0
votes

I'm trying to upgrade my PHP DKIM signing from SHA-1 to SHA-256 and am getting errors. I tried many things (as follows); basically Gmail fails to authenticate my signature with all sorts of errors (as follows). My message header is:

    ARC-Seal: i=1; a=rsa-sha256; t=1531129068; cv=none;
        d=google.com; s=arc-20160816;
        b=AbkKcrsMJTl1UsVer0iTqShaCPEbef/33ABSdCP6FB6BvWeOVnmE4xNIcJjZTXwE8B
         OuwXkIa26k4i8I6NqSSCwnQoa1QENQCnMSFUJX9hxQa774BMmME+1c2AP7h7Jb7ug8Z8
         9EYXQCuJNLs1FnApd8p2gsx/RsC9DQ6Z3M57mrZpIp9N6MsAE9VAGQ/sthz+dkMkJlvT
         V1hEO26gjXPivGe14EFTb0h5q6kkgoWONQXG+gQQVWEzDk8Gq/eT7Ilm9Fzh0V2PNb+n
         n5zB8ZRdiG8fx0i3oPVDPnNG9k3drOJG6dNdwbIhol+fjRhs6u8boLM1ZCFHGl7S2vKp
         3AyQ==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
            h=date:message-id:mime-version:reply-to:to:from:dkim-signature
             :subject:to:arc-authentication-results;
            bh=MrgLc4ve1ORJFuf0aopHaOcjRXDQ8YmXq9esgbjEKik=;
            b=rG9HE1d3/x5uB5d4PKk9IBG6YoQUltU4GksFoKgw849OU+sM4V5tJ13CuldShH8J9L
             yaOwnZC9W04AhhyzwBCQ3L2H9M4BNWX+ROo7VKakCyxL91aiZMlxB6XwrrK9T4xTJIYk
             OiAB9AzQawP49a/jdKD0rNZAAReOuRvfY/Mo8FzJ0rlAfbyNiu0z1CPLN6BqfE9Hf7n2
             a2QGMMmq+B9Vm5a8pmq7xvFROEpiDe2jUndpfTZB3NoVNYYdk5sBPL698dz+RCFFRhtt
             UnJWPUrFRcVPLbXrZrOMnhpXfaPiRE/P5UGFwahS0XsHpXvx2QHq02DSxe02jPrrWtt+
             957Q==
    ARC-Authentication-Results: i=1; mx.google.com;
           dkim=neutral (no key) [email protected] header.s=dkimpr header.b=QuXBPFmZ;
           spf=pass (google.com: domain of [email protected] designates 110.120.130.140 as permitted sender) [email protected]
    Return-Path: <[email protected]>
    Received: from ess007709 ([110.120.130.140])
            by mx.google.com with ESMTPS id h16-v6si13954889pgb.39.2018.07.09.02.37.47
            for <[email protected]>
            (version=TLS1_2 cipher=AES128-SHA bits=128/128);
            Mon, 09 Jul 2018 02:37:48 -0700 (PDT)
    Received-SPF: pass (google.com: domain of [email protected] designates 110.120.130.140 as permitted sender) client-ip=110.120.130.140;
    Authentication-Results: mx.google.com;
           dkim=neutral (no key) [email protected] header.s=dkimpr header.b=QuXBPFmZ;
           spf=pass (google.com: domain of [email protected] designates 110.120.130.140 as permitted sender) [email protected]
    Received: from www-data by ess007709 with local (Exim 4.80) (envelope-from <[email protected]>) id 1fcSDJ-0006Ij-CQ; Mon, 09 Jul 2018 02:12:09 -0700
    To: [email protected]
    Subject: Welcome to MYWEBSITE
    X-PHP-Originating-Script: 1001:test.html
    DKIM-Signature: v=1; a=rsa; q=dns/txt; l=586; s=dkimpr; t=1531127529; c=relaxed/simple; h=From:To:Subject; d=mydomain.com; [email protected]; z=From:=20"mydomain=20App"=20<[email protected]> |To:[email protected] |Subject:=20Welcome=20to=20MYWEBSITE; bh=f1SBFzroobq/J+Xp4b+3SEctGQ40Fdi61QLOr3b+Joc=; b=QuXBPFmZGPUazSutggKZHSFxhc7WyIeshmT+Le1i+0n1aYq8B9lDKV9kgw5JdIOBwJvNuyYqHQ0FVDy+gti+FkVujXkzOfrbay4RjZ1Ti0tijJdsWrkSwzlJp9HO9CIbzpo6rcvRG6JoO76lkdhc35lmCfmlCsTfopIvNlHSMK+RoWp87+QIFINyqM0phTT1atSIJQWnMcKSLS54fMqlMjNXEgyN/Q53ZUDM+qIHDCk5eQskP6rGvxsEGIHZK4IgnTqb4uIgNWZNFlNr0f5z7j8PlUSzOLZrGC1r78i9DFrT128z35dOXXA7NV6TaS56jE+/uhLB1f0qfYdjnj4jCw==
    From: mydomain App <[email protected]>
    To: [email protected]
    Reply-To: [email protected]
    Content-Type: text/html; charset=utf-8
    MIME-Version: 1.0

I did have some issues publishing my DNS TXT record, since my DNS host (NameCheap) has a limitation of 255 chars per TXT record; I worked around it by publishing a CNAME instead, pointing to a different host, and hosting the TXT record with a different provider. I believe it is resolving OK, since when I validate the TXT record with the DMARC DKIM analysis tool I get the following OK result:

    v=DKIM1; k=rsa; g=*; s=email; h=sha256; t=s;
    p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2M+BcNJ0iDiEvfEY3oZ33gSpO7sjt
    LyiNuyHNjT2KU1QWKaM8mKbYtwXjKqrG1vp4gLAPcbBI2rl2yGsxqJ+ml0ULTHYpjuGF5bMT9jh
    /Dt/3bTTps4hbBrZPoaL9f6xDHu6LGEKgnqLEF/z+tpUte56xCFxz/b8zTYLn6srpQBsBTORjzq
    8pkmfYGLfVJgw0+zZTZjQL4UXDqd3jmj/go4HCeij1UGoMkgp4zWzzCrJDuWbfPOPikaqZmhZk+
    Je5I60pHn6Dlhp3v6awdGTWLb+51L0Y0QieLt3yM62Z4TeVembyUI6sEB+hb7DByK5GbS44sJxu
    +AbnUJ4U5dhWwIDAQAB;

I tried heaps of things to resolve my error:

  1. I tried to send k=rsa-sha256 instead of k=rsa; I then got a dkim=fail error (which at least shows that the DNS record is resolving?).
  2. I tried to remove the l=... variable (the length of the encrypted body) and ended up with a dkim=neutral (no key) error.
  3. I tried UTF encryption instead of base64, and also tried without binary packing; all failed.
  4. I tried to play with the TXT record and published some other versions, e.g. with or without escape characters before the ;, and got the same results.
  5. I tried to change the flag relaxed/relaxed to relaxed/simple (I saw someone claiming it would work), with no results.

Any clues? I would appreciate any help! Cheers
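As an added pre-flight check that is not part of the question or of any answer, the following Python script (standard library only) validates the tag list of the DKIM-Signature header posted above and recomputes bh= over a constructed sample body under both body canonicalizations and with an l= limit. RFC 6376 defines only rsa-sha1 and rsa-sha256 as a= values, so the posted a=rsa fails that check before any key lookup matters. The script also shows relaxed header canonicalization of the From: line as recorded in the posted z= tag (quoted display name) and as it appears in the delivered From: line (no quotes): the signed bytes differ. The sample body, the mail address and the helper names are assumptions of this example, not the poster's data.

```python
import base64
import hashlib
import re

# Tag list of the DKIM-Signature header posted in the question (i=, z= and b=
# left out for brevity; a=rsa is exactly what was sent).
POSTED_DKIM_SIG = (
    "v=1; a=rsa; q=dns/txt; l=586; s=dkimpr; t=1531127529; c=relaxed/simple; "
    "h=From:To:Subject; d=mydomain.com; "
    "bh=f1SBFzroobq/J+Xp4b+3SEctGQ40Fdi61QLOr3b+Joc=;"
)

# The only signature algorithms RFC 6376 section 3.3 defines.
VALID_ALGS = {"rsa-sha1": "sha1", "rsa-sha256": "sha256"}


def parse_tags(header_value):
    """Split a tag=value list (RFC 6376 section 3.2) into a dict, dropping the
    folding whitespace inside values the way a verifier does."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_signature_tags(tags):
    """Return the reasons a verifier would refuse to even try this signature."""
    problems = []
    if tags.get("v") != "1":
        problems.append("v= must be 1")
    if tags.get("a") not in VALID_ALGS:
        problems.append("a=%r is not rsa-sha1 or rsa-sha256" % tags.get("a"))
    if "from" not in [h.lower() for h in tags.get("h", "").split(":")]:
        problems.append("h= must include From")
    canon = tags.get("c", "simple/simple").split("/")
    if len(canon) > 2 or any(c not in ("simple", "relaxed") for c in canon):
        problems.append("c=%r must be simple or relaxed for header/body" % tags.get("c"))
    for required in ("d", "s", "bh"):
        if not tags.get(required):
            problems.append("%s= is missing" % required)
    if "l" in tags and not tags["l"].isdigit():
        problems.append("l= must be a decimal octet count")
    return problems


def canon_body(body, mode, limit=None):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4
    (relaxed), followed by the l= truncation of section 3.5."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # collapse runs of SP/HTAB to one SP, then drop trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":      # ignore empty lines at the end
        lines.pop()
    data = ("\r\n".join(lines) + "\r\n").encode() if lines else b""
    if mode == "simple" and not data:
        data = b"\r\n"                    # simple hashes at least one CRLF
    return data[:limit] if limit is not None else data


def body_hash(body, mode, alg="rsa-sha256", limit=None):
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(VALID_ALGS[alg], canon_body(body, mode, limit)).digest()
    return base64.b64encode(digest).decode("ascii")


def canon_header_relaxed(name, value):
    """Relaxed header canonicalization, RFC 6376 section 3.4.2: lowercase
    name, unfold, collapse whitespace, trim, no space around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return "%s:%s\r\n" % (name.lower(), value)


if __name__ == "__main__":
    print("posted header:", check_signature_tags(parse_tags(POSTED_DKIM_SIG)))

    # Constructed sample body (not the poster's message) with trailing
    # whitespace and blank lines, which is where bh= mismatches come from.
    body = "<p>Welcome  to MYWEBSITE</p> \r\n\r\n\r\n"
    for mode in ("simple", "relaxed"):
        print(mode, body_hash(body, mode))
    print("relaxed, l=12:", body_hash(body, "relaxed", limit=12))

    # z= in the posted header records a quoted display name, the delivered
    # From: line has none; under relaxed canonicalization they still differ.
    print(repr(canon_header_relaxed("From", '"mydomain App" <app@example.com>')))
    print(repr(canon_header_relaxed("From", "mydomain App <app@example.com>")))
```

Run it on a real message by pasting the DKIM-Signature value and the raw body as received; if bh= only matches with the other body canonicalization or a different l=, the signer and the MTA disagree about what the body looked like at signing time, and if a signed header's canonical form differs from what the signer saw, the MTA rewrote it after signing.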


3 Answers

0
votes

dkim=neutral (no key) sounds to me as if the receiver cannot properly retrieve and parse your DKIM record. This aligns with your observation of the 255-character limitation at NameCheap. I have had similar issues.

The easiest fix is to generate and use a shorter DKIM key that fits this limitation. If I remember correctly, the DKIM community offers such a generator. Otherwise you can try a different DNS provider which supports longer TXT records.

0
votes

You can break the long DKIM (public key) record into multiple strings, using a double quote, a space and another double quote.

Thus:

("part one" "part two" "etc")
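As an added example covering both the 255-character limitation discussed in the previous answer and the multi-string workaround in this one (this is not code from either answerer), the following Python script splits the question's own key record into 255-octet strings, reassembles it the way a verifier concatenates a multi-string TXT answer, and decodes the p= value far enough to confirm it is a 2048-bit RSA key with exponent 65537, which is the check a "no key" result fails. It also applies the record's h=sha256 tag: with that restriction a verifier rejects rsa-sha1 signatures, which matters when switching between SHA-1 and SHA-256. The function names are this example's own.

```python
import base64
import re

# The key record shown in the question, with the post's line breaks joined.
# Its 2048-bit p= value alone is 392 characters, more than one 255-octet
# TXT character-string can hold.
POSTED_KEY_RECORD = (
    "v=DKIM1; k=rsa; g=*; s=email; h=sha256; t=s; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2M+BcNJ0iDiEvfEY3oZ33gSpO7sjt"
    "LyiNuyHNjT2KU1QWKaM8mKbYtwXjKqrG1vp4gLAPcbBI2rl2yGsxqJ+ml0ULTHYpjuGF5bMT9jh"
    "/Dt/3bTTps4hbBrZPoaL9f6xDHu6LGEKgnqLEF/z+tpUte56xCFxz/b8zTYLn6srpQBsBTORjzq"
    "8pkmfYGLfVJgw0+zZTZjQL4UXDqd3jmj/go4HCeij1UGoMkgp4zWzzCrJDuWbfPOPikaqZmhZk+"
    "Je5I60pHn6Dlhp3v6awdGTWLb+51L0Y0QieLt3yM62Z4TeVembyUI6sEB+hb7DByK5GbS44sJxu"
    "+AbnUJ4U5dhWwIDAQAB;"
)


def split_txt_strings(record, max_len=255):
    """Cut one logical TXT value into the <=255-octet character-strings a TXT
    RDATA is built from (RFC 1035 section 3.3.14); returns the zone-file form
    ("part one" "part two") that the answer above describes."""
    chunks = [record[i:i + max_len] for i in range(0, len(record), max_len)]
    return " ".join('"%s"' % chunk for chunk in chunks)


def join_txt_strings(zone_value):
    """What a verifier does with a multi-string TXT answer: concatenate the
    strings with nothing in between (RFC 6376 section 3.6.2.2)."""
    return "".join(re.findall(r'"([^"]*)"', zone_value))


def parse_key_record(record):
    """Tag=value list of a DKIM key record (RFC 6376 section 3.6.1)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_read(data, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length of length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def rsa_key_facts(p_b64):
    """Decode the p= SubjectPublicKeyInfo and return (modulus bits, exponent);
    a record that does not decode this far is what a 'no key' result means."""
    spki = base64.b64decode(p_b64, validate=True)
    _, seq, _ = _der_read(spki, 0)          # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, pos = _der_read(seq, 0)           # skip AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _der_read(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    _, rsakey, _ = _der_read(bits[1:], 0)   # RSAPublicKey SEQUENCE { n INTEGER, e INTEGER }
    _, n, pos = _der_read(rsakey, 0)
    _, e, _ = _der_read(rsakey, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_key_record(tags, sig_alg="rsa-sha256"):
    """Problems a verifier reports for this record against a sig_alg signature."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s is not rsa" % tags["k"])
    if not tags.get("p"):
        problems.append("p= is missing or empty (empty means revoked)")
    allowed = tags.get("h")                 # h= restricts the acceptable hash algorithms
    if allowed and sig_alg.split("-", 1)[1] not in allowed.split(":"):
        problems.append("h=%s does not allow %s signatures" % (allowed, sig_alg))
    return problems


if __name__ == "__main__":
    zone = split_txt_strings(POSTED_KEY_RECORD)
    print(zone)
    tags = parse_key_record(join_txt_strings(zone))
    print("key:", rsa_key_facts(tags["p"]))
    for alg in ("rsa-sha256", "rsa-sha1"):
        print(alg, check_key_record(tags, alg) or "ok")
```

To check what the world actually sees, feed the output of `dig +short TXT dkimpr._domainkey.<your-domain>` (the selector from the posted s= tag) to join_txt_strings and then to rsa_key_facts; a CNAME in front of the record is fine as long as the final TXT answer reassembles to the full p= value.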

0
votes

OK, so after a year and a half I managed to resolve the issue by resetting my server. The problem was that I was trying to sign my emails at the PHP level with PHP mail(), which was using Exim 4. The resolution was to set up a Postfix server as the outgoing mail server, as explained in this guide. It is a long guide of 12 pages, but going through it step by step makes it work well.

The stack used is Debian Linux; DKIM and SPF would work regardless of which backend you use to send mail (PHP, Python, Node.js etc.).