Enable DKIM for PHP e-mail send() function?

[lahautel]

Hi,

My website sends welcome mails to my new registered users with a PHP script and the classic PHP mail() function. I've activated and configured correctly the SPF (via CPanel) mail authentification service, that works fine, even if I had to make an manual change of the TXT record in DNS due to a wrong x10hosting mail serveur ip address (Yahoo Mail gives the following feedback :
"Received-SPF: pass (domain of domain.xy designates 198.91.80.251 as permitted sender")

I've also activated the DKIM mail authentification system via the CPanel. In the x10hosting documentation :

https://x10hosting.com/blog/creating-spf-dkim-records/

they say that the enabling DKIM activation process should give me back the "current raw DKIM record for your domains" (with the public DKIM key I suppose). But the CPanel apparently doen't give me back this record and so I cannot include the public key into the header of the mail my PHP script sends. But the CPanel displays that DKIM functionnality is enabled...

Yahoo mail gives the following feedback for mail sent with the PHP script (and some other email server consider those mail as spam or simply delete them without any feedback):

"Authentication-Results: mta1027.mail.ir2.yahoo.com from=domain.xy; domainkeys=neutral (no sig); from=domain.xy; dkim=permerror (bad sig)"

Do I miss some information or do I look at the wrong place ('Email Authentication' in CPanel) to get this record information? Any idea or experience about how to enable DKIM on Free x10hosting?

Many thanks for your lights about it

Laurent

 

[lylex10h]

I'm not 100% on the public/private key thing but 1. Use webmail to send message from whatever@domain.xy to external account. 2. Check headers in received message of external account. 3. Key should be in those headers.

 

[lahautel]

Thanks Lylex! Good way to investigate. Unfortunately the mail header does not countain the DKIM public key but only header and content signatures generated by the x10hosting mail server (diffrent for each new mail). The generated mail header contains also 2 other different attributes : d=domain.xy and s=selector ( [selector]._domainkey.[domain] txt record on dns contains the public key). When the receiving mail server gets the mail, it process the two signatures of the mail header and the public key of the DNS to check the mail authenticity.

When you enable SPF via CPanel ('Email Authentication') it automatically add a new corresponding TXT record with the necessary SPF data (even if sometimes you have to correct it). But when you enable DKIM, the CPanel just tells you that it has been enabled but no new TXT record with DKIM data (public key) is added to domain.xy DNS...

So the question remains: where can we find the DKIM public key to add to domain DNS?

Does anyone has an idea? Thanks a lot!

 

[lylex10h]

Use dig, nslookup or sites listed at https://protodave.com/security/checking-your-dkim-dns-record/
Example of my domain kolbys.net:

dig @ns1.x10hosting.com default._domainkey.kolbys.net txt

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.x10hosting.com default._domainkey.kolbys.net txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35458
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;default._domainkey.kolbys.net. IN      TXT

;; ANSWER SECTION:
default._domainkey.kolbys.net. 86400 IN TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArIuoeM0wzZUYCFq4eqqcBbv9wLOyVTnC5FIMW6HgI6MtgL5JHpwaAdp8rVaVQnz7qTZ7MkVKzpC3Sp+5oxs00YUYYx/9MuQWgAsJ8h/xu9IEGvKXrU4fQtvBBV4qknn/JV2pAkaDdrHiFzQyRSDbxjW693ceMkpgDgjmTz1GrzPHvT2OjzQYhl24Lkf+ruqB1" "AAsYdCLr/shOqG1xQ9qUz3F60IlkFoUoyzYgFhLatHPiPgttAWiuveSB292sl5cFxjMJP7Xz+d+DD+P9SefoDyr9ISntd3xvPPY1otGCfUqoikOLM/oiXi2upLS3aw/SPJiyseTXkIA2tCPRHpVaQIDAQAB;"

 

[lahautel]

