Generate 1024-bit DKIM keys

[Per Hlom]

MODERATOR NOTE: We've removed this post as there should no longer be issues with 2048 keys. If you're seeing an issue with that key length please let us know the specific issues you're running into so we can investigate that.

 

[cPanelMichael]

Hello,

I've moved this thread to our "Workarounds" forum. Keep in mind that cPanel updates will overwrite the /usr/local/cpanel/Cpanel/DKIM.pm file, so you may need to manually patch it after each update until a resolution is reached on the remote DNS provider's interface.

Thank you.

 

[BottNet]

Great work around! This REALLY still needs to be address in CP itself as A LOT of places do not accept anything over 1024 including ENom. CP should allow you to select the key type 1024 or 2048 before generation. IMHO

 

[Xavier Crespin]

I agree, this issue needs a permanent fix ASAP, OVH DNS service does not support 2048 bit keys either.

 

[letmein]

Although my external DNS servers accept 2048 bit keys perfectly, I noticed that Microsoft (live.com, hotmail.com, etc.) is unable and/or unwilling to verify 2048 bit keys (dkim=temperror), which forced me to lower the size of DKIM keys for domains that use online mail forms.

To avoid having to edit certain settings after updates, I use this method to create keys per domain:

1. in the user's home directory, generate a 1024 bit private and public key:
   

   # openssl genrsa -out private.key 1024
   # openssl rsa -in private.key -pubout -out public.key

2. backup your old key:
   

   # mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domaint.tld.old

3. move the newly generated private key to its proper location:
   

   # mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld

4. set ownership and permissions:
   

   # chown root:mail /var/cpanel/domain_keys/private/domain.tld
   # chmod 640 /var/cpanel/domain_keys/private/domain.tld

5. update your DNS record with the new public key that you will find in public.key:
   

   # cat public.key

Tested on CentOS 6.8 x86_64 with cPanel 60.0 (build 26).

 

[lapsutrix]

Hi letmein
Thank for that. following this, everything is ok now but when i do the email to gmail.com i see the error "DKIM: NEUTRAL with domain null"
I have tested with dkimcore.org/c/keycheck, it is ok

do you know where is the problem how can i check on it?

thanks

 

[letmein]

I have tested with dkimcore.org/c/keycheck, it is ok

I wouldn't rely on just one test. You can verify your settings with multiple parties like dkimvalidator.com and mail-tester.com. Enabling and keeping an eye on DMARC-reports may also provide more insight.

Based on the single error (generated by which party? Google? what do other receiving parties say?) you posted, my guess would be that your SMTP does not sign your outgoing mails correctly or does not sign them at all.

 

[Loneweaver]

Around line 24, set the key size to 24:

@cPanelMichael Is this a typo? Is it 1024 or 24?

 

[cPanelMichael]

Hello,

Yes, it looks like a typo by the original poster. That should show "1024".

Thank you.

 

[KaiserTom]

Thank you @letmein this has solved a problem we've been having for some time now.

Although my external DNS servers accept 2048 bit keys perfectly, I noticed that Microsoft (live.com, hotmail.com, etc.) is unable and/or unwilling to verify 2048 bit keys (dkim=temperror), which forced me to lower the size of DKIM keys for domains that use online mail forms.

To avoid having to edit certain settings after updates, I use this method to create keys per domain:

1. in the user's home directory, generate a 1024 bit private and public key:
   

   # openssl genrsa -out private.key 1024
   # openssl rsa -in private.key -pubout -out public.key

2. backup your old key:
   

   # mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domaint.tld.old

3. move the newly generated private key to its proper location:
   

   # mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld

4. set ownership and permissions:
   

   # chown root:mail /var/cpanel/domain_keys/private/domain.tld
   # chmod 640 /var/cpanel/domain_keys/private/domain.tld

5. update your DNS record with the new public key that you will find in public.key:
   

   # cat public.key

Tested on CentOS 6.8 x86_64 with cPanel 60.0 (build 26).

 

[cPanelFelipe]

Just to float an idea, do eNom et al. handle ed25519 keys in DKIM?

There is no standard for ECDSA keys in DKIM, but ed25519 would provide key sizes that easily fit within a DNS character-string, which I assume is the problem with 2,048-bit RSA in DKIM.

 

[Gabriele Lo Surdo]

I solved my issues with hover.com (not supporting 2048-bit records) following a slightly modified version of the @letmein instructions.

Please find below the commands I used. Replace "user" and "domain.tld" with your username and your domain.

cd /home/user

openssl genrsa -out private.key 1024

openssl rsa -in private.key -pubout -out public.key

mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domain.tld.old

mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld

mv /var/cpanel/domain_keys/public/domain.tld /var/cpanel/domain_keys/public/domain.tld.old

mv /home/user/public.key /var/cpanel/domain_keys/public/domain.tld

chown root:mail /var/cpanel/domain_keys/private/domain.tld

chmod 640 /var/cpanel/domain_keys/private/domain.tld

After entering all these commands go to your Cpanel dashboard, click on "Email Deliverability", and then on the "Manage" button next to your domain name. There you can find the DKIM record details.

 

[siteturbo]

I solved my issues with hover.com (not supporting 2048-bit records) following a slightly modified version of the @letmein instructions.

Please find below the commands I used. Replace "user" and "domain.tld" with your username and your domain.

cd /home/user

openssl genrsa -out private.key 1024

openssl rsa -in private.key -pubout -out public.key

mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domain.tld.old

mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld

mv /var/cpanel/domain_keys/public/domain.tld /var/cpanel/domain_keys/public/domain.tld.old

mv /home/user/public.key /var/cpanel/domain_keys/public/domain.tld

chown root:mail /var/cpanel/domain_keys/private/domain.tld

chmod 640 /var/cpanel/domain_keys/private/domain.tld

After entering all these commands go to your Cpanel dashboard, click on "Email Deliverability", and then on the "Manage" button next to your domain name. There you can find the DKIM record details.

Worked perfectly. Thank you!!!