XF 2.3 Why can't I get XF's DKIM to validate?

joshg

Active member
This is driving me crazy.
I have openssl extension installed and enabled on my server, as per requirements
I go to ACP->Options->Email Options and click Enable for DKIM option.
I get this box... and enter my domain properly (actually, it prepopulates the domain properly in this box, and i leave it as is):

Xnip2025-01-08_10-56-37.webp

I click Proceed and get the popup with the info I need for the new TXT record to add to my server:
Xnip2025-01-08_10-58-55.webp

I follow the steps EXACTLY... I go to my cpanel at my host and access:
cpanel->Zone Editor->{my domain}->Manage:

I make a new TXT record with the values supplied by XF's dialog box, using copy and paste so it's exact. New record looks like this:
(part of key deliberately obscured)
Xnip2025-01-08_11-06-34.webp

I save that record, cPanel reports success saving it:
Xnip2025-01-08_11-10-07.webp

I go back to ACP->email options, and hit the confirm button on newly-generated keys data, and I get to a "Attempting to verify your DNS record..." status:
Xnip2025-01-08_11-11-10.webp

I wait like 2 days, and it still fails to validate.
Xnip2025-01-08_10-53-54.webp

The setup instructions seem so simple to follow, I think I'm doing it all right, and yet still it never validates. Tried like 10 times.
Any DKIM experts out there willing to give me any tips? I'm not super technical but can do what I need from cPanel in most cases.

Thank you!
 
Any DKIM experts out there willing to give me any tips? I'm not super technical but can do what I need from cPanel in most cases.

The required TXT record xenforo._domainkey.kscapeowners.com does not exist on your nameservers
Code:
cp1.privatesystems.net
cp2.privatesystems.net
cp3.privatesystems.net
cp4.privatesystems.net

That's all I can say, I don't know nor can find out why it does not exist - only you and / or your nameserver provider can answer that.
 
Are you self-hosting your DNS? If not, doing it in cPanel might not be the right place. Do it at your domain registrar or Cloudflare if you use it.
Thanks. I was told that since our nameservers are at our hosting provider, then that's where the TXT records on this needed to be. Our domain is hosted elsewhere... tried going there, but it told me, as expected, that I shouldn't be trying to edit records like this at their service since our nameservers are elsewhere.

So the whole process I'm describing above is at our forum hosting provider, which is where our nameservers are also.
 
Also, this tool was super helpful for me in testing:
wow, that is a VERY cool tool.

Ran it on my site, and it says my site passed every single check, including that the DKIM record is valid.
Xnip2025-01-08_14-17-18.webp
Not sure why @Kirby is showing it to not exist... I can see it and this tool can see it. Maybe was a DNS propagation delay?

Anyway, this is another thing that says my site's records are done properly, yet XF still says it doesn't see the record.
Super frustrating...

Really appreciate everyone's help. If anyone has another idea on why the check from XF is failing, would love to hear...
 
Do you have access to WHM or just cPanel? In WHM you can view a correct DKIM key and copy it to your name servers.
Not sure what WHM is, nor if I have access to it. Probably not... I'm on a shared server, hosted at KnownHost.
They also keep telling me that my DKIM seems to be set up right, so the problem must be within the Xenforo setup somehow.
 
wow, that is a VERY cool tool.

Ran it on my site, and it says my site passed every single check, including that the DKIM record is valid.
Not sure why @Kirby is showing it to not exist... I can see it and this tool can see it. Maybe was a DNS propagation delay?

Anyway, this is another thing that says my site's records are done properly, yet XF still says it doesn't see the record.
Super frustrating...

Really appreciate everyone's help. If anyone has another idea on why the check from XF is failing, would love to hear...
Great! If it passes the DKIM check then you do not need to do anything!
 
Not sure what WHM is, nor if I have access to it. Probably not... I'm on a shared server, hosted at KnownHost.
They also keep telling me that my DKIM seems to be set up right, so the problem must be within the Xenforo setup somehow.
It's not necessary to setup the XF DKIM as it is already configured correctly.
 
Doubt this is the issue, but I'm running PHP 8.2.26 rather than the current 8.3. I'm typically of the mind that if my site is running fine, not to mess with things like the PHP version until I have to. But any sense of if that could be the issue?
 
It's not necessary to setup the XF DKIM as it is already configured correctly.
No, when my forum sends emails out to members, I often get back rejections from some users' mail servers saying that they won't pass it through without DKIM and that there was no validated DKIM.

I thought I needed my adminCP to show that it IS finding the DKIM record that matches its expected key value, so all is fine. My ACP is NOT saying that... but every other tool out there is saying that my setup IS fine.
 
Not sure why @Kirby is showing it to not exist... I can see it and this tool can see it.
Hmm, where do you see selector xenforo?

The screenshot only shows selector default (which indeed does exist).

Maybe was a DNS propagation delay?
Maybe. Not sure what you did in the meantime but now a broken / truncated record seems to be served for xenforo

Code:
v=DKIM1; k=rsa; h=sha256; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6lirAThrfpntisFyh+EnZ7CGA83lfB65FjM2Mk3n1tOfibmnvzRnrTwPV/AyUVn0NGbyX/O00OEiqqH97r8pcoG66c3pv4B6zmP/3348mP30SSdST9TKVypJlGFgBZ0QlVjN9UQZX2qMMuDuMhUp+RyuXFBAFCGZlSCLL23f8djTlOOUg4

vs. working record for default

Code:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvA4EHE86cOwsrSa5g41FAbiiNIbQkDrMedUe112NSMm+vPhGVijIkvbZ/J4aaTr6oVv1e0wSHDgOnhTmz2Yxhg2jVh90JOUlTUbeE4hp9D0vjqFtvOKyKzG2m8ECjkvcxFgvftsUigL/s24ewd9WePCY/zNSMk0jmoyTln8lesZHxJfGPl+eAShT2Bl901TgqOh+9GASUQOLRYAXM0HVOn4dzaU4goqrSiKzocHlweDoL+DI6Scs0TRxUUJ36eEx6GeY3OP0wFsJnGC68T2UJD6y978yk3q+ra+XtbDfquJdLVhe6+k8pMcOTAaJBfYem+CJVnaFSDSaK/ArfHnbwIDAQAB;

but every other tool out there is saying that my setup IS fine.
Did you try
https://easydmarc.com/tools/dkim-lookup?domain=kscapeowners.com&selector=xenforo

https://mxtoolbox.com/SuperTool.aspx?action=dkim:kscapeowners.com:xenforo&run=toolpage

?

Try that and if it fails you may want to triple-check that the record value is correct / complete.
 

THANK YOU all... I finally got it to work! The big clue was in that wonderful tool @Kirby recommended above: easydmarc.

In case others end up here with the same question, here's what fixed it for me:

Visiting the page https://easydmarc.com/tools/dkim-lookup?domain=kscapeowners.com&selector=xenforo with my domain and the selector=xenforo set right, it kept saying that my p record wasn't the full 2048 bits it should have been.
That led me to believe that I had to break the TXT record into 2 parts, like I see my hosting company did with my DEFAULT DKIM record. I guess there's either a limit of like 256 characters in the cPanel interface to making these records, or an actual limit of 256 characters in the TXT record.
When I broke the big string that ACP->options->email options generated for me as my new DKIM record into two parts, and used cPanel to put in the first part and then used the "+ Add TXT string to this record" button, then pasted the 2nd half of the generated key in that box...
Xnip2025-01-08_22-46-56.webp

and saved the record THAT way,
then verified in cPanel that the combination of the two TXT strings looked right in the DNS record:
Xnip2025-01-08_22-40-48.webp

Then finally, XF ACP gave it the green light:
Xnip2025-01-08_22-39-12.webp


So ultimately, the problem is that XF ACP will generate a 2048-bit key, and it takes multiple TXT records at your nameserver DNS record to handle a 2048-bit key. Break it in half and you're golden.

Many of the other cool tools recommended here, like @briansol's awesome "learndmarc.com" and some others kept telling me my DKIM was coming back as valid because they were only looking at the default DKIM record... they didn't seem to have a way to put in a selector to validate an application-specific DKIM like Xenforo wanted... but that easydmarc page does let you do this. Thanks @Kirby!

Thanks, I learned so much from the helpful people here... and got my problem solved.

And yeah, @AndyB, I know that enabling this isn't strictly necessary... but the ADD in me still wanted to get it turned on and properly validated. :)
 
Great news that you got it working.

I guess there's either a limit of like 256 characters in the cPanel interface to making these records, or an actual limit of 256 characters in the TXT record.
Yup, DNS RRs are limited to 255 octets (bytes, "characters")

Many user interfaces (like AutoDNS, Cloudflare, etc.) already handle this "behind the scenes" so you can just paste the value - seems like cPanel isn't that user friendly and you have to split the string manually.

Btw: It doesn't make much sense to scramble the key part in your screenshots, it's public anyway so everybody can (and has to in order to actually verify a DKIM signature) just query this from your DNS :)
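Added example (not code from XenForo, cPanel or anyone in this thread) tying together the fix above and the 255-octet limit: it splits an XF-style DKIM value into TXT character-strings, reassembles them the way a verifier does, and reads the RSA key size out of p= so that a value pasted as a single string and cut at 255 characters shows up as a short key. The sample key is constructed (a valid DER shell around a dummy modulus), not a real one.

```python
import base64

def split_txt(value, limit=255):
    """TXT RDATA is a list of <character-string>s of at most 255 octets each
    (RFC 1035); this is the split cPanel's "+ Add TXT string" button makes you do."""
    data = value.encode()
    return [data[i:i + limit].decode() for i in range(0, len(data), limit)]

def parse_dkim(value):
    """'tag=value; tag=value' -> dict (whitespace around tags and values ignored)."""
    pairs = [p.split("=", 1) for p in value.split(";") if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}

def _tlv(buf, pos):
    """Minimal DER reader: (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_b64):
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> INTEGER n -> bit length.
    A trailing partial base64 group (cut-off record) is dropped rather than raised
    on, so a truncated p= shows up as a too-short key instead of a crash."""
    der = base64.b64decode(p_b64[: len(p_b64) // 4 * 4])
    _, spki, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, _, pos = _tlv(spki, 0)                  # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _tlv(spki, pos)             # BIT STRING; first byte = unused bits
    _, rsapub, _ = _tlv(bitstr[1:], 0)         # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsapub, 0)            # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_record(strings):
    """Verifier view: concatenate the strings with no separator (RFC 6376 3.6.2.2),
    then require v=DKIM1, a p= tag and a 2048-bit key like the one XF generated."""
    tags = parse_dkim("".join(strings))
    bits = rsa_modulus_bits(tags["p"]) if tags.get("p") else 0
    return {"valid_tags": tags.get("v") == "DKIM1" and "p" in tags, "bits": bits}

# Constructed sample key: the fixed DER header of an RSA-2048 SubjectPublicKeyInfo,
# an arbitrary 256-byte modulus and e=65537. Structurally valid, not a real key.
_SPKI_HDR = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
SAMPLE_P = base64.b64encode(_SPKI_HDR + b"\xc6" + b"\x5a" * 254 + b"\x5b" + bytes.fromhex("0203010001")).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; h=sha256; t=s; p=" + SAMPLE_P   # tag set XF uses

if __name__ == "__main__":
    print(check_record(split_txt(SAMPLE_RECORD)))    # {'valid_tags': True, 'bits': 2048}
    print(check_record([SAMPLE_RECORD[:255]]))       # one string cut at 255: bits 1056
```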
 
Btw: It doesn't make much sense to scramble the key part in your screenshots, it's public anyway so everybody can (and has to in order to actually verify a DKIM signature) just query this from your DNS :)
Ah... too funny.
I just don't know enough and didn't want to be one of those people who accidentally posted something that was not wise to post. But now I think about it, of course these DNS records are public... DOH!
🤦‍♂️
But maybe I made some more experienced people like you laugh. I'm ok with that. :)
Thanks again!
 