Great, I've found the DKIM public key. Thanks Lylex! But on the other hand I realize that, at the opposite of what I was thinking a few hours ago, a TXT record has been created by the CPanel when enabling DKIM. But not into domain.xy domain but into default._domainkey.domain.xy subdomain. So the DKIM public is available for the incoming mail server in order to check e-mail authenticy with signatures contained into the received e-mail header. At Yahoo Mail I got for instance the following DKIM header into a trial mail I've sent:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain.xy;
     s=default; h=Message-ID:Reply-To:Subject:To:From:Date:
    Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Cc:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
    List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=bi32Wzf/T2r7Tq0FuFvjIuCMbg/Zb0PxuwfT8jpl/0Y=; b=NUGaBEffW6eJ7XfGynbKDL1URT
    8/UzbImg02BnjZEmx3YCeJSVxt7ThoLXjZCLH+BYK/jr/bqMSmN4PfA3Ch2xdLeNBjAUaFPUofoUP
    SJCq10nZgDlLE65SF8nVsVA7alTL+GImBnD263+xye+ehF7yCAtfUGyLKOf7iYFDU2LNK7oIhQjfX
    AW0D7B6uTJ+9ocUyC3Cz8kPCroNJciCkwD5w1uCvoVjhTfqyo42GzV6Yg7psqdSFl8gKvECIJb1/u
    5d6fkGkfmRrJcyVvj2B3TMAuQq64r6Y7hZDpV/XKzhQ4IlnNyQ33m+oWPlOnMb63ohD5q+gJ0K8li
    riIDNL/A==;

but Yahoo Mail add also the following line into the received mail :

Authentication-Results: mta1070.mail.ir2.yahoo.com  from=domain.xy; domainkeys=neutral (no sig);  from=domain.xy; dkim=permerror (bad sig)

The DKIM TXT record generated by x10hosting with the public key is the following:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQpDKr7ug2nb9WqIjDL3aKw0HHlOyeOKOxRma7zpZ0SE6nQF28vdDKLQbR6UELQWeLKcJ1CAYcy2781PhH1n8Ia2LmyNhBsRSOOyB+ogGL1N18HsHPYMaEmvH7rFdh6SgWZaOppaSYhxincA/TOeu4fdN5f/Whs7rVxFTFrceGflqIcaSdZXupOMw9J47OJOL" "FkpTI4DGRND4vgWqabUj9AaNbO/V/VkteoiwVL/QGdX/GPf6yk8xzFxG/3k7pxymunYkC2QQb5KyuVzcYY1+1smvtrEDZs77Z3tgSs5WQgr5OTpXFIP50YZqkEk2jHdx/e2xDFBS8b/D4GoQ/kDAQIDAQAB;"

What seems strange is that x10hosting says the DKIM public key type is rsa (k=rsa) and Yahoo Mail apparently waits for rsa-sha256 (a=rsa-sha256). Could this have a negative impact on the DKIM authentification process? If not, I don't understand why the DKIM authentification process fails on Yahoo Mail Server (and apparently on other: Hotmail (Outlook) server considers trial sent mails as spam). It's a little bit frustrating: everything seems to be alright on both outgoing and incoming mail servers but DKIM authentification fails... Any idea?

 

[lylex10h]

Not sure about Yahoo but Hotmail/Outlook thinks everything that comes from x10hosting is spam. Just one of the costs of free hosting.
Does Gmail give you any problems? Mine just state DKIM: 'PASS' with domain kolbys.net
Do you have the same problems when sending from webmail with @domain.xy accounts?
Check your DKIM records at https://mxtoolbox.com/dkim.aspx . The selector should be: default

 

[lahautel]

Thanks Lylex! Concerning Hotmail/Outlook, mails from x10hosting are apparently not considered as spam because of x10hosting being on a blacklist but because Hotmail/Outlook DKIM authentification is definitely too strict: if you don't have your own mailserver directly tied to your domain and your mails are sent through your provider mailserver (in our case x10hosting), Hotmail/Outlook considers them as spam because in the mail header the domain specified as the origin of the mail (from x10hosting...) is not the same the domain referenced into the DKIM signature (the domain from where the incoming mailserver requests the public DKIM key : domain.xy). So you will have exactly the same problem with hosting on other providers if you have to use mailservers of those providers to send your mails. For more information, see :

https://blogs.msdn.microsoft.com/tz...es-dkim-a-little-differently-than-office-365/

 

[lahautel]

Finaly found the problem: there was an... HTML tag syntax error in the mail. A tag was splited with a linefeed inside of it. After correcting this error, the DKM has started working fine. But it's strange that DKM process is sensible to the correctnes of HTML syntax of the HTML message included into mail. But at last it works. Lost hours and hours just because this small error. Thanks a lot Lylex for your support! Have a nice week-end. Laurent