Dkim error reported, generated the key twice.. still wrong.
Hello!
I have been using cPanel for quite a bit, and this DKIM error baffles me.
DKIM used to work perfectly, but then we switched servers and moved the cPanel account.
Then, out of nowhere, I got an "Email rejected, incorrect DKIM signature".
I decided to check, and the cPanel account was using the old DKIM keys.
So I disabled DKIM and then re-enabled it to create a new key. Then I uploaded the new DKIM signature code into my domain controller (GoDaddy to Peer1).
Now I'm getting a DKIM "temperror".
Here's the verifier response:
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: temperror
Sender-ID check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: XXXXXXXXX.com
Source IP: 216.152.128.171
mail-from: cesar@XXXXXXXXX.com
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=cesar@XXXXXXXXX.com
DNS record(s):
XXXXXXXXX.com. SPF (no records)
XXXXXXXXX.com. 86400 IN TXT "google-site-verification=ZoyTQz0UleOZszknJwlkQI8e-Dp0qGtbag9k5VS0jrg"
XXXXXXXXX.com. 86400 IN TXT "v=spf1 +a +mx +ip4:XXXXXXXXX+ip4:XXXXXXXXX -all"
XXXXXXXXX.com. 86400 IN A XXXXXXXXX
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=cesar@XXXXXXXXX.com
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: temperror (error retrieving key record: IOException, status = StatusDnsQueryFailed)
ID(s) verified:
Canonicalized Headers:
content-transfer-encoding:8bit'0D''0A'
content-type:text/plain;'20'charset=utf-8;'20'format=flowed'0D''0A'
mime-version:1.0'0D''0A'
date:Mon,'20'28'20'Dec'20'2015'20'12:12:05'20'-0600'0D''0A'
message-id:<56817B75.9020203@XXXXXXXXX.com>'0D''0A'
subject:test'0D''0A'
from:Cesar'20''0D''0A'
to:check-auth2@verifier.port25.com'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=XXXXXXXXX.com;'20's=default;'20'h=Content-Transfer-Encoding:Content-Type:'20'MIME-Version:Date:Message-ID:Subject:From:To;'20'bh=GFKB/oeqA+OLVJA1riRaud7TaBuXL8wGRC4OEmq3HBI=;'20'b=;
Canonicalized Body:
'0D''0A'
--'0D''0A'
C'C3''A9'sar'20'R.'0D''0A'
IT'20'-'20'XXXXXXXXX'0D''0A'
DNS record(s):
default._domainkey.XXXXXXXXX.com. TXT (StatusDnsQueryFailed)
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: header.From=cesar@XXXXXXXXX.com
DNS record(s):
XXXXXXXXX.com. SPF (no records)
XXXXXXXXX.com. 86400 IN TXT "google-site-verification=ZoyTQz0UleOZszknJwlkQI8e-Dp0qGtbag9k5VS0jrg"
XXXXXXXXX.com. 86400 IN TXT "v=spf1 +a +mx +ip4:XXXXXXXXX +ip4:XXXXXXXXX -all"
XXXXXXXXX.com. 86400 IN A 216.152.128.171
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)
Result: ham (-1.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.1 FROM_12LTRDOM From a 12-letter domain
==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================
SPF and Sender-ID Results
=========================
"none"
No policy records were published at the sender's DNS domain.
"neutral"
The sender's ADMD has asserted that it cannot or does not
want to assert whether or not the sending IP address is authorized
to send mail using the sender's DNS domain.
"pass"
The client is authorized by the sender's ADMD to inject or
relay mail on behalf of the sender's DNS domain.
"policy"
The client is authorized to inject or relay mail on behalf
of the sender's DNS domain according to the authentication
method's algorithm, but local policy dictates that the result is
unacceptable.
"fail"
This client is explicitly not authorized to inject or
relay mail using the sender's DNS domain.
"softfail"
The sender's ADMD believes the client was not authorized
to inject or relay mail using the sender's DNS domain, but is
unwilling to make a strong assertion to that effect.
"temperror"
The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability to
retrieve a policy record from DNS. A later attempt may produce a
final result.
"permerror"
The message could not be verified due to some error that
is unrecoverable, such as a required header field being absent or
a syntax error in a retrieved DNS TXT record. A later attempt is
unlikely to produce a final result.
DKIM and DomainKeys Results
===========================
"none"
The message was not signed.
"pass"
The message was signed, the signature or signatures were
acceptable to the verifier, and the signature(s) passed
verification tests.
"fail"
The message was signed and the signature or signatures were
acceptable to the verifier, but they failed the verification
test(s).
"policy"
The message was signed but the signature or signatures were
not acceptable to the verifier.
"neutral"
The message was signed but the signature or signatures
contained syntax errors or were not otherwise able to be
processed. This result SHOULD also be used for other
failures not covered elsewhere in this list.
"temperror"
The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability
to retrieve a public key. A later attempt may produce a
final result.
"permerror"
The message could not be verified due to some error that
is unrecoverable, such as a required header field being
absent. A later attempt is unlikely to produce a final result.
==========================================================
Original Email
==========================================================
Return-Path:
Received: from XXXXXXXXX.com (216.152.128.171) by verifier.port25.com id hg5tn220i3gf for ; Mon, 28 Dec 2015 13:12:01 -0500 (envelope-from )
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=cesar@XXXXXXXXX.com
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=cesar@XXXXXXXXX.com
Authentication-Results: verifier.port25.com; dkim=temperror (error retrieving key record: IOException, status = StatusDnsQueryFailed)
Authentication-Results: verifier.port25.com; sender-id=pass header.From=cesar@XXXXXXXXX.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=XXXXXXXXX.com; s=default; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Date:Message-ID:Subject:From:To;
bh=GFKB/oeqA+OLVJA1riRaud7TaBuXL8wGRC4OEmq3HBI=; b=v8I5DQgmM6eSstsdzESp7jft1T
tVGtSNpdd3YROHIG/LnGll4EFn5U4DnaeEt2MvWSrk7eQSAiLINwgSam/ytksoDgF0aXpiyfdZR8b
BUP5TJJqLCFvvGcojZUO6nAK59gOvdQEzbeXuLZQ3JwnaZv9IKbGRuXOzEw/kZQdK/j3KH4NtBrxr
3KYzOLGOh8KdYKu/15wiSXSHgHVgpq/Jjafn/Pi6Fyjnk5O9QP85MI/5jd/zk+tc+PMujEJ89gzzw
NqVj8Rmu3b2nV2+1t0C7dtRAplRWWcbjJqwB+WWZUD82YrcyyY3D1FPr2QllI/et3d7vokiIuHo9/
UZNWuPKw==;
Received: from 187-254-20-214-cable.cybercable.net.mx ([187.254.20.214]:10915 helo=[192.168.1.3])
by main3.XXXXXXXXX.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.86)
(envelope-from )
id 1aDcH1-0003J5-Ol
for check-auth2@verifier.port25.com; Mon, 28 Dec 2015 12:11:59 -0600
To: check-auth2@verifier.port25.com
From: Cesar
Subject: test
Message-ID: <56817B75.9020203@XXXXXXXXX.com>
Date: Mon, 28 Dec 2015 12:12:05 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101
Thunderbird/38.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - main3.XXXXXXXXX.com
X-AntiAbuse: Original Domain - verifier.port25.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - XXXXXXXXX.com
X-Get-Message-Sender-Via: main3.XXXXXXXXX.com: authenticated_id: cesar@XXXXXXXXX.com
X-Authenticated-Sender: main3.XXXXXXXXX.com: cesar@XXXXXXXXX.com
X-Source:
X-Source-Args:
X-Source-Dir:
Any suggestions? Is there a proper way to test if the server and the NS controller are actually synced and giving the proper information on both fronts?
Hello :) Are you receiving a pass/fail for DKIM on other test utilities? You may also find this thread helpful: "DKIM key split over several records not working". Thank you.
Hi Michael, sadly, that address you gave me confused me even more than it helped me. I have a third-party NS system (peer1.net, located at ns1.peer1.net and ns2.peer1.net), but I'm confused about "splitting the DKIM code". I tried using the "DKIM recipe with 3rd party external DNS" thread, and it made me even more confused. First they talk about the "key", then they talk about the "selector", then they talk about the "public key". Can you shed some light on this? The raw DKIM code as it appears in the local DNS resolver in WHM is:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Btz0SbbpOqslwlPyjeX8XVeURSeYlpuc3BU5J+cTPHxq8rehE1bJx5Nu3i2jFTHPUooqGJoolW3nzj/eW37Dr9Yn66QkZfXoKCrMXSfeVIKZpi2mzOOQwApD84PKwuHUWyLdA2Uq9O6e4thO9WqEb6Wdf8sDiUpE+/cUNc+F2kcmj3Tx6RuRJyJuBOQsjen7" pPSxLfXj1XGHIBOvKpCZDpPs7XTeOnqc76HXAwf+RYkfeQ4dCDc32TQVhgESxONq8G+bJ/jx8tuXKnfwMlxRdiZuYnL0JUyeZEnCVZUT4cuSA3CE1x+dClp6mqQhAsLCwoh23c/Byxnmn44jTb1QQIDAQAB\;
In cPanel:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Btz0SbbpOqslwlPyjeX8XVeURSeYlpuc3BU5J+cTPHxq8rehE1bJx5Nu3i2jFTHPUooqGJoolW3nzj/eW37Dr9Yn66QkZfXoKCrMXSfeVIKZpi2mzOOQwApD84PKwuHUWyLdA2Uq9O6e4thO9WqEb6Wdf8sDiUpE+/cUNc+F2kcmj3Tx6RuRJyJuBOQsjen7" pPSxLfXj1XGHIBOvKpCZDpPs7XTeOnqc76HXAwf+RYkfeQ4dCDc32TQVhgESxONq8G+bJ/jx8tuXKnfwMlxRdiZuYnL0JUyeZEnCVZUT4cuSA3CE1x+dClp6mqQhAsLCwoh23c/Byxnmn44jTb1QQIDAQAB\;
What is the locator? What is the real "key" vs the "public key"? Note that my third-party DNS might eat some characters (like consecutive " " characters) but does not multi-split like the error samples. *edit* Using the tool at Check a DKIM Core Key, the key will always fail, claiming there is a "parsing error on line 415" on the key that cPanel gives on the respective account (on default):
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv+iBU2F/eHRvMVbFRzL1E74b/1VmjChWkpBEQu2ECVKjrdKESdY09bSFidDJwk4mAI6aCQuFusNTnXM/MChh/ZlKLbuga6PcVmRJrhTWfj429dFRIHdWXKc35Qt3N15zCn+Mj7ZTSWtYCl4IA2r7wkhCKjbkGhCo3YUMXRn5O+zyJ/dkJrFUx12GJWmT1Ls1s" xvth1PyZJHW0BWCPEaNdP9AaKD9poHlwBvHtjKN7/qxQAaDK0zP0ftB6aK1K+l6BmTOdPeF/3D7iQQZb2jZylONDoV/srQNRjUE7tjmZNbUtw6dByylmes6yJ8WeQG+JbxWIUmgcWuaW+QShs4C4QIDAQAB\;
and at the bottom it says "The p= field must be base64 encoded". This is after removing the " on the 1st word.
Hi Michael, is there a way to know if the key is 1024 bits or higher? Because cPanel now doesn't say anything about DKIM. It just says that everything is correct and enabled. My DNS server manager told me that they do not support keys higher than 1024. Also, it seems that the server is not generating valid DKIM keys. I have regenerated them again and again, and they are always invalid in the DKIM checker, with the same error: The p= field must be base64 encoded
Note that I have tried removing the spaces, the "s, the dashes, everything... and still errors.
I am having the exact same problem with my cPanel DKIM. I'm trying to add the TXT record into my DNSMADEEASY control panel, and it won't let me. I tried removing spaces, ", and no luck. Can anyone please help us out? I searched everywhere and no one knows the answer. I was able to create a 1024-bit key and it worked, but cPanel defaults to 2048-bit.
Seems many third-party name servers do not support the 2048-bit keys. My provider also says that 1024-bit keys are the most they can handle right now. And they have "no idea" how to split the 2048-bit key correctly... yet. Wishing they could let you change to 1024-bit keys in cPanel using a toggle or something.
Hi all, you can split it in several ways. This is what I get from cPanel:
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ZAFu8bFt2PqrDQH4WhjwatQDYPSjSLMaIbqEK6RQGW61m0dZOIupyMym3VxPyGcP7yJhtW/flMRmkNWbLVpmI2M9fzkB951zbPAeuAdhUM8sRIUqQgz9FzCqtXVTgcnrdS4mfZub+KjOxwcErvTgQ80L9mOZsZs6Gvnt629Lb3ar4zsBu5ciToULF6HrWDpA" Uk/GH1TE5ERPEwj7sHMQeLunvsMJi9i4JDkZlGBzbq7YQpbiWl5sNJ5XJqVZYuro+flsTKqBzaK0ssyD4wvHiD4zRmztp3FDGq2upS/qjBxFMWdtPuPRRbUS/Kphiq083HIvcZkOIYejboZ5eUw2wIDAQAB\;
and this is how it looks when I paste it into the DNS zone:
default._domainkey.example.sk. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ZAFu8bFt2PqrDQH4WhjwatQDYPSjSLMaIbqEK6RQGW61m0dZOIupyMym3VxPyGcP7yJhtW/flMRmkNWbLVpmI2M9fzkB951zbPAeuAdhUM8sRIUqQgz9FzCqtXVTgcnrdS4mfZub+KjOxwcErvTgQ80L9mOZsZs6Gvnt629Lb3ar4zsBu5ciToULF6HrWDpA" "Uk/GH1TE5ERPEwj7sHMQeLunvsMJi9i4JDkZlGBzbq7YQpbiWl5sNJ5XJqVZYuro+flsTKqBzaK0ssyD4wvHiD4zRmztp3FDGq2upS/qjBxFMWdtPuPRRbUS/Kphiq083HIvcZkOIYejboZ5eUw2wIDAQAB"
--beware, I have added double quotes and removed the last semicolon. Beware, if you use Webmin to edit your entries, be sure to edit the zone file and not the Text records, because it will show you only the first part of the DKIM key. If you do it correctly, this tool at Tools - mail-tester.com shows you the correct key length, e.g. 2048 bits.
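An added example (not cPanel's code and not from any poster) that does what the post above describes and also answers the earlier question of how to tell a 1024-bit key from a 2048-bit one: it joins the quoted strings of the record the way a DKIM verifier does, re-splits the result into 255-byte strings for a zone file, and reads the RSA modulus size out of the p= value by walking the DER it contains. The sample input is the cPanel record printed in the post above; no network access is needed.

```python
import base64

MAX_STRING = 255  # RFC 1035 <character-string> limit: one quoted string each

# The record as cPanel printed it in the post above: the p= value is already
# cut into a 255-byte first string, hence the stray '"' and the trailing '\;'.
CPANEL_RAW = (
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC'
    'AQEA2ZAFu8bFt2PqrDQH4WhjwatQDYPSjSLMaIbqEK6RQGW61m0dZOIupyMym3VxPyGcP7'
    'yJhtW/flMRmkNWbLVpmI2M9fzkB951zbPAeuAdhUM8sRIUqQgz9FzCqtXVTgcnrdS4mfZu'
    'b+KjOxwcErvTgQ80L9mOZsZs6Gvnt629Lb3ar4zsBu5ciToULF6HrWDpA" '
    'Uk/GH1TE5ERPEwj7sHMQeLunvsMJi9i4JDkZlGBzbq7YQpbiWl5sNJ5XJqVZYuro+flsTK'
    'qBzaK0ssyD4wvHiD4zRmztp3FDGq2upS/qjBxFMWdtPuPRRbUS/Kphiq083HIvcZkOIYej'
    'boZ5eUw2wIDAQAB\\;'
)

def parse_dkim_txt(raw: str) -> dict:
    """Join the quoted strings (as a verifier does) and split into tag=value pairs.
    Whitespace inside a value is folding whitespace and is dropped (RFC 6376),
    so the space cPanel leaves at the split point is harmless once joined."""
    joined = raw.strip().rstrip(";").rstrip("\\").replace('"', "")
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def dns_strings(tags: dict) -> list:
    """Render the record as zone-file strings of at most 255 bytes each."""
    text = "; ".join(f"{k}={v}" for k, v in tags.items())
    return [text[i:i + MAX_STRING] for i in range(0, len(text), MAX_STRING)]

def rsa_bits(p_b64: str) -> int:
    """Modulus size of the RSA key in p= (a DER SubjectPublicKeyInfo).
    Raises binascii.Error when p= is not base64, which is what the DKIM Core
    checker in the thread reports as 'The p= field must be base64 encoded'."""
    der = base64.b64decode(p_b64, validate=True)

    def tlv(buf, pos):  # minimal DER reader -> (tag, value, next position)
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length
    _, spki, _ = tlv(der, 0)      # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = tlv(spki, 0)      # AlgorithmIdentifier (rsaEncryption), skipped
    _, bits, _ = tlv(spki, pos)   # BIT STRING; bits[0] is the unused-bit count
    _, rsa, _ = tlv(bits[1:], 0)  # RSAPublicKey SEQUENCE
    _, modulus, _ = tlv(rsa, 0)   # INTEGER n; a leading 0x00 pad is harmless
    return int.from_bytes(modulus, "big").bit_length()

if __name__ == "__main__":
    tags = parse_dkim_txt(CPANEL_RAW)
    print(rsa_bits(tags["p"]), "bit key;", [len(s) for s in dns_strings(tags)])
```

Feeding `rsa_bits` only the first quoted string, which is all a panel that stores a single 255-byte string keeps, raises `binascii.Error`: that is the "p= field must be base64 encoded" symptom reported earlier in the thread.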
So... the semicolon needs to be removed?
Still having problems... Peer1, which is handled by COHEN, pretty much gave no time nor any interest in changing their DNS infrastructure to support 2048-bit keys. My emails are being bounced because of the invalid, malformed 2048-bit key. Is there a way to switch to 1024-bit keys? Everywhere I try to search, it brings me back to older threads from 2014 about "updating" to 1024 and 2048, and not the opposite.
Have you tried splitting up the keys as documented in the earlier post, "Dkim error reported, generated the key twice.. still wrong"? Thank you.
I did try using the example; it didn't work. I'm still unsure if I need to add the semicolon.
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
Hi Michael, I already did; they told me to talk with my ISP... who in turn gave me the finger. In short, my hosting provider does not support the 2048-bit default-sized keys. They refuse to give an ETA or even say whether they are going to upgrade some day to 2048 or higher (they only accept 1028 keys). Just to say, I'm very disappointed at what Peer1 has turned into after being bought by COGECO/COGENT.