We reject emails due DKIM selector different of "default"
Hello.
Is cPanel capable to verify DKIM selector different than "default" on incoming emails?
My server is rejecting emails due DKIM is published on another record different than "default", but headers of the email seems fine using "s=" to give us the selector to verify DKIM.
The headers are the following:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[DOMAIN.COM];
s=selector1;
So the email have the DKIM signature on selector1._domainkey, and it's right and well configured.
But we are rejecting this email having DKIM correctly configured because the selector is not default._domainkey, even s= parameter telling what selector we need to use.
Is a cPanel bug? Is there a configuration to allow this DKIM signatures?
I really appreciate your help.
Regards
-
I've not had this problem myself - I have a domain name with a selector of "google" (for Google Suite/Workspace email accounts) and a test email sent to my cPanel was received without problems....
However, I don't believe the default setup of Exim on cPanel does any filtering based on the DKIM settings. Can you see if there is a "acl_smtp_dkim" ACL setting in your exim configuration (added: even turning on "Reject DKIM failures" under Exim Configuration Manager > Basic Editor > ACL Options and sending from the Google account worked)
I would suggest checking the domain's DKIM record via services such as https://powerdmarc.com/dkim-record-lookup/ https://mxtoolbox.com/dkim.aspx or https://easydmarc.com/tools/dkim-lookup to confirm the remote domain actually has their DKIM records setup correctly...
[edit 2:]
To check things, it might be worth adding under Exim Configuration Manager->Advanced Editor under the log_selector section, "+dkim_verbose" (mine now reads "+all_parents +arguments +dkim_verbose +incoming_port +received_recipients +retry_defer +smtp_connection +subject"), then when an email comes in /var/log/exim_mainlog will show something like:
2024-06-14 15:06:19 1sI8VP-123450AFbb-1q4Y DKIM: d=example.com s=google c=relaxed/relaxed a=rsa-sha256 b=1024 t=1718377578 x=1718982378 [verification succeeded]
1 -
Thank you for answer.
I have setting ON the following exim configs:
- Allow DKIM verification for incoming messages
- Reject DKIM failures
I checked the domain with mxtoolbox and they have DKIM perfectly configured on "selector1". It's a Microsoft Office 365 email, in fact, customized with their own domain. DKIM fails on verify because "default" is empty, but s=selector1 tells that DKIM is in "selector1" so I don't know why my server is rejecting emails from this domain due DKIM failure.
It's an strange problem, really.
I will try the verbose on log, as you suggested, but it's difficult that client will contact us again to test it.
Thank you so much and regards.
0 -
No more clues on this topic?
0 -
cPanel itself doesn't support custom domainkey selectors:
https://support.cpanel.net/hc/en-us/articles/4402780648983-Does-cPanel-support-custom-DKIM-selectors
While it may be possible to use them, it would require manual configuration as outlined in that article.
0 -
cPRex is that for sending? I need it for receiving emails. I send with default selector, but I need to check DKIM of receiving emails with custom selector. It's annoying that well-configured email providers can't send emails to us.
0 -
Could you post the full Exim log, with the personal information redacted, so I can see how that is being processed on your system? I wouldn't expect the same restriction to happen on incoming emails, but I haven't personally looked into that.
0
Please sign in to leave a comment.
Comments
6 comments