Trouble setting up DKIM
Hello,
I'm having some trouble setting up DKIM for outgoing e-mails. I have proxy subdomains disabled and I have manually created some subdomains. One of these subdomains is webmail.example.com. I have my hostname configured as franklin.example.com. Here's a snippet of my DNS record:
example.com. 14400 IN MX 0 webmail.example.com.
webmail 14400 IN A
webmail 14400 IN AAAA
franklin 14400 IN A
franklin 14400 IN AAAA
I can post the whole DNS zone if needed, but I think those are the important ones. I have a reverse DNS pointer record set up through my hosting provider, which I set to webmail.example.com. In cPanel, under E-Mail >> Authentication, I have DKIM enabled and SPF enabled. I've tried disabling both and re-enabling both, but for DKIM, the e-mail tester I'm using says the DKIM signature failed verification. I believe I've got something configured incorrectly here, but I'm not sure what. This is my raw SPF record:
v=spf1 +a +mx +ip4: +a:franklin.example.com +ip6: ~all
I believe the SPF record is correct. I'm not certain if I need franklin.example.com there, but I know my hostname sends me emails sometimes (CSF, upcp, etc), so I figured it was necessary. I don't know if this matters, but I use PowerDNS for my DNS server and have DNSSEC configured and enabled. This is what the e-mail tester I'm using says:
...
<~~ 221 ts4.checktls.com closing connection
SPF results: code="pass", local="example.com: is authorized to use 'user@example.com' in 'mfrom' identity (mechanism 'a' matched)"
DKIM verify: "fail (bad RSA signature)", signature="@example.com" result="fail (bad RSA signature)"
Any help would be greatly appreciated.
I believe I fixed the issue. I didn't realize I had to set the authoritative nameservers in WHM >> IP Functions >> Configure Remote Service IPs. I used nslookup -type=A example.com to get an IP address of some authoritative nameserver, then I ran nslookup -type=SOA to see that there's a ns1.linode.com, ns2.linode.com, ns3.linode.com, ns4.linode.com, ns5.linode.com. After that, I just ping'ed and ping6'ed them to get their IP addresses. I hope they don't change over time or anything. Afterwards, I went back to // email / test From: and tried the test again. This time, it shows that DKIM is set up properly. And cPanel didn't give the warning this time when I enabled DKIM.
Hello, I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.
Hello, I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.
If I hadn't tried disabling and reenabling DKIM, I would have totally forgotten about the message about the nameservers. Once I googled the message, I saw people that have similar trouble like me always seem to be in a similar situation, where they just never properly configured the IP addresses of the remote nameservers. Any way to get cPanel to link to a document that says that or to maybe include a help link that suggests the "fix" whenever someone is setting up DKIM / SPF but cPanel detects a non-authoritative nameserver? Also, I set up DMARC by creating a TXT DNS resource record like this: "v=DMARC1; p=quarantine; aspf=r; fo=1; rf=afrf; rua=postmaster@example.com; ruf=postmaster@example.com;"
I read up on DMARC here: HOWTO - Define a DMARC Record. It shows the various tags and values that I can use. My understanding is that with the p=quarantine field, e-mails that fail the DKIM / SPF will still go through, but be marked as SPAM, instead of getting rejected. The fo=1 means if either SPF or DKIM or both fail, quarantine them. fo=0 would mean both have to fail. The rf=afrf means to send the reports in the Abuse Report format, which is defined by RFC 5965. The reports get sent to postmaster@example.com. I couldn't find a place in cPanel / WHM to have the system configure DMARC automatically. Does cPanel not have an option for DMARC yet? Thanks!!!!
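A small linter for the DMARC record quoted in the post above, added here as an example (it is not part of the original thread and not cPanel code). It checks tag syntax offline against RFC 7489; the function names and the `WITH_URIS` variant are constructed for illustration.

```python
import re

# Tag values this linter understands (RFC 7489, section 6.3).
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}
FO_OPTIONS = {"0", "1", "d", "s"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a list of syntax problems; an empty list means none were found."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    for tag in ("aspf", "adkim"):
        if tag in tags and tags[tag].lower() not in ALIGNMENT:
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    # fo is a colon-separated list of failure-reporting options.
    for opt in tags.get("fo", "0").split(":"):
        if opt.strip().lower() not in FO_OPTIONS:
            problems.append(f"fo option {opt!r} is not one of 0, 1, d, s")
    # Report destinations are comma-separated URIs, not bare addresses.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.match(r"(?i)mailto:[^@\s]+@[^@\s]+$", uri):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    if "fo" in tags and "ruf" not in tags:
        problems.append("fo is ignored without a ruf destination")
    return problems

# The record quoted in the post, and a constructed variant with mailto: URIs.
POSTED = ("v=DMARC1; p=quarantine; aspf=r; fo=1; rf=afrf; "
          "rua=postmaster@example.com; ruf=postmaster@example.com;")
WITH_URIS = POSTED.replace("=postmaster@", "=mailto:postmaster@")

if __name__ == "__main__":
    for name, rec in (("posted", POSTED), ("with mailto:", WITH_URIS)):
        print(name, "->", lint_dmarc(rec) or "no problems found")
```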
Does cPanel not have an option for DMARC yet?
In your cPanel > Domains > Zone Editor, Manage, find the Add Record button, on its menu, select Add DMARC Record.
In your cPanel > Domains > Zone Editor, Manage, find the Add Record button, on its menu, select Add DMARC Record.
Thank you. I had already added it and got it working using the zone editor in WHM, but I decided to delete the resource record and do it the way you described. That's a nice interface! Most of the stuff I do is through WHM and not cPanel. I don't play around in there much. I figured it'd be in the WHM Zone Editor, but I guess it makes sense to keep it in cPanel, so other users who have cPanel accounts on your server can create their own DMARC records.