Fixing DKIM records for a domain.

Today I was testing the DKIM record for a domain, and discovered that it was failing.  The DNS records are hosted on Cloudflare, and the emails are managed by multiple cPanel servers.  This domain has been moved around between servers, and I am thinking that’s why the public and private keys weren’t working correctly.

Below are the steps I have taken to have the DKIM working again:

  1. SSh’ed into the server this domain is hosted on, and ran #cat /var/cpanel/domain_keys/public/
  2. Copy and paste this Cloudflare.
  3. Now test it by sending an email to a gmail inbox, or to  If an email is sent to, a report will be returned in a few minutes time.
  4. For some strange reason, even with the correct public key updated on Cloudflare, the DKIM check was still failing.  So I had to run the following:
    #usr/local/cpanel/bin/dkim_keys_uninstall username
    #usr/local/cpanel/bin/dkim_keys_install username
    “username” is the username of the hosting account.
    Running these commands will refresh the DKIM public and private keys.
  5. Now, I will get the new public key from /var/cpanel/domain_keys/public/ and update the TXT record for default._domainkey on Cloudfare.
  6. Once done, I test it again by sending an email to and wait for the reply with the report.
  7. This time the DKIM check passes.  Now I will need to copy the private (/var/cpanel/domain_keys/private/ and public key to all servers which this domain uses to send outgoing SMTP.  Theoretically we can select up a different selector and add different DKIM key for each server, but it appears cPanel only uses the ‘default’ selector, so the only way to get all servers to pass the DKIM check will be to copy the private and public key to all servers.
  8. Finally, I test outgoing mail from all servers and make sure both DKIM and SPF records pass.  I will run more tests another day, and if I am confident enough, will set the DMARC record for this domain as well.