SOLVED Exim not adding DKIM on outgoing mail

[chris0147]

Hi all,

I need some help with DKIM. I have setup DKIM and spf in my DNS and when I send the email, it goes to inbox but the problem I have found that there is no DKIM have been in the header as only spf.

==========================================================
Summary of Results
==========================================================
SPF check: pass
"iprev" check: pass
DKIM check: none
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname: server.example.com
Source IP: 104.128.xxx.xx
mail-from: [email protected]

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: [email protected]



Do you know what I need to do to fix the issue?

Thanks in advance

 

[cPanelMichael]

Hello @chris0147,

Can you verify if the DNS for the affected domain is hosted on the cPanel & WHM server, or if it's hosted on a remote server? If it's hosted on a remote server, did you manually add in the DKIM TXT record? Also, what cPanel & WHM version is installed on this system?

Thank you.

 

[Martin Hinrichsen]

I had the same issue.. seems v78.0.17 turned off DKIM automatically for custom/shortened domain keys.
In my investigation, i noticed some new and improved DKIM management. If you used to do manual keys, of shorter length "1024bit"
For some compatibility with some DNS services, using console "openssl genrsa -out private.key 1024 or so" The key will not match c-panels auto generated key that you see in "Email Deliverability" thus disabling DKIM signing for that domain.

Go to the respective account('s) > EmailDeliverability . There you will se that the key failed. Update your DNS DKIM records with the key provided by c-panel(remember to remove the ; at the end of the key) and run the test again(When DNS has updated). You should now get a message in the likes of something like: c-panel has found 1 domain which had DKIM disabled, even though they was valid and that it is now enabled again.(Cant remember the exact notice)

I am not sure that shortened keys ca work with this new feature, so lets hope your provider has updated their DNS service to handle long keys. Namecheap was the one i used short keys for, and fortunately, they recently updated there max string length.

Unfortunately, I now have to go through a ton of domains, as well as respond to angry customers who got there mail bounced, as well as wait for servers to delist our ip.

Someone made a boo-boo

On the bright side, the new Email Deliverability manager is miles better than the old one.

 

[cPanelMichael]

Hello @Martin Hinrichsen,

Could you open a support ticket so we can take a closer look at your system and review the DNS zones for any domain names that you have yet to manually fix? This will help us to determine if an internal case is needed. You can post the ticket number here and I'll link this thread to it.

Thank you.

 

[Martin Hinrichsen]

Update:
The updated keys do not work, as the system is still using the old keys, it is just testing against a new key which is not active.
No way to force enable DKIM regardless of status.
System is not updating public keys in /var/cpanel/domain_keys/public/* & private/*

possible workaround could be to manually update the keys in /var/cpanel/domain_keys/public/* with the keys in /home/"account_name"/public.key

Support ticket opened: 11674391

 

[RalphOtowo]

Hi,

I have the same issue. After a cPanel/WHM update, emails no longer appear to include DKIM when being sent.

@Martin Hinrichsen, your response was very helpful. Have you managed to fix this?

 

[cPanelMichael]

Hello @RalphOtowo,

Did you manually create the DKIM keys for the domains on the affected system? Or, were these all DKIM keys generated directly through cPanel & WHM? If you created them manually, can you share the specific steps you took?

Thank you.

 

[Martin Hinrichsen]

Hi,

I have the same issue. After a cPanel/WHM update, emails no longer appear to include DKIM when being sent.

@Martin Hinrichsen, your response was very helpful. Have you managed to fix this?

Sorry for the late reply. Did not see a notice anywhere.. But yes, I fixed it by simply deleting all my keys in the /var/cpanel/domain_keys/public/ Using the deliverability manager to generate new keys, and updating all the domains DNS manually.

It was a bit of a pain, not to mention that I lost my mitigation with hotmail/outlook and I am now again in the painful process of getting de-listed by microsoft.

But the new system is way easier to go about.

 

[Fluxan]

Having the same issue after our system updated to v78.0.20. DKIM signatures missing from outgoing mail.

DKIM signatures and DMARC verification was working perfectly before the update 2 days ago (had previously been configured using Cpanel/WHM, no custom or manual mods). Just noticed the last 2 dmarc reports showed DKIM failures. After running test messages, none of our domains or client domains are adding DKIM Signatures to outgoing messages. The Deliverability panel claimed everything valid and properly configured. Everything is controlled by WHM/Cpanel.

I've now manually deleted the previous keys and regenerated them using the Email Deliverability manager. WHM/Cpanel manages the DNS and appears to have updated the txt records correctly, but still there are no DKIM Signatures being added to outgoing mail for any domains. Spf, ptr, and dmarc all are valid and working.

Not sure what else to try at this point. Is there a way to manually force the headers?

Thought I would chime in since this is a sudden and apparently non-isolated issue associated with the latest WHM 'LTS' update.

 

[Fluxan]

After further testing, exim.conf is not properly detecting the condition under dkim_lookuphost:

condition = "${perl{sender_domain_can_dkim_sign}}"

If this condition is manually commented out in exim.conf, everything gets signed and authenticated properly. The previous version did not use this condition, instead it verified that a key existed for the sender domain.

Not an ideal fix, but it at least patches things temporarily.

Final update for anyone having a similar issue, exim.pl.local was the culprit, patched it to include the new perl function and all is good now!

 

[cPanelMichael]

Hello @Fluxan,

The workaround you provided should not be required in order for DKIM to function properly. Can you open a support ticket so we can take a closer look at your system to see why it's not working when that workaround is disabled? You can post the ticket number here and we'll link this thread to it.

Thank you.