DKIM help

Discussion forum for Enterprise Edition.
rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

DKIM help

Post by rfwilliams777 »

I have DKIM set up in the DNS and in ME but my domain williamswebsolutions.net has a longer encryption or longer bit. I got an error (see below). Another post suggested that I need to make multiple TXT entries. I would like some assistance if that is true so I do it right.

MailEnable: Message could not be delivered to some recipients.
The following recipient(s) could not be reached:

Recipient: [SMTP:info@tahoeupshirtcreek.com]
Reason: 550-DKIM: encountered the following problem validating


Message contents follow:

DKIM-Signature: v=1; c=simple; h=Reply-To:From:Sender:To:Subject:Date:Message-ID:MIME-Version:Content-Type;
d=williamswebsolutions.net; s=wws; i=info@williamswebsolutions.net; a=rsa-sha256;
bh=MRYKCd5YMwUVlAuMoyq6trAtPDJdaYMM6B3XFBKIj2E=;
b=JoruCaODpiQFZADukemdrXes37/fvO9sXhQnFAUaPxKxdy9Of7WZPJkd+0iY0wE+p
uVZ3u04McIITSsPE5WADkzw70xD4iqX31Iv7lF1Y4SVwTsbjErWGIi7ek1s+v3kfgjs
RO1FfuOtRDiUPHn85blcXKyqzVBMaRQ0RzpsWm9aAeyU5YiZIQ1qzZBz60sW5kVZ+h9
XNRGg+bxob6fEi2JqSOvn/OaCRKFSySrlkNsZmivGIeL1BH9GJ2KTLRuAQcpiZN771o
hUsLhbYyEl6VMHeBPlycIwUPf1CnT3a0p2BgmZK9tVNiYAmpLnLi25z3yhO/gefV011
ZNRmYSl8A==;
Received: from wws010 ([208.80.175.163]) by williamswebsolutions.net with MailEnable ESMTP; Wed, 4 Nov 2015 10:56:29 -0600
Reply-To: <info@williamswebsolutions.net>
From: <jawilliams@williamswebsolutions.net>
Sender: "Robert Williams @ Williams Web Solutions" <info@williamswebsolutions.net>
To: <info@tahoeupshirtcreek.com>
Subject: clothing
Date: Wed, 4 Nov 2015 10:56:22 -0600
Organization: Williams Web Solutions
Message-ID: <001401d11721$bc659ab0$3530d010$@williamswebsolutions.net>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0015_01D116EF.71CE8610"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdEXIbvZ7Q2n89rIRNy/b+TJS6rhZA==
Content-Language: en-us
X-ME-CountryOrigin: US

This is a multipart message in MIME format.

------=_NextPart_000_0015_01D116EF.71CE8610
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0016_01D116EF.71CEAD20"


------=_NextPart_001_0016_01D116EF.71CEAD20
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Robert Williams, Owner
www.WilliamsWebSolutions.com
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and we will migrate your accounts to us for FREE!
We can be hired to help you with your Mail Enable server, too!

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: DKIM help

Post by Brett Rowbotham »

I ran the SPF/DKIM test at https://www.mail-tester.com/spf-dkim-check on your domain and selector and got the DKIM result "No DNS record found for wws._domainkey.williamswebsolutions.net".

I do see you have a TXT record for DKIM but it is definitely not named correctly.

Cheers,
Brett

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: DKIM help

Post by rfwilliams777 »

Can you please advise on how I can fix that? Is there a website that helps with doing this correctly? I followed one and obviously got it wrong.

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: DKIM help

Post by Brett Rowbotham »

The fix is simple enough - your TXT record for DKIM currently has the name williamswebsolutions.net whereas it should be named wws._domainkey.williamswebsolutions.net in order for DKIM processing to correctly locate the relevant TXT record.

If you are using the DNS service from Windows then simply create a subdomain of williamswebsolutions.net called _domainkey and then add your DKIM TXT entry to that and name the record wws (which is your selector).

Cheers,
Brett

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: DKIM help

Post by rfwilliams777 »

I did what you suggested and got the following response when I did the test.

DNS record for wws._domainkey.williamswebsolutions.net:

"v=DKIM1\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqzNWt9RHrbaufG45ZAUUxk40DgYk/RTZFTjysqcNBuXSuGEyPV1thnWxXHi1UPZB1LMqOvw2VgoYIhb8WdYleVqRnv9MM"

We were not able to retrieve the key length, there is maybe an issue in that key

The key is at 2048.

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: DKIM help

Post by Brett Rowbotham »

Yip, your key is way too short. The entire key runs to the second semi-colon so you need to update the record content with exactly what ME gave you as the string for the TXT record.

Check out nkosi._domainkey.knowbase.co.za for an example of what the key should look like.

Cheers,
Brett

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: DKIM help

Post by rfwilliams777 »

Below is a copy of the key generated by ME and is in the DNS.

v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqzNWt9RHrbaufG45ZAUUxk40DgYk/RTZFTjysqcNBuXSuGEyPV1thnWxXHi1UPZB1LMqOvw2VgoYIhb8WdYleVqRnv9MM87nG79b2L9VEsnxOL07ZvOqMix9xdzb/apwfsX9buDbbukPZe3a+LHIV6w6GJhFLAzJVhXfxUr+fI+tf7SHmrjfiSkRzpc+I+v+Y+efnOerOpMdnYCJ46Yc2gRm9js04QuBk5N2jlwy3ZEqcJVsji2aE92fgp7C+a1sKsCmjWr8VfAPOV+26wzbHofNMzux1/+8gAgEvdVqnf68R/U9ROiPKevesyr8UiamCapVtx+XyQs14jA7H6UUhwIDAQAB;

But when I run the test, it only gets this far
v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqzNWt9RHrbaufG45ZAUUxk40DgYk/RTZFTjysqcNBuXSuGEyPV1thnWxXHi1UPZB1LMqOvw2VgoYIhb8WdYleVqRnv9MM

dbly
Posts: 54
Joined: Wed Aug 20, 2008 9:18 pm

Re: DKIM help

Post by dbly »

You don't have the full key in DNS. You can check it from the command prompt like this:

C:\>nslookup -type=txt wws._domainkey.williamswebsolutions.net

The response you are getting is looking like this:

Non-authoritative answer:
wws._domainkey.williamswebsolutions.net text =

"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqzNWt9RHrbaufG45ZAUUxk40DgYk/RTZFTjysqcNBuXSuGEyPV1thnWxXHi1UPZB1LMqOvw2VgoYIhb8WdYleVqRnv9MM"

Whatever you are doing to update the DNS is apparently truncating the entry. What are you using for DNS?

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: DKIM help

Post by rfwilliams777 »

Windows DNS

dbly
Posts: 54
Joined: Wed Aug 20, 2008 9:18 pm

Re: DKIM help

Post by dbly »

That explains it -- Windows DNS can't handle TXT records longer than 255 bytes. Regenerate your key as 1024 bits, and the shorter key will fit within your DNS constraints.
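
An added example (not part of the original thread or of MailEnable): a Python check that tells a cut-off p= value from a complete one by comparing the length the key's DER header declares with the bytes actually published, and that cuts a record into the character-strings of at most 255 bytes that TXT data consists of (RFC 1035), which DKIM verifiers concatenate before use (RFC 6376, section 3.6.2.2). The sample key is constructed with a dummy modulus, and the function names are hypothetical.

```python
import base64

# Constructed sample: DER layout of a 2048-bit RSA SubjectPublicKeyInfo with a
# dummy modulus (structure only, not a usable key).
SPKI = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00"
                      "3082010a0282010100")
        + b"\xab" * 256 + bytes.fromhex("0203010001"))
RECORD = "v=DKIM1; p=" + base64.b64encode(SPKI).decode() + ";"

def parse_tags(txt):
    """Split a DKIM key record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def key_length_check(txt):
    """Return (declared_bytes, actual_bytes) for the p= public key."""
    b64 = parse_tags(txt).get("p", "")
    b64 = b64[:len(b64) - len(b64) % 4]   # a cut-off value may end mid-quantum
    der = base64.b64decode(b64)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("p= does not start with a DER SEQUENCE")
    if der[1] < 0x80:                     # short-form length
        declared = 2 + der[1]
    else:                                 # long form: next n bytes hold the length
        n = der[1] & 0x7F
        declared = 2 + n + int.from_bytes(der[2:2 + n], "big")
    return declared, len(der)

def is_truncated(txt):
    """True when fewer key bytes are published than the DER header declares."""
    declared, actual = key_length_check(txt)
    return actual < declared

def split_strings(txt, limit=255):
    """Cut a record into character-strings of at most `limit` bytes each."""
    raw = txt.encode("ascii")
    return [raw[i:i + limit].decode() for i in range(0, len(raw), limit)]

if __name__ == "__main__":
    print(key_length_check(RECORD), key_length_check(RECORD[:255]))
    print(" ".join('"%s"' % s for s in split_strings(RECORD)))
```

Feeding it the concatenated strings returned by a TXT lookup of the selector name shows whether the published key is complete.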

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: DKIM help

Post by rfwilliams777 »

Got it!
Thank you very much for your help and patience.
So will I need to do the same thing as I did for the other domains and email accounts I host, with adding the subdomain and all that? They are all hosted on the same server. Their bit length is 1024 by default.

dbly
Posts: 54
Joined: Wed Aug 20, 2008 9:18 pm

Re: DKIM help

Post by dbly »

Yes, since DKIM is on a per-domain basis it will need to be done for each of the domains.

I prefer to set up SPF, DKIM, and AutoDiscover records all at the same time since each of them requires modifying the domain's DNS.

dbly
Posts: 54
Joined: Wed Aug 20, 2008 9:18 pm

Re: DKIM help

Post by dbly »

Also, don't forget to create your policy record in DNS. At the very least you should have

_domainkey TXT t=y; o=~

t=y means testing
o=~ means that SOME messages are signed

Once you are sure that things are working, remove the t=y;

and if ALL of the email for that domain flows through MailEnable and is signed, change the tilde to a hyphen ( o=- ) to indicate that all messages should be signed and any unsigned messages should be discarded.
