DKIM verification stuck — domainkey record format changed?

lanbin

Affected version: 2.3.9
Hi,

I'm having issues with DKIM verification.
As far as I remember, earlier the record used to look like xenforo._domainkey, but now when generating it just shows ._domainkey.
Previously the verification would pass in about 2 minutes, but now it's been over an hour and I'm still seeing this message:

"Attempting to verify your DNS record but it may take up to 24 hours for DNS changes to propagate. If it has been longer, you may need to verify your entries."
 

I've tried to set up DKIM recently as well with no luck. Several tries, but to no avail. It seems to be trickier than it should be, given that there are a bunch of threads from people having issues with it.

One thread that I found particularly useful is this one:


including this post with a hint that I wasn't able to try until now.

Others around the topic are, e.g., these:


 
The DKIM issue still remains in XenForo version 2.3.10. Today, out of curiosity, I created a test forum: https://d2e5f7551ef1e29c.demo-xenforo.com/2310/admin.php
(You may log in as the administrator with the username admin and password admin). There, the system similarly generates ._domainkey instead of xenforo._domainkey. After that, I wait 24 hours and still receive the same error.

@Chris D
 

Do you have access to your mail server? DKIM should be configurable there. I do not use the XF setting.
Obviously it heavily depends on what way of mailing one is using. If you use an external/separate mail server for relaying, there is no need for DKIM configuration within XF. If you use the built-in mailer, you will have the need, if you want to use DKIM.
 
I use an external SMTP server managed by Amazon SES. I reported this to XenForo. They've informed me this morning that it's a known issue, and that it'll be addressed in the next released version after 2.3.10.
 
> I use an external SMTP server managed by Amazon SES. I reported this to XenForo. They've informed me this morning that it's a known issue, and that it'll be addressed in the next released version after 2.3.10.
Why would you need to set up DKIM within XenForo if you are using an external smtp-server?
 
> Why would you need to set up DKIM within XenForo if you are using an external smtp-server?
It's a fair question. The honest reason is we migrated from a self-hosted server to a XenForo hosted server. We used to use the built-in mailer, and DKIM was working just fine. We later moved to use Amazon SES and we started receiving complaints that our emails were being sent to folks' SPAM folders. Sometimes DKIM signatures would pass, but sometimes they would fail and I couldn't figure out why.

In case there was some weird errant PHP mailer code still sitting on the server somewhere, I thought I'd cover my bases. Probably a wild goose chase, but I wanted to cover all possibilities.
 
> Probably a wild goose chase
Very. If you don't use the built-in mailer (which is a binary setting: either you do or you don't), DKIM settings within XF are not used either. You possibly have a DKIM settings issue with your Amazon mailer setup, but this has nothing to do with the topic of this thread.
 
> If you don't use the built-in mailer (which is a binary setting: either you do or you don't), DKIM settings within XF are not used either.
This is not correct. XenForo will sign emails if DKIM is successfully enabled no matter which transport (mail(), SMTP, etc.) is used.
 
> XenForo will sign emails if DKIM is successfully enabled no matter which transport (mail(), SMTP, etc.) is used.
:oops: Honestly? I am no DKIM expert but had assumed that DKIM would be a thing for an SMTP server and would not be used if XF acts as an SMTP client. Is this normal/expected behavior or rather misbehavior/a bug?
So if one uses XF as an SMTP client, one should disable DKIM manually to avoid trouble? Or does it even have advantages when it is still turned on?
 
You assumed wrong :)

It would be technically perfectly fine (though uncommon and probably unwanted / unnecessary in most cases) if both XenForo and the MTA sign an email (using distinct selectors / keys).

Personally I'd always sign at the MTA / SMTP server if possible. IMHO much easier / reliable / performant than via PHP, but not every SMTP provider offers DKIM signing.
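
The record names discussed in this thread, as an added example that is not part of any post and is not XenForo's code: a Python check that rejects a record name with an empty selector (the `._domainkey` case) and lists the `<selector>._domainkey.<domain>` names a verifier looks up when a message carries more than one DKIM-Signature. The selector `relay1`, `example.com` and the sample headers are constructed for illustration.

```python
import re

# RFC 6376 selector: one or more dot-separated DNS labels, so never empty.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_SELECTOR = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def split_record_name(name):
    """Split '<selector>._domainkey[.<domain>]' into (selector, domain)."""
    left, sep, right = name.rstrip(".").partition("._domainkey")
    if not sep or (right and not right.startswith(".")):
        raise ValueError(f"{name!r} is not a DKIM record name")
    if not _SELECTOR.fullmatch(left):
        raise ValueError(f"{name!r} has an empty or invalid selector")
    return left, right.lstrip(".")

def signature_lookups(raw_headers):
    """Return the TXT name a verifier queries for each DKIM-Signature header."""
    names = []
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    for line in unfolded.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "dkim-signature":
            continue
        tags = {}
        for part in value.split(";"):
            key, eq, val = part.partition("=")
            if eq:
                tags[key.strip()] = re.sub(r"\s+", "", val)
        selector, domain = tags.get("s", ""), tags.get("d", "")
        if not _SELECTOR.fullmatch(selector) or not domain:
            raise ValueError("signature has no usable s= or d= tag")
        names.append(f"{selector}._domainkey.{domain}")
    return names

# Constructed sample: one message signed by the relay and by the application.
# "relay1", example.com and the bh=/b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=relay1;\r\n"
    "\tc=relaxed/relaxed; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=c2FtcGxl\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=xenforo;\r\n"
    "\tc=relaxed/relaxed; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=c2FtcGxl\r\n"
    "From: Forum <noreply@example.com>\r\n"
    "Subject: constructed sample\r\n"
)
```

Each name returned by `signature_lookups` needs its own TXT record, which is why two signers on one domain must use distinct selectors.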
 