
We've recently been having some email delivery issues, so I find myself taking my first dive into the email server set-up world to make sure our emails are arriving as expected.

I ran mail-tester a few days back and it told me to add this DMARC entry:

v=DMARC1; p=none

I did so and now I'm getting this verification failure:

Your message failed the DMARC verification

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

The DMARC test failed but we didn't find any obvious reason why. If you recently modified your DNS, please wait a few hours and then test again.

DMARC DNS entry found for the domain _dmarc.example.com:

"v=DMARC1; p=none"

Verification details:

mail-tester.com; dkim=policy reason="signing key too small" (768-bit key; unprotected) header.d=example.com header.i=@example.com header.b=________; dkim-atps=neutral

mail-tester.com; dmarc=none header.from=example.com

mail-tester.com; dkim=policy reason="signing key too small" (768-bit key; unprotected) header.d=example.com header.i=@example.com header.b=________; dkim-atps=neutral

From Domain: example.com

DKIM Domain: example.com

Per this article, the header.b= tag "contains the first 8 bytes of the signature data", so I blanked out that data with ________. Not sure if that's necessary or not, but figured I'd err on the side of caution.

From the above, the only issue to fix that I can see is the signing key too small problem. I found two other DMARC failure questions without "any obvious reason why" like my own (see here and here), but neither of them included the signing key too small issue, so they don't appear to be on point.

Per this question, it seems the way to solve that is to use a 1024- or 2048-bit key, but I'm using Hostmonster and can't seem to find any way to do so. This question seems to cover a similar issue in an Exchange environment, but I'm not in an Exchange environment and not sure how to adapt that to my situation.

So how do you update to a 1024- or 2048-bit signing key? If this is done using TXT records in the DNS manager, how do you generate the keys?

Additionally, if there's some other obvious issue I'm missing here, please let me know; as noted above, I'm new at this.

Vincent
    Which email server are you using? How have you configured DKIM signing? Also, `p=none` without a `rua=` address is pretty pointless, as it equals not having a DMARC record at all. – Esa Jokinen May 26 '20 at 07:24

1 Answer


Not all hosting providers that offer shared hosting sign outbound emails with DKIM (or they sign with that funny short dummy key). I was personally facing that for Justhost and Hostmonster.

You probably have to get a VPS from them in order to be able to set up a DKIM private key, either via WHM/cPanel or via SSH / OpenDKIM.

The other option: you may consider changing your hosting provider to a better one with competing prices, e.g. Contabo.

Zonder
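Added example, not code from the question or the answer: assuming shell access to a host with `openssl` installed (the VPS / SSH route the answer describes), this generates a 2048-bit RSA DKIM key pair, prints the `selector._domainkey` TXT record to publish for example.com, and reads back the modulus size of a published `p=` value, which is the number behind mail-tester's "signing key too small" warning. The selector name `selector1` and the output directory are placeholders.

```shell
#!/bin/sh
# Generate a DKIM key pair and emit the DNS TXT record for it. Assumption: openssl
# is on PATH; the selector "selector1" is a placeholder, not from the original post.
set -eu
DKIM_DIR=${DKIM_DIR:-$(mktemp -d)}

gen_dkim_key() {
    # $1 = selector, $2 = domain, $3 = RSA key size in bits
    selector=$1; domain=$2; bits=$3
    openssl genrsa -out "$DKIM_DIR/$selector.private" "$bits" 2>/dev/null
    openssl rsa -in "$DKIM_DIR/$selector.private" -pubout \
        -out "$DKIM_DIR/$selector.public" 2>/dev/null
    # DKIM wants the base64 DER of the public key on one line, no PEM header/footer.
    pub=$(grep -v '^-----' "$DKIM_DIR/$selector.public" | tr -d '\n')
    printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; p=%s"\n' "$selector" "$domain" "$pub"
}

dkim_key_bits() {
    # $1 = the p= value (base64) from a DKIM TXT record; prints the modulus size.
    printf '%s' "$1" | openssl base64 -d -A \
        | openssl rsa -pubin -inform DER -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

dkim_key_ok() {
    # Returns 0 when the published key meets the 1024-bit minimum verifiers expect,
    # 1 otherwise (an unparsable or 768-bit key both fail this check).
    bits=$(dkim_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 1024 ]
}

p_from_record() {
    # $1 = a full TXT record line as printed by gen_dkim_key; prints only the p= value.
    printf '%s' "$1" | sed 's/.*p=\([^"]*\)".*/\1/'
}

# Usage: print the record to add in the DNS manager, then confirm its key size.
record=$(gen_dkim_key selector1 example.com 2048)
echo "$record"
echo "published key size: $(dkim_key_bits "$(p_from_record "$record")") bits"
```

The private key stays in `$DKIM_DIR/selector1.private` for the signing software (OpenDKIM or similar); only the printed TXT record goes into DNS.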