How to Enter DKIM record into DNS Zone

sukrub

Hi:

I have a rather simple question that I could not find an answer to.

I am trying to enter DKIM into DNS zone for the domain myTestDomain.com

I have a dedicated server hosting about 20 domains.

I have my DNS zone in goDaddy and Current DNS for myTestDomain is
@ aaa.bbb.ccc.ddd
mail aaa.bbb.ccc.ddd

GoDaddy claims they have not heard of DKIM, therefore they do not support it.

My hosting company says
"I can support the systems offered here but not really advise on godaddy's support or abilities.

Have you considered using name servers on the cpanel server here as they do all this and manage it for you? I can also provide support for these."

I would like to keep things not changed, or change them one at a time (I have just switched hosting company). So I would like to create a TXT record in goDaddy DNS zone with the cPanel supplied DKIM key.

I have the following raw DKIM ( edited ) in cPanel under Email Authentication for myTestDomain.com

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgPTREEAva4y0+jFeeSZXZqrcdDjU+BZGF5nyT6RZVnU6rkFv+SHt0pnNHPoTUbmNp8LGsWEMQgfYpLoro/iZ9BvyoBC3hPj9/7yhiHd85EJqbU0rbNV/netPPT1MRzY83wMS0cPnMBdh1J1e26yXgJ2B6ccyOj+DUrSbM35lko8EOG6sLXXsGJZMfRV2MLGzuncE9Sq7" i4Io61wnkPYVd6mDeyWy/7hn9+l3jY62iwRBLdhjfjj3csbdOSqqyYN3Arg1Ad7+EGbEf7Qv4E5SLWdxINa0zELJzxrTOPJ8ZZG7cUMh5TYJb1TXvLnCDcGEnqJsLXf56dCST5mNlni9EtEj5PAMwIDAQAB\;

In GoDaddy, under Add TXT Record, what do I enter EXACTLY for the following 2 fields?

HOST:

TXT Value:
 

cPanelMichael

Administrator
Staff member
Hello :)

For "host", enter:

default._domainkey

The TXT value is the actual record, including the quotes, depending on how your specific DNS provider handles the entries.

Thank you.
 

Kevin Andrews

And therein lies the rub . . .

I also have been trying to deal with GoDaddy, and they seriously said they don't know what DKIM is. The first person I talked to on chat told me that I should put @ as the host. Which I knew was wrong, but she insisted. I gave up and tried phoning. That person was more helpful but he also had never heard of it. "What is it? DKI? What is it? Are you trying to register a domain name?"

He finally checked with someone else and found out what it is, but he couldn't tell me the answer to this question. He said, "That's a custom DNS so we can't help you with that." My hosting provider similarly pointed at GoDaddy and said I'd have to ask them.

The problem is that the format in which cPanel provides the DKIM record is not the same as GoDaddy. There are no quotes around it in GoDaddy, and it doesn't have a trailing ;/. So, simple, right? Just remove those. But it is more complicated than that. My cPanel-generated DKIM actually had two lines. There was a quote at the beginning, and at the end of the first line, right in the middle of the record. On some. But not all.

Anyway, I tried all the various permutations that occurred to me to use, with quotes, without quotes, with trailing slash, etc. And of course, each time, waiting from 10 minutes to several hours for DNS propagation each time. But I haven't made any progress at all.

I'd sure like to find an answer to this question. And also to suggest that since cPanel is so widely used and GoDaddy is also a major provider being used by so many, that perhaps GoDaddy and cPanel can arrange a meeting of the minds and come up with an instructable on how to enter cPanel DKIM records into GoDaddy DNS. :)
 

Kevin Andrews

I submitted a ticket to cPanel support after spending hours working with a host of experts, each of whom offered conflicting and sometimes painfully ignorant solutions, none of which worked. Having spent an entire day working on it, I submitted the ticket and went to bed.

When I woke in the morning, I found a response from cPanel in which the problem was clearly identified and solved.

"Basically, when a TXT record is longer than 254 characters, it is split. This should be appropriately split into two separate strings, which would then be combined in the record itself." (from the cPanel response)

Based on this revelation, I resolved my problem by copying the cPanel DKIM record into a simple text editor with word wrap turned off, then removed all quotes from the record and removed all spaces and line breaks from the "p=" portion of the record, along with the trailing /; so that the record was one long string, and pasted the record into GoDaddy. After saving and waiting 10 minutes, test emails were passing DKIM.

Note that GoDaddy has their own way of doing this. Specifically, they do not want to see quotes included in the record. If your DNS is with GoDaddy, this should work for you. If with someone else, you may need to adjust accordingly.
 

cPanelMichael

Administrator
Staff member
Hello Kevin :)

Thank you for taking the time to not only report this issue on our forums, but for also updating this thread with the outcome after finding a solution via a support ticket. We find great value in this type of feedback because it helps us to improve our documentation, and create solutions that will improve the user experience. We now have an internal case open with our documentation team to come up with the best way to advise users on how to configure their DKIM records on specific providers, similar to how we do so for name servers on this document:

How to Set Up Nameservers in a cPanel & WHM Environment - cPanel Knowledge Base - cPanel Documentation

I'll update this thread with more information when this document is released.

Thank you.
 

Solokron

We are seeing the same issue with a client with cpanel generating the following and DNSMadeEasy not accepting because it is producing a total of 441 characters for the text area.
 

Zoop

Hey, I just wanted to add, most providers and services refer to http://dkimcore.org/tools/ for validating the key, and about 7 out of 10 keys that cPanel generated for me did not validate through this tool (this is my workflow now: first check it with that site, and then modify the key until it does validate before using it).
 

havok89

Solokron said: "We are seeing the same issue with a client with cpanel generating the following and DNSMadeEasy not accepting because it is producing a total of 441 characters for the text area."

I am being given a total of 441 characters too and Fasthosts just won't accept it.
When contacting their support I'm just being told to get a shorter DKIM key, which doesn't seem possible.
 

Chris Strzelczyk

havok89 said: "I am being given a total of 441 characters too and Fasthosts just won't accept it. When contacting their support I'm just being told to get a shorter DKIM key, which doesn't seem possible."

This is a case of standards pushing providers and the providers sadly have not caught up yet. I spoke with DNSMADEEASY and they state that you can add the value in two parts.

"part one" "part two"

They haven't made this trivial nor is it documented anywhere. I haven't tried this yet, but I'm going to give it a whirl later tonight. I suspect that part one needs to be 254 chars max. cPanel currently does the splitting for you, but it does not add the correct amount of double quotes.

QUESTION:
What if we wanted to go to a 1024 bit key length? Is that possible? Could we run openssl genrsa..... and replace the files in /var/cpanel/domain_keys/[private|public] with the new values? OR do the keys get entered into some database table as well?

I think Google Gmail still supports 1024 bit keys and up. So this may work as a short term solution for customers dealing with DNS providers that have not caught up to the standards.

Cheers,
-cs
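
Added example (not part of any post in this thread, and not cPanel or provider code): the cleanup Kevin Andrews describes above and the "part one" "part two" form Chris Strzelczyk mentions, written in Python. The function names are hypothetical, the key is a constructed stand-in rather than a real one, and the 255-octet limit per string is the RFC 1035 character-string maximum.

```python
import base64
import re

TXT_STRING_MAX = 255  # RFC 1035: one TXT character-string holds at most 255 octets

def normalize_dkim(raw):
    """Turn a cPanel-style raw line into (host, value) with one unquoted value."""
    host, rest = re.split(r"\s+(?:\d+\s+)?IN\s+TXT\s+", raw.strip(), maxsplit=1)
    rest = rest.replace("\\;", ";").replace('"', "")  # zone-file escaping and quotes
    tags = {}
    for part in rest.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop spaces and line breaks
    der = base64.b64decode(tags["p"], validate=True)  # raises if the key got mangled
    if der[:1] != b"\x30":
        raise ValueError("p= does not decode to an ASN.1 SEQUENCE")
    return host, "; ".join(f"{k}={v}" for k, v in tags.items())

def split_txt(value, limit=TXT_STRING_MAX):
    """Cut the value into strings no longer than limit (ASCII, so chars == octets)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def quoted_strings(value, limit=TXT_STRING_MAX):
    """Render the '"part one" "part two"' form for providers that take split strings."""
    return " ".join(f'"{chunk}"' for chunk in split_txt(value, limit))

# Constructed stand-in, NOT a real key: 294 bytes that only start like an RSA SPKI.
FAKE_DER = bytes.fromhex("30820122") + bytes(range(256)) + bytes(34)
SAMPLE_B64 = base64.b64encode(FAKE_DER).decode()
# Constructed raw line in the shape quoted in this thread: quote mid-key, trailing \;
SAMPLE_RAW = ('default._domainkey IN TXT "v=DKIM1; k=rsa; p=' + SAMPLE_B64[:230]
              + '" ' + SAMPLE_B64[230:] + "\\;")

if __name__ == "__main__":
    host, value = normalize_dkim(SAMPLE_RAW)
    print("HOST:", host)
    print("single string (%d chars):" % len(value), value)
    print("split strings:", quoted_strings(value))
```

Which of the two forms a given DNS provider accepts is provider-specific, as the posts above describe; the check inside normalize_dkim only confirms that the p= value is still valid base64 after the cleanup.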
 

cPanelMichael

Administrator
Staff member
Hello :)

We are in the initial stages of communicating with the remote DNS providers referenced on this thread in order to come up with a solution that makes it easier for users to directly copy and paste the DKIM record generated in cPanel to the interface provided by their remote DNS provider. I'll update this thread with more information as it becomes available.

Thank you.
 

BottNet

Hello...Same issue with Enom. Even right on their page it reads "NOTE: Due to the limitation of our Host Records maximum length, we only support up to 1024 bit DomainKeys."

Support for DKIM or DomainKeys on our DNS

THIS 100% is very bad that we are now forced to use the new key vs 1024. This has totally messed us up at this time and we have NO RESOLVE for it. How can CP not be all over this very widespread issue that is affecting SO MANY people? Give us back 1024 or give us the option to select what to use.

This is very poor to say the least.
 

BottNet

BTW...Even [email protected]25.com checker says the key is not right...

Result: permerror (invalid key: error reading public key:
139679786096384:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
long
:asn1_lib.c:142:;139679786096384:error:0D068066:asn1 encoding
routines:ASN1_CHECK_TLEN:bad object
header:tasn_dec.c:1306:;139679786096384:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_PUBKEY;)
 
Deleted member 661191

Hi,

I contacted Namecheap by support ticket because I purchased PremiumDNS from Namecheap.com; they don't support 2048 bits for the DKIM TXT record, only 1024 bits.

Is there an online tool for 1024 bits? I tried contacting OVH, but they do not provide support for things like the control panel, only for server and hardware issues. OVH suggested I search Google, and I found nothing on the best option for 1024 bits. I'm using CentOS 7 64-bit with root administrator access.


Thanks, Brendan Wheesk
PS: My English is not good, in case this is not clear or hard to understand.
 

cPanelMichael

Administrator
Staff member
BottNet said: "Hello...Same issue with Enom. Even right on their page it reads "NOTE: Due to the limitation of our Host Records maximum length, we only support up to 1024 bit DomainKeys.""

Hello,

A user has submitted a manual workaround on the following thread that you may find helpful:

Generate 1024-bit DKIM keys

We are still in the process of communicating with these providers to support the DKIM entry as we present it in cPanel. I'll update this thread with more information as it becomes available.

Thank you.
 

cPRex

Jurassic Moderator
Staff member
@feta - on my personal system, the domain key is split like this:

Code:
default._domainkey      14400   IN      TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BXXXXXXXXXXXXXXXXXXAt6BVINLKyWvDpVA2r8dmjqiMdISgm22ElExeditX57ilawGE9x1dNMM9k6qiKATkStakoM8edoUtqywj6PCnWE+Tq0cB1TIMuSKhKJqoiuMSKFjI9IJa4WGd4IotQHhCC3j208wwQa5gVG5Xu//z3QGvoTHfTpaAN3UER1UYBlz+KnFK/dG74TZz2pMVHa6mo" EBnBEDy8TZXuMoV/5osnt/zgWvIE3JS6QnAoUlfsxRMYnGv4FIKEA0XnAiLTLRgwVUdRag6njWpc1p1J6pMwoqlNGW+d4oj8B2eS4rIJyePHS3yJLX+vjjfoH9gT2rUtlFBWE/as+4D1NZCVRDqwQIDAQAB\;
so you should be seeing that format already. Do you not see that in your DNS zone file?