DKIM Issues

I’ve searched through the Community, but am not seeing “the” answer.

I’ve attempted to set up DKIM. My email provider gave me the correct DKIM code and I have input that code into TXT as such:

Type: TXT Name: actualdomainkey._domainkey Content: v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy05VPK7FINdJkXnAg4JB5olIadKbGCbIeKxk5qHAkW4MKfpJi/2CKaQdYpqxppjWarecCWBjgVS+T2YjHH6n3bQ7c1XSFdgsu7IbR+dY1iztDrqj85Vi/85uy0RQ+a9/QLzLqhgFy6oRbCrZ0e6trak02PaZjhkUOcRKizxvvlrQSxM7+GDGNFSj+efwQkZqwtgHyBr+2ol/dI9L0sDrVci3f/xUbSFR0LNwue1LAQqkcegHkRg2dq8DndsFvTPlhInrWBpqyoS5zyiSLtYq3x+htBB6kIvN0BRWLqRsZDp+tzKW1OoPrSYoCQX795Bfdw8jGsDeAOCYXprg9kN+twIDAQAB

I’ve contacted support, but am getting no response. My email host and I are at our wits’ end. What are we missing?

Hey @lmengerink, can you share your domain to verify the DKIM?
You can verify it yourself here -> https://www.mail-tester.com/spf-dkim-check

Or you can run some local commands, depending on your OS (Google search it and you will find many).

Can you share the real selector value?

Also, you have two SPF records for your domain. You should only have one. Please check and update these so that there is only one SPF TXT record.

Updated the SPF. I presume you’re looking for this: 9d52c13a-42f4-11ea-b8ce-46294b4578d9._domainkey

SPF and DKIM are different things. It’s difficult to troubleshoot without being able to check the actual records, which means knowing the domain too. DKIM records are completely public (at least, they can be seen by anyone who receives an email from the domain in question).

The DNS records for that selector are in place and seem to be ok.

What is your email host actually saying is the problem?

If you send yourself an email and look at the headers, you will find a DKIM-Signature line. Can you share the value of the s parameter? It should be the selector value.

The domain is parklakeadvisors.com.

Domain Key:
8f48ea0c-81cc-11e6-b304-cd4fa3e5478c._domainkey
Domain Signature:
v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGCjltfKIKmzhiMiMPXe/hgUEzfaoEx+87OtucpeZ0kajCfapuyGTmDuvonTy+ra5Fz+qjV6To1U/e9cp8FBfyZxx9/hc9E+jmBSXf1QGlwpe5srOSfQP85bkqSgRajSP/0b/ST6A4YVUo1LqgL3CKRK9ygflcKv4Xtr6G4OBtNwIDAQAB

Google and Mail-tester are showing the DKIM to be invalid.

I’m not seeing any record existing at all with that name. Take a look at the dig output to see the realtime information.

Obviously your details will vary, but this is what it should look like:

And for reference, dig output showing both your record and mine, for comparison. The dig links are based on live queries, if you make changes in Cloudflare’s dashboard you should see the changes if you refresh after about a minute.

Could be his TTL? I can get a afrf;ri=86400;fo=1" while dig +short his _dmarc

There can be lots of things wrong here. More information is needed for any of us to help.

It might help to drop your DMARC policy to none while you work on resolving the issue.

Also, you have given two different selector values. Which is it?

Sorry, I received multiple at one point…it’s the first (9d52…)

My record looks just like this - with exception being TTL is set to Auto instead of 1 day.

Good eye. 9d52… has a valid record, 8f48 does not.

Dig output shows the record and mxtoolbox parses it and confirms the syntax is valid.

@lmengerink Any chance that maybe you used the new name, but the old key? Otherwise nothing looks off at the moment. It is possible that some tool is caching an old/missing record and returning a false error too.

The record that’s there appears to be correct. (This was updated early this week and the DNS cache purged.)

You should not really just change the active DKIM key when in use. There is a good process documented by the M3AAWG, but some major providers use two selectors and flip from one to the other when they need to rotate.

Do you send all email via a different provider to your incoming email? The format of the DKIM you posted looks like that from Red Tail Technology, but if you are sending through Smarsh.com (as in your SPF) their keys look very different.

Who is signing the email, and how did they give you the signing keys?
Can you share a DKIM-Signature header from a malfunctioning email?

% dig txt parklakeadvisors.com @bruce.ns.cloudflare.com. | grep spf
parklakeadvisors.com.	300	IN	TXT	"v=spf1 include:smarsh.com ~all"
parklakeadvisors.com.	300	IN	TXT	"v=spf1 ip4:65.74.131.96/27 ip4:65.74.153.192/27 ~all"

This appears to be the issue. While the email provider assured me that DKIM would work through Smarsh, it appears to be a limitation within Smarsh itself.

I appreciate all of the help.
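
The checks suggested in this thread (read the s= selector from the DKIM-Signature header, confirm exactly one usable key record exists at that name, and confirm only one SPF record is published), as an added Python example that is not part of any post. The domain example.com, the selectors, the key bytes and the zone contents are constructed sample data, and the DNS lookup is replaced by a dictionary so the code runs offline.

```python
import base64
import binascii

# Constructed sample data (not the thread's records): TXT values keyed by name.
ZONE = {
    "example.com": ["v=spf1 include:mail.example.net ~all",
                    "v=spf1 ip4:192.0.2.0/27 ~all"],
    "sel-new._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed key").decode()],
}
# Constructed DKIM-Signature value: the sender still signs with an old selector.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          "\ts=sel-old; h=from:to:subject; bh=AAAA; b=BBBB")


def parse_tags(value):
    """Split a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def key_record_name(signature):
    """DNS name a verifier queries for the key: <s>._domainkey.<d>."""
    tags = parse_tags(signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def check_dkim(signature, zone):
    """Problems with the key record that this signature points at."""
    name = key_record_name(signature)
    records = zone.get(name, [])
    if len(records) != 1:
        return [f"{len(records)} TXT records at {name}, expected 1"]
    if '"' in records[0]:
        return ["literal quote characters inside the record content"]
    try:
        key = base64.b64decode(parse_tags(records[0]).get("p", ""), validate=True)
    except binascii.Error:
        return ["p= is not valid base64"]
    return [] if key else ["p= is missing or empty"]


def spf_records(domain, zone):
    """SPF policies published at a name; more than one makes SPF fail to evaluate."""
    return [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
```

With the sample data, `check_dkim(HEADER, ZONE)` reports that no record exists at the selector the message was actually signed with, which is the mismatch the header comparison is meant to catch.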