ( https://features.cpanel.net/topic/dkim-support-for-custom-selector ), but with 56 votes (making it the 120th most popular requested feature) and the amount of work which would need to be done (changes to cPanel UI, changes to WHM UI, changes to command line tools, changes to Exim) and all the associated QA bits (on something that if something goes wrong people are going to be very upset at mail bouncing!) - vs a relatively low usage/demand feature, I doubt it'll be coming "sometime soon".
A workaround would be to use a subdomain - so for rainboy, if they are using the domain name example.com, perhaps set up the subdomain scores.example.com, which will allow default._domainkey.scores.example.com.
0
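The two points made across this thread (a verifier looks up selector._domainkey.signing-domain, so two services signing the same d= with the same selector collide, while moving one of them to a subdomain as suggested above makes the lookup name differ) can be checked mechanically before publishing DNS. The script below is an added example written for this page; it is not code from any poster, from cPanel or from Exim. It parses the DKIM-Signature tag list (RFC 6376 section 3.5), derives the DNS name each receiver would query, flags selectors that more than one service claims for the same domain, and lists names that still have no TXT or CNAME record in the zone. It does not verify signatures. The headers, service names, domains and zone contents are constructed for the demonstration.

```python
"""
Added example (not from the thread, cPanel or Exim): for each sending service that
signs mail for a domain, compute the DNS name a DKIM verifier will query
(<selector>._domainkey.<d=>), report selector collisions between services, and
list query names not yet published in the zone. Signatures are not verified here.
"""
import re
from collections import defaultdict


def parse_dkim_signature(header):
    """Parse the tag=value list of a DKIM-Signature header into a dict.

    Folding whitespace inside a value (e.g. across a wrapped b= tag) is not
    significant, so it is stripped; tag names are also stripped of whitespace.
    """
    tags = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def query_name(tags):
    """The TXT name a verifier looks up: <selector>._domainkey.<signing domain>.
    DNS names are case-insensitive, so normalise to lowercase."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def find_selector_collisions(services):
    """services: {service name: DKIM-Signature header that service emits}.
    Returns {query name: [services]} for every name claimed by more than one
    service; two different private keys cannot share one such name."""
    claims = defaultdict(list)
    for service, header in services.items():
        claims[query_name(parse_dkim_signature(header))].append(service)
    return {name: svcs for name, svcs in claims.items() if len(svcs) > 1}


def required_records(services, zone):
    """Query names the services need that the zone does not yet publish
    (as either a TXT record or a CNAME to the provider's record)."""
    needed = {query_name(parse_dkim_signature(h)) for h in services.values()}
    return sorted(name for name in needed if name not in zone)


# Constructed headers: the hosting server plus two third parties sending as the
# same domain. "bh=..." and "b=..." are placeholders, not real hashes or signatures.
SERVICES = {
    "cpanel-exim": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; h=from:to:subject; bh=...; b=...",
    "bulk-mailer": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=from:to:subject; bh=...; b=...",
    # a vendor that also insists on the "default" selector: collides with cpanel-exim
    "score-app": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; h=from:to:subject; bh=...; b=...",
    # the subdomain workaround: same selector, but d= differs, so the lookup name differs
    "score-app-subdomain": "v=1; a=rsa-sha256; d=scores.example.com; s=default; h=from; bh=...; b=...",
}

# Constructed zone: DKIM names already published (values abbreviated as placeholders).
ZONE = {
    "default._domainkey.example.com": "TXT v=DKIM1; k=rsa; p=<cPanel public key>",
    "s1._domainkey.example.com": "CNAME s1._domainkey.<provider hostname>.",
}

if __name__ == "__main__":
    print("collisions:", find_selector_collisions(SERVICES))
    print("records still to publish:", required_records(SERVICES, ZONE))
```

Run it as-is and it reports that cpanel-exim and score-app both claim default._domainkey.example.com (one of them must change selector or, as suggested above, signing domain), and that default._domainkey.scores.example.com still needs a record before the subdomain workaround passes verification.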