Geekzone: technology news, blogs, forums
Structure1183

#310592 4-Nov-2023 09:42

Trying to sort out email best practice for a club that I'm administrating.

Have set up both SPF and DMARC, which can be verified fine on learndmarc.com.

However, I am having issues with DKIM, as it seems like my emails that are web hosted via freeparking.com aren't actually getting signed.

And chatting with livechat and their phone line seems to not really go anywhere, as they verify that my public key has propagated and "made active".

But DKIM still fails to verify, as the outgoing emails aren't getting signed by the private key and there is no option within cPanel for me to mark the emails to be DKIM signed.

Ideally I would want to move to Metaname and Cloudflare; however, I would also need to find another mail host that's cheap to administrate, as this is a university tramping club I'm helping out with and it's hard to justify paying over $500 for 15 email addresses when the web-hosted emails are only $150 per annum.

freitasm
#3155707 4-Nov-2023 11:41

How did you create the DKIM key pair? Did they offer a tool for that?

If they don't have a tool for that or don't offer a way for you to load the private key, then their software likely doesn't support DKIM.

Structure1183

#3155743 4-Nov-2023 14:58

It's on their website itself, where you can randomly generate a key pair, and it shows me the private key once.

And lets me copy the public key to my DNS entries on WordPress, which I've done and propagated.

But there is no option in their cPanel for me to insert the private key, neither is there an option in Roundcube, their webclient.

The mail servers are managed by freeparking at mailx.freeparking.co.nz


SirHumphreyAppleby
#3155803 4-Nov-2023 15:14

DNS propagation is largely a myth. Either an old value is cached, in which case you may need to wait as long as the TTL for it to be refreshed, or the record previously didn't exist and this fact has been cached for a (hopefully short) period of time. As the public key isn't used for signing, the fact that one source is signed and another is not, rules out any DNS issue on the signing side and on the receiving side all things being equal (i.e. the same key and DNS data).

Structure1183:

But there is no option in their cPanel for me to insert the private key, neither is there an option in Roundcube, their webclient.

There isn't any need for you to actually know what it is unless you want to use the key elsewhere. DKIM signing is server-side in most cases.

You mentioned the messages weren't being signed. Have you checked this? There will be a DKIM-Signature header added if e-mail is being signed.




Structure1183

#3155865 4-Nov-2023 16:42

Yep, if I send a test email to myself and inspect the headers:

Only SPF and DMARC is set up.

DKIM reports as X-Hosts-DKIM-Check: none


SirHumphreyAppleby
#3155868 4-Nov-2023 17:03

It would be best to look for a DKIM-Signature specifically, as X-Hosts-DKIM-Check isn't a standard header and it's unclear what "none" means.

DKIM-Signature: v=1; a=ed25519-sha256; t=1699069760;
    s=ed25519; d=example.com;
    h=Date:From:To:Message-ID:X-Mailer:Content-Type;
    bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
    b=MSbUwi81mHlGOFce3W02wkPaXyeFYRvYRNEiLCmAiLmpRHPpcv40dXD45w+LJtaVcrHj9jKmk0BI

The s= specifies the selector (selector._domainkey.yourdomain), and d= specifies the domain. If this header is absent, the e-mail definitely isn't being signed.

It's possible freeparking won't sign until they've verified the DNS record, which may take some time. Their documentation doesn't say you need to do anything further, but they do indicate 24-48 hours for third party DNS services. That may be less to do with third parties and more to do with how their system works. E.g. they may only run this verification once a day.


Structure1183

#3156123 5-Nov-2023 12:30

There isn't a DKIM signature header at the moment.

smtp.mailfrom=redacted.org.nz; dkim=none (message not signed)

I might send them an email and see where it goes but doesn't seem really promising - the only benefit of staying with them is that email for 15 users is relatively cheap at 150NZD per year.


 
 
 


res

#3172683 17-Dec-2023 14:29

You shouldn't get me started on this one but you have.

Freeparking helpdesk appear to be as thick as the proverbial two short planks. They have almost zero understanding of SMTP and zero of DKIM, DMARC etc.

I logged a helpdesk email with them around 27/28 November for this very issue.

After a bit of web research on what DKIM was, I had set it up as per Freeparking instructions at https://www.freeparking.co.nz/help/enable-dkim-for-your-domain

This included the DNS TXT entry for the selector (signature entry).

And nothing happened. Viewing the source for a message sent to gmail, no DKIM selector signature header appeared.

So my helpdesk saga started and ran until 15 Dec. I'll try to keep it short:
FP- you need to delete your DNS A record entry for mail.<mydomain> and your C records and your MX record.
Me- no I don't, my email works fine, and this has nothing to do with your SMTP server not adding the DKIM selector header.

Repeat the above two lines about three times... They also "fixed" my DMARC TXT entry because I had it set to get reports they called email errors.

FP- I've checked with 2nd level support and your DNS entries are fine. You need to re-setup your client. Try using mailx.hosts.net.nz
Me- explain I tried that and mailx.freeparking.c.nz as well as mail.<mydomain>. They all point at the same server IP, they all work, but your server is not adding the selector header.
FP- we tried making some test emails and they worked fine so there must be a problem in your client.
Me- I can send email fine too, this ticket was raised because your server isn't adding the DKIM selector header, not because I couldn't send email.
FP- our test emails worked fine so there must be a problem in your client.
Me- Tell FP you are completely useless. I made some more test emails (15 Dec) and now the selector header has appeared, yet FP helpdesk don't know that. Oh well, gmail is happy now.

My guess is they restarted some processes or servers and it came to life.

Any thoughts on an alternate hosting service?


res

#3172735 17-Dec-2023 14:50

One odd thing though:

Gmail source for a received email from FP shows SPF, DKIM and DMARC as pass and the DKIM sig is there but there is still the line X-Hosts-DKIM-Check: none

Anyone know why/how that could be?

Cheers


SirHumphreyAppleby
#3172736 17-Dec-2023 14:54

res:

Gmail source for a received email from FP shows SPF, DKIM and DMARC as pass and the DKIM sig is there but there is still the line X-Hosts-DKIM-Check: none

Anyone know why/how that could be?

It's a proprietary header and therefore meaningless. At the time the header was added, there may have been no DKIM-Signature, or it could be completely broken. DKIM headers are meant to be trace headers, so if the DKIM-Signature is above this line, it was almost certainly signed after the header was added.
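
Added example (not written by any poster in this thread, and not Freeparking's tooling): a small Python check for the two points made in the replies above, namely whether a raw message carries a DKIM-Signature header (and which selector._domainkey.domain name its s= and d= tags point to), and whether that signature sits above the non-standard X-Hosts-DKIM-Check header. The function names, the sample message, its domain and its selector are all constructed for illustration.

```python
import email
from email import policy

# Constructed sample headers; domain, selector and bh=/b= values are made up.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
    s=default; h=From:To:Subject:Date; bh=CONSTRUCTEDBODYHASH=;
    b=CONSTRUCTEDSIGNATURE
X-Hosts-DKIM-Check: none
From: club@example.org
Subject: test

body
"""
# The same message as it would look if the server never signed it.
UNSIGNED = SAMPLE[SAMPLE.index("X-Hosts-DKIM-Check"):]

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def dkim_report(raw):
    """List DKIM-Signature headers and their position relative to
    X-Hosts-DKIM-Check (headers nearer the top were added later)."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    headers = [(name.lower(), value) for name, value in msg.items()]
    check_pos = next((i for i, (n, _) in enumerate(headers)
                      if n == "x-hosts-dkim-check"), None)
    sigs = []
    for i, (name, value) in enumerate(headers):
        if name != "dkim-signature":
            continue
        tags = parse_tags(value)
        sel, dom = tags.get("s"), tags.get("d")
        sigs.append({
            "selector": sel,
            "domain": dom,
            # DNS name where a verifier looks up the public key TXT record
            "dns_name": f"{sel}._domainkey.{dom}" if sel and dom else None,
            "above_check": None if check_pos is None else i < check_pos,
        })
    return {"signed": bool(sigs), "signatures": sigs}
```

Pass it the full raw source of a received message; an empty "signatures" list means the sending server added no DKIM-Signature at all, whatever other headers claim.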

