Message not signed with DKIM?

[GoWilkes]

I'm working on email deliverability using mail-tester.com. My recent test returned a -1 for:

Your message is not signed with DKIM

The thing is... it is! cPanel shows "DKIM" is properly configured for this domain (and I triple checked that I'm looking at the domain I used to send the email).

Is this an issue with mail-tester.com, or something not configured properly in my cPanel?

 

[GoWilkes]

I see that someone asked this in 2019, and @cPanelLauren asked:

Is DNS for your domain hosted on your server? The only way in which the DKIM TXT record added on the server will function is if DNS is hosted locally. If it is not hosted locally you will need to create the DKIM TXT record when DNS is hosted.

That OP never replied further, so there's no further information. But to answer this in advance... yes, my DNS is hosted on my server

 

[cPRex]

Hey hey,

Can you run this command on the system to verify that DNS zone is working well?

named-checkzone yourdomain.com /var/named/yourdomain.com.db

That will check the zone file itself to make sure there are no formatting issues or errors.

 

[GoWilkes]

Seems OK:

zone example.com/IN: loaded serial 2020122204
OK

I checked, and my old VPS throws this same error on all of the accounts, so it's not specific to this one domain or anything. I don't have anything weird running; ClamAV, rkhunter, and CSF are the only things that should have any impact.

 

[cPRex]

I just did a test with the mail-tester.com site from my personal server and it didn't give me any errors on the DKIM entries.

Another test would be to send a message to Gmail. If you click the "Show Original" option they are now showing a nice summary right at the top of the page that shows if the DKIM passes or not.

 

[GoWilkes]

Well, Gmail says SPF, DKIM, and DMARC all passed, so I'm not sure why mail-tester.com has a problem. It's only a -1, but it's always such a struggle to make sure that potential advertisers get my emails that that 1 point could make a difference!

 

[cPRex]

Personally, I'd be inclined to trust GMail, as I'm not sure exactly how mail-tester does their reports. Maybe you could contact them directly for more details?

 

[GoWilkes]

After some discussion with a cPanel tech, I'm 99% sure that this is an error with mail-tester.com. It looks like dmarcanalyzer.com verifies that it's valid, too, so I think it's OK.

Another tech showed concerned that the DNS settings are splitting the DKIM p value improperly (it's splitting the value, but leaving the " off of the second half of the string), but that seemed to be irreparable with WHM/cPanel. And I'm not sure that it really matters, since dmarcanalyzer verifies it anyway.

 

[MattGarner]

Seems to be happening here as well - Seems a bit of a strange one, I wonder what has changed with mail-tester

 

[cPRex]

@MattGarner - can you let me know what errors you're seeing from the mail-tester tool?

 

[GoWilkes]

@MattGarner, I honestly don't know that I can continue to blame mail-tester. When I send emails to Yahoo or Outlook.com about half of them bounce, and there's no apparent explanation. The only solution I can find is this error; if mail-tester thinks that there's an error then it's possible that Yahoo, Outlook.com, and other sites use the same test.

 

[MattGarner]

@MattGarner - can you let me know what errors you're seeing from the mail-tester tool?

The score on mail-tester used to get a 10/10 and I'm not sure when this changed as it's not something I test on a regular basis but it's got to be recent in the past couple of months. The score is now 7.5/10 and according to the results it's due to DKIM.

"Your message is not signed with DKIM
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message."

I checked the DNS records for the domain and the "Email Deliverability" and the DKIM, SPF records are all in place. I even tried deleting the DKIM record and allowing cPanel to re-insert it just to see if it makes any difference but it didn't. It also doesn't seem to be one specific domain with the problem either.

I left some feedback on the mail-tester.com site to see if they made any changes with how they check for DKIM records and they came back with the following:

When you sign your email with DKIM, there are two elements :

1/ A DNS entry : a TXT record that indicates your public DKIM key.

2/ A signature inserted in your email that is generated based on your own private key and the email content.

When the receiver receives your email, it checks the inserted signature based on your public DKIM key and your email content.

You probably have a public DNS entry but apparently the message itself is not signed."

I then decided to test this on another control panel (not cPanel) that has a similar setup where it generates the DKIM and puts it into the DNS records for you. That test came back with a solid 10/10 and shows the DKIM public key and DKIM signature on the mail-tester.com result. Where as on the cPanel test message, the DKIM signature and public key is missing from the mail-tester.com result.

@MattGarner, I honestly don't know that I can continue to blame mail-tester. When I send emails to Yahoo or Outlook.com about half of them bounce, and there's no apparent explanation. The only solution I can find is this error; if mail-tester thinks that there's an error then it's possible that Yahoo, Outlook.com, and other sites use the same test.

Yeah I'm not really sure where the problem lies. It used to get a solid 10/10 and it seems any of the domains on the cPanel server is now downgraded to a 7.5 without any changes done by us personally.

 

[cPRex]

@MattGarner - did they give you any additional details on why that specific key had an issue? If there was a global problem with DKIM that would have been a major disaster that we would have heard about by now, as major places like Gmail and Yahoo would also be scoring messages negatively. If you can get some more details from them and how they are performing this work, I'm happy to investigate things on my end.

 

[MattGarner]

@MattGarner - did they give you any additional details on why that specific key had an issue? If there was a global problem with DKIM that would have been a major disaster that we would have heard about by now, as major places like Gmail and Yahoo would also be scoring messages negatively. If you can get some more details from them and how they are performing this work, I'm happy to investigate things on my end.

I've replied back seeing if they can shed any further details. I have noticed in test emails being sent to a Gmail account they are missing the "Signed By" section as shown in the screenshot below.

Back in December 2020 a test from the same email account did have the "Signed By" line on it.

 

[Lou888]

Hi

What's up here about this issue ??

 

[GoWilkes]

No improvements on my end, most emails that I send to Gmail or Yahoo still end up in their spam folder.

 

[cPanelAnthony]

Hello! I am unable to replicate any issues with DKIM from a test environment. Are there any SPF, DKIM, DMRC, rDNS, or other issues, when viewing the email headers of a message that was sent to spam?

How to find email headers