3
DKIM signing annoyances
Idea shared by echoDreamz - 12/15/2023 at 9:11 PM
Completed
Have a user trying to enable DKIM signing for their domain. Our control panel automatically creates the DNS record for them on our public authoritative servers, and the TXT record exists and is valid, but SM keeps saying it doesn't exist.

If I dig against our internal resolvers, they return back the valid TXT record, the same resolvers that SM is set to use, but SM keeps saying it does not exist. I have also validated the TXT record with MX Toolbox and it also agrees that the record is valid and it matches the one SM is stating is missing and to create.

Can I pretty please get a force parameter in the API (doesn't need to be on the UI), to tell SM to ignore lookups, especially when we are handling the DNS. This should be stupid easy to add: a simple if statement around the DNS call to bypass it or not. This would allow customers like myself who have a control panel that automates all this to bypass SM checks, since we know the record exists before we try and enable it in SM.

I have tried flushing our internal resolvers and their cache. SM either has its own cache that I don't see a way to clear, or there is a bug.

I will literally give y'all my first-born child, I will sell my soul to Tim... Having this parameter would solve one of our biggest issues with SM.

9 Replies

0
It has been awhile since I rolled over my key, but I think it tests an external DNS, probably Google, before declaring the new key usable.   I think that takes several minutes.
1
It took almost 2 hours.
1
Lookups should be allowed to be ignored, in our case, because we handle the creation and setup of the DNS records; there is no need to perform any lookups.

We are also on the latest build. 
0
A new DKIM key is not effective unless recipients can find the key in DNS.    The often quoted rule-of-thumb is that DNS entries can take up to 24 hours to propagate to the whole world.  (This estimate is probably excessive for most potential recipients, but the delay is real.)

The only correct way to do key rollover is to:
(a) create the new key pair and publish the new public key, while continuing to sign with the old key.
(b) wait 24 hours
(c) begin signing with the new private key.

Unfortunately, SM does not allow this sequence, because you cannot use a key pair generated externally, and you cannot generate a new key without disabling the old one.   As a result, you will have unsigned mail during the propagation delay, which is bad, and a powerful incentive to avoid key rollover.   I have been on record with them about this previously.  The changes in this release seem like a modest step in the right direction, but I agree that we still have a problem.
2
Tim Uzzanti Replied
Employee Post
I think you're going to like the updates to DKIM in this week's release.

We still want to include a bit more after the holidays.  Andrea will be including some more details in this thread today or tomorrow.  
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
0
Thanks Tim for the update!
2

Build 8755 (Dec 21, 2023)

  • Added: A DKIM rollover method which allows DKIM to continue signing with the existing record while a new DKIM record propagates DNS.
2
Employee Replied
Employee Post
Hi all, 

I wanted to let you know that we've made DKIM enhancements with the release of Build 8755 (December 21, 2023). We now offer a DKIM rollover method that allows DKIM to continue signing with the existing record while a new one is pending DNS propagation. 
 
If you click Begin Rollover, you'll be presented the new DKIM record that can be inserted in DNS. When you continue, you'll see two DKIM records on the card: one Active and one Pending. SmarterMail will do periodic DNS checks for up to 48 hours to see if the new DKIM record has been propagated. As soon as SmarterMail sees the new record, the Pending record will switch to Active, and SmarterMail will start using that for outgoing signatures. Domain Admins will receive a notification when the DKIM rollover is successful or if it has failed. 
 
We also included the ability to force the DKIM rollover, without waiting on the DNS verification. Just note that we don't recommend that you do this. Outbound DKIM signing can fail if the DKIM record was improperly inputted, or even if the recipient servers still have the old DKIM record cached.
 
Chris, I'd also like to make you aware that the API does include the ability to update the DKIM signature and force SmarterMail to start using it right away. You should have received an email / ticket with more information on how this can be achieved. 

Kind regards,
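The rollover sequence described earlier in this thread (publish the new key, keep signing with the old one, switch only once the new record is visible) and the Build 8755 behaviour described above (periodic checks for up to 48 hours, Pending switching to Active, an optional force) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not SmarterMail code and does not use SmarterMail's API. The resolver lookups are replaced by a constructed in-memory zone so it runs offline; the selector names, resolver addresses and key strings are all made up.

```python
"""DKIM rollover controller with multi-resolver verification (example, not SmarterMail code).

Idea: a new selector is only promoted from Pending to Active when every resolver
we care about returns a DKIM record whose p= value matches the key we published.
A resolver that still serves a stale cached record, or no record at all, keeps the
rollover pending until a deadline (48 hours, as in the thread) after which it fails.
"""
import re
import time
from dataclasses import dataclass, field


def parse_dkim_record(txt):
    """Parse a DKIM TXT record ('tag=value; tag=value') into a dict.

    Follows RFC 6376 tag-list syntax: tags separated by ';', whitespace is
    permitted (and stripped) inside the p= value. Raises ValueError on malformed input.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1 if present
        raise ValueError("unsupported DKIM version")
    if "p" not in tags:                             # p= is the only mandatory tag
        raise ValueError("missing p= tag")
    return tags


@dataclass
class Rollover:
    domain: str
    active: str                 # selector currently used for signing
    pending: str                # new selector waiting for DNS propagation
    expected_p: str             # base64 public key we published under the pending selector
    deadline_hours: int = 48
    started: float = field(default_factory=time.time)


def check_once(rollover, lookup, resolvers, now=None):
    """One verification pass. Returns 'active', 'pending' or 'failed'.

    lookup(name, resolver) must return a list of TXT strings (possibly empty).
    Promotion happens only when *all* resolvers agree on the expected key.
    """
    name = f"{rollover.pending}._domainkey.{rollover.domain}"
    now = time.time() if now is None else now
    for resolver in resolvers:
        matched = False
        for txt in lookup(name, resolver):
            try:
                tags = parse_dkim_record(txt)
            except ValueError:
                continue                            # ignore unrelated or broken TXT strings
            if tags["p"] == rollover.expected_p:
                matched = True
                break
        if not matched:
            if now - rollover.started > rollover.deadline_hours * 3600:
                return "failed"
            return "pending"
    rollover.active, rollover.pending = rollover.pending, None
    return "active"


def force_promote(rollover):
    """Switch signing without DNS verification (the 'force' path the thread asks for).
    Risk: recipients that cannot yet see the new key will fail verification."""
    rollover.active, rollover.pending = rollover.pending, None
    return rollover.active


def make_fake_lookup(zone):
    """Constructed stand-in for DNS: zone maps (resolver, name) -> list of TXT strings."""
    def lookup(name, resolver):
        return zone.get((resolver, name), [])
    return lookup


def demo():
    """Walk through: one resolver lags, then serves a stale key, then catches up."""
    r = Rollover(domain="example.com", active="s1", pending="s2",
                 expected_p="NEWKEYBASE64", started=0.0)
    name = "s2._domainkey.example.com"
    zone = {("10.0.0.1", name): ["v=DKIM1; k=rsa; p=NEWKEYBASE64"]}   # constructed answers
    lookup = make_fake_lookup(zone)
    resolvers = ["10.0.0.1", "10.0.0.2"]
    first = check_once(r, lookup, resolvers, now=60)                 # 10.0.0.2 has nothing yet
    zone[("10.0.0.2", name)] = ["v=DKIM1; k=rsa; p=OLDKEYBASE64"]    # stale cached record
    second = check_once(r, lookup, resolvers, now=120)
    zone[("10.0.0.2", name)] = ["v=DKIM1; k=rsa; p=NEWKEYBASE64"]    # cache refreshed
    third = check_once(r, lookup, resolvers, now=180)
    return first, second, third, r.active


if __name__ == "__main__":
    print(demo())   # ('pending', 'pending', 'active', 's2')
```

Swapping `make_fake_lookup` for a real resolver call (for example a dnspython query against each of the internal resolvers the original post mentions) turns this into a check you can run before calling any force path: if all your own resolvers already return the matching p= value but the mail server still reports the record missing, the disagreement is in the server's own cache or its choice of resolver, not in DNS.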
0
Hey @andrea
Is there a different knowledge base article for the latest build, or is this one it (it needs to be updated)?
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
