DKIM TXT record not verifying, therefore outgoing emails are being received in spam folder

Hi Cloudflare Community,

Since a few weeks, my emails sended out are being received in the spamboxes of email clients. I investigated this issue, were I came to the conclusion my DKIM txt record is not being validated, alltough it’s active and being seen by DKIM record lookups.

I went to my hostingprovider to look into this issue, but they are out of ideas and turned me to Cloudflare, since the issue must come from some sort of setting or being a resolving issue.

Does anybody had the same problem and figured out how to get the DKIM TXT record to properly validate?

Hope somebody can help me out!

Kind regards,
Joey

Can you post your domain name here so we could check out more?

Can you check if you have an TXT record for a SPF also?

How about a TXT record for a DMARC?

Usually, the best outcome combination is having SPF, DKIM and DMARC if possible.

Moreover, have you got an TXT or CNAME record for your DKIM value?

Kindly, can you check if your MX record is pointed to a hostname (A mail record) which is :grey: (DNS only) at your DNS tab of your domain at Cloudflare dashboard?

Or, if using a CNAME, make sure that CNAME record are set to :grey: (Click the :orange: cloud to change it).

Can you post the Cloudflare records you entered (you can hide /maskyour IP address on the screenshot due to privacy concerns)?

In case if needed, you can also check for the steps here:

Hi fritexvz,

Thanks for your quick reply.

The domain in question is joeyzo.nl. The DNS records contain all email verification and protection methods like SPF, DKIM and DMARC.

I have three DKIM TXT records, all for testing purposes. The MX record of the email is also set and points to the A record of the domain, which is not being proxied by Cloudflare.

In the attachtments you can find a screenshot of my DNS settings.

Thanks in advance.

Kind regards,

Joeyzo

From the screenshot above, I see two MX records.
I believe to make it “pass” for DKIM, you should keep the one that is MX joeyzo.nl and content is mail.joeyzo.nl and remove the MX 185.182.56.111 with content fallback.axc.eu.

Or do you use that one fallback?

Next one is about mail.joeyzo.nl, for which I got returnet Cloudflare Origin CA certificate:

Using this command openssl s_client -connect mail.joeyzo.nl:465 -crlf I also got the same result:

depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
1 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2886 bytes and written 432 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 71F4DA24BA83A8CD0F90A961BF0FEF5FC4084FC3D8F95C5DD808C9E41FAF7CF5
Session-ID-ctx:
Master-Key: 30A8BFF73CA39FDF59230A471875680609835CBB86642D66DE915C95948B7E5AA26F7AC232AF6FE6AC8555D849CC7A38
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1616276684
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
220 vserver265.axc.nl ESMTP Exim 4.94 Sat, 20 Mar 2021 22:44:44 +0100
quit
221 vserver265.axc.nl closing connection
closed

I am afraid the current situation is that this is only for sites behind the orange cloud.
It is self-signed (by Cloudflare). Meaning only for a web server proxied via Cloudflare and it is not going to work for a mail server.

SSL for e-mail
If you want to use an SSL for your e-mail, you would need to either purchase one or generate free Let’s Encrypt SSL certificate for your mail.joeyzo.nl hostname.
As you are already using Cloudflare Origin CA certificate for your domain joeyzo.nl and www.joeyzo.nl, but this one cannot cover the mail.joeyzo.nl (either if you added it).

The Reverse DNS lookup of 185.182.57.60 returns : vserver265.axc.nl
The “A” DNS lookup of vserver265.axc.nl returns : 185.182.57.60

No SSL for e-mail
Then you would need to configre your email server at your host/origin to not use an SSL certificate, just plain text (which really is not a recommendation) - you would achieve this by removing the ssl variables that point to Cloudflare CA origin certificate (for e-mail only, but keep it for your web server).

Moreover, as far as I got what you have, due to having a VPS server at axc.nl, that free Let’s Encrypt SSL certificate which you would generate, should contain both your VPS servers name (hostname) and your mail.joeyzo.nl hostname to make it work (it is possible to add up to 100 hostnames per an SSL certificate for Let’s Encrypt SSL certificate).

Next is going to be, you would need to configure your e-mail server at your host/origin. Do not know if you use Postfix and Dovecot combination or some other, but that one is related to your server, not Cloudflare.

Also to consider, for testing purpose, would be good to add an TXT record for SPF like:
TXT joeyzo.nl with content v=spf1 mx a ip4:185.182.57.60 a:mail.joeyzo.nl ?all

Good articles about how to properly setup your e-mail server can be found here:

You can manage to solve your issue by generating the Let’s Encrypt SSL certificate only for your mail.joeyzo.nl hostname and then link to it at your e-mail configuration file.

After it, test with SSL Checker).

If correctly generated and added to configuration file, you should be able to send and receive e-mails with SSL normally.

Hi fritexvz,

Thanks for your reply again!

I just deleted the fallback server, just to check if this can make any diffrence.

If I understand correctly, you’re saying my email server is not validation properly because SSL is only working for proxied ip’s (orange clouded). Therefore I should make another SSL certificate on my hosting platform (DirectAdmin), but this time only for the mail server (mail.joeyzo.nl). Then all my emails are protected by an SSL certificate and therefore DKIM will validate itself and will work again, correct?

If this is the case: I just checked with on DirectAdmin. But I’m afraid I’m not able to activate a second SSL certificate. So if I don’t want to purchase a SSL certificate, how would I be able to accomplish this?

Thanks again for your advise!

Kind regards,
Joeyzo

Hi JoeyZo,

For DKIM to work, it needs coordinate with the mail server. DKIM work like this:

  1. You have a pair of public/private key
  2. You wrote public key into [selector]._domainkey.yourdomain.com as a TXT record like what you have with k1, k2 and x in your screenshot
  3. Your mail server is configured to know which selector in should fetch the TXT record. So to make it work, double check in your mail server to see if you have correct selector.

To verify, use https://www.mail-tester.com/ to score your email and they will tell you what problem with your email.

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.