
Is DKIM possible if I'm not running DNS locally?


  • cPanelMichael
    Please note that I have tried copy/pasting the whole lot into my TXT record but Namecheap cuts it off at the bolded character. I have no idea why it does though :/

    Hi Matt, this is actually a known issue when attempting to add a DKIM TXT record generated through cPanel via NameCheap's DNS record editor. There's a thread on this topic that should help at: Generate 1024-bit DKIM keys. Thanks!
  • ItsMattSon
    Thank you so much! That explains everything :) As you mentioned in that thread, you said cPanel updates overwrite the DKIM.pm file (understandably) but if I edit and generate a key does that key get overwritten also? Or on a cycle? (happy to manually update my DKIM keys periodically)
  • ItsMattSon
    Disregard that last message as I used this post from that thread instead of the original poster's advice and I'm confident it has achieved what I needed :) But my query still stands around overwrites of keys; Do the keys at /var/cpanel/domain_keys/private/domain.tld get overwritten with each cPanel update, or periodically rotated by cPanel for security reasons? Just need to know if I have to keep up with those.
  • cPanelMichael
    But my query still stands around overwrites of keys; Do the keys at /var/cpanel/domain_keys/private/domain.tld get overwritten with each cPanel update, or periodically rotated by cPanel for security reasons? Just need to know if I have to keep up with those.

    The keys within the /var/cpanel/domain_keys/private/ directory are only overwritten if you disable and then re-enable DKIM on the cPanel account. They are otherwise left in their original state. Thank you.
  • ItsMattSon
    Fantastic. That's what I wanted to hear ^_^ Interestingly, I think part 2 of my issue is that my emails (sent from RoundCube webmail) don't appear to be "signed" so they don't pass DKIM tests on mail-tester.com, verifier.port25.com or dkimvalidator.com. There definitely doesn't appear to be a DKIM-Signature header in the mail I send anyway. Is there a way to determine whether they are being signed other than when sent to one of those sites? And additionally is there a way to determine whether the signature is valid? According to cPanel, under Email > Authentication, the status of DKIM is "Status: Enabled Active (DNS Check Passed)". Worth keeping in mind also is that emails from the server (such as cron emails or notifications from csf/lfd) also have no DKIM-Signature header if that helps. Any ideas where to start?
  • cPanelMichael
    Interestingly, I think part 2 of my issue is that my emails (sent from RoundCube webmail) don't appear to be "signed" so they don't pass DKIM tests on mail-tester.com, verifier.port25.com or dkimvalidator.com. There definitely doesn't appear to be a DKIM-Signature header in the mail I send anyway.

    Is your email routed through a smart host, or an email relay server (providers such as GoDaddy often do this)? You may also find a utility like this helpful when attempting to verify a DKIM record: DKIM Core Tools. Thank you.
  • ItsMattSon
    Ah yes, the old "being with GoDaddy" being the probable cause haha. You're right actually, I am, and you appear to be spot-on about it being why, as I found another thread on here (OP was with GoDaddy) which helped me find where to look. Thanks to your mentioning of the relay/smart host which GoDaddy does indeed use. I had to go into WHM > Exim Configuration Manager > Advanced Editor and I modified the ROUTERSTART section from remote_smtp to dkim_remote_smtp, as follows:

        send_to_smart_host:
          driver = manualroute
          route_list = !+local_domains dedrelay.secureserver.net
          transport = dkim_remote_smtp

    Note: I didn't add dedrelay.secureserver.net but it looks to be accurate, as per this knowledge article. So after changing the transport, my emails are now signed. They don't validate though, unfortunately. I'm still working on that part. Any ideas welcome! Bearing in mind that my private key in /var/cpanel/domain_keys/private/domain.tld is a 1024-bit key now (since NameCheap doesn't allow the default cPanel 2048-bit key).

    DKIM Information:

    DKIM Signature
    Message contains this DKIM Signature:

        DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
          d=domain.tld; s=default;
          h=Message-ID:Subject:To:From:Date:
          Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:
          Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
          Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
          List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
          bh=9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=;
          b=BvPOS+Ce3/hTdL3tjQ6e/b9lQ
          KB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ
          NkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=;

    Signature Information:

        v=  Version: 1
        a=  Algorithm: rsa-sha256
        c=  Method: relaxed/relaxed
        d=  Domain: domain.tld
        s=  Selector: default
        q=  Protocol: dns/txt
        bh= 9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=
        h=  Signed Headers: Message-ID:Subject:To:From:Date:
            Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc:
            Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
            Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
            List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
        b=  Data: BvPOS+Ce3/hTdL3tjQ6e/b9lQ
            KB1eCK5RZXRIK1p+zSc0OqkfyHkSP9aUQptorGLT36r146b7C0sfUnQtlyE8Lr+/7GqHstdCOgpxJ
            NkPuOf6ZUkK4Po0t9IL8tZsiZ83RWpITdgfKApTw1upbviVVXJQ0QiuCZ2bBoTK89/ldU=

    Public Key DNS Lookup
    Building DNS Query for default._domainkey.domain.tld
    Retrieved this publickey from DNS: (nothing returned)

    Validating Signature
    result = invalid
    Details: public key: not available

    Thanks very much in advance!
  • ItsMattSon
    So after changing the transport, my emails are now signed. They don't validate though, unfortunately. I'm still working on that part. result = invalid Details: public key: not available

    Sorted! Thanks very much @cPanelMichael - very helpful as always :) In the past, for troubleshooting, I set my TXT record to default._domainkey.domain.tld which obviously isn't what it looks for. I removed the domain.tld so it's just default._domainkey as the host in the record and now the DKIM shows as pass.
    Public Key DNS Lookup
    Building DNS Query for default._domainkey.domain.tld
    Retrieved this publickey from DNS:

        v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRPHwLRb6jdxSFbTMWX8UsNH8CM4yrB0p5A3YH4qNLh79TmLhnUdc6Glnh6Mb3Xyj/5/VFBUexmObObPV9CshvtmTskTrlQX0/f6NxGvc700wj0vLtIrecuNesHrvdM9JEe5dkx3SfkKt8eIbbyP+LegKypeOxbjJefDhD0oEBtQIDAQAB

    Validating Signature
    result = pass
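The two failures in this thread (a record published at the wrong name because the zone editor appends the zone to whatever is typed into the Host field, and a key that had to be shrunk to 1024 bits before NameCheap would accept the TXT value) can both be checked offline before sending any test mail. The script below is an added example written for this page; it is not code from the thread, from cPanel or from any DKIM library. It derives the lookup name a verifier uses from the d= and s= tags of the posted DKIM-Signature (the h= and b= values are shortened, so the header here is a constructed sample), resolves that name against two constructed zone dictionaries standing in for DNS, and, when the record is found, decodes the p= value from the thread with a minimal hand-written DER reader to report the RSA modulus size and exponent. The txt_strings helper and the 255-octet split are my own addition: TXT RDATA is carried as character-strings of at most 255 octets, and a 2048-bit key's p= alone is 392 base64 characters, which I take to be why the editor truncated it; the thread itself does not say so.

```python
import base64

# Constructed sample (not verbatim from the thread): the tags of the DKIM-Signature
# Matt posted, with h= and b= shortened. Only d= and s= matter for the DNS lookup.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain.tld; s=default; "
    "h=Message-ID:Subject:To:From:Date; bh=9uhIFeBrS6ZyOuZeWQ8dcB3HjqIMY/dl0QF4u1Xj2Nc=; "
    "b=BvPOS+Ce3/hTdL3tjQ6e"
)

# The TXT value the validator retrieved once the record was published at the right
# name (quoted from the thread; it carries a 1024-bit RSA key).
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRPHwLRb6jdxSFbTMWX8UsNH8CM4yrB0p5A3YH4qNLh79TmLhnUdc6Glnh6Mb3Xyj/5/VFBUexmObObPV9CshvtmTskTrlQX0/f6NxGvc700wj0vLtIrecuNesHrvdM9JEe5dkx3SfkKt8eIbbyP+LegKypeOxbjJefDhD0oEBtQIDAQAB"

ZONE = "domain.tld"


def parse_tags(value):
    """Parse a DKIM tag-list ('k=v; k=v') into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = "".join(val.split())
    return tags


def lookup_name(signature_header):
    """The name a verifier queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def zone_editor_fqdn(host_field, zone):
    """Hosted zone editors treat the Host field as relative to the zone, so a fully
    qualified name typed there is published with the zone appended a second time."""
    return f"{host_field}.{zone}"


def txt_strings(value, limit=255):
    """Split a TXT value into the <=255-octet character-strings that RDATA requires."""
    data = value.encode()
    return [data[i:i + limit].decode() for i in range(0, len(data), limit)]


def der_read(buf, pos):
    """Minimal DER TLV reader: returns (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(p_tag):
    """Return (modulus_bits, exponent) from the base64 SubjectPublicKeyInfo in p=.
    Only the RSA SPKI layout is handled, which is all a k=rsa record may carry."""
    spki = base64.b64decode(p_tag)
    tag, body, _ = der_read(spki, 0)                   # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _algid, pos = der_read(body, 0)                 # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = der_read(body, pos)               # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsapub, _ = der_read(bitstr, 1)                 # RSAPublicKey SEQUENCE
    tag_n, n_bytes, pos = der_read(rsapub, 0)          # INTEGER modulus
    tag_e, e_bytes, _ = der_read(rsapub, pos)          # INTEGER publicExponent
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def check_record(zone, signature_header):
    """Resolve the selector against a constructed zone (dict of FQDN -> TXT value)
    and report what a verifier would see."""
    name = lookup_name(signature_header)
    txt = zone.get(name)
    if txt is None:
        return {"name": name, "found": False}          # 'public key: not available'
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return {"name": name, "found": True, "usable": False}
    bits, exponent = rsa_key_params(tags["p"])
    return {"name": name, "found": True, "usable": True, "bits": bits, "exponent": exponent}


# Two constructed zones: Host field entered as an FQDN (what Matt had at first)
# versus the relative name 'default._domainkey' (the fix).
WRONG_ZONE = {zone_editor_fqdn("default._domainkey.domain.tld", ZONE): SAMPLE_TXT}
RIGHT_ZONE = {zone_editor_fqdn("default._domainkey", ZONE): SAMPLE_TXT}

if __name__ == "__main__":
    print(check_record(WRONG_ZONE, SAMPLE_SIGNATURE))
    print(check_record(RIGHT_ZONE, SAMPLE_SIGNATURE))
    print(len(txt_strings(SAMPLE_TXT)), "TXT string(s) needed for the 1024-bit record")
```

Against live DNS the same check is `dig TXT default._domainkey.domain.tld`: the answer should be a single v=DKIM1 record whose p= decodes to the public half of /var/cpanel/domain_keys/private/domain.tld, and an empty answer at that exact name is the "public key: not available" result seen above. Because the record is an unauthenticated TXT lookup, anyone who can edit the zone can swap in their own key, so the zone editor's credentials deserve the same protection as the private key file.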
  • cPanelMichael
    In the past, for troubleshooting, I set my TXT record to default._domainkey.domain.tld which obviously isn't what it looks for. I removed the domain.tld so it's just default._domainkey as the host in the record and now the DKIM shows as pass.

    Hi Matt, I'm happy to see it's all sorted! Thanks for sharing the solution.
