Author Topic: Postmark DKIM selector changes when SOA serial updates  (Read 293 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Postmark DKIM selector changes when SOA serial updates
« on: March 18, 2024, 11:09:18 PM »
I'm new to CWP and have migrated 13 of 50+ sites from cPanel/WHM so far and am seeing an issue on each of the sites. I'm using Postmark which involves adding a unique DKIM to each site's zone file. The DKIM selector is created by Postmark so I have no control over it. When I update the SOA record and its serial number increments, it also changes the Postmark DKIM serial. For example

- Original Postmark selector: 20240216030441pm._domainkey
- Original SOA serial: 2024031800
- Updated SOA serial: 2024031801
- Postmark selector after SOA update: 20240318010441pm._domainkey

So the first 10 digits of the PM selector change to match the new SOA serial, which breaks the PM service.

I'm seeing this on all of the new accounts and regardless of how different the selector and serial are from each other. The first 10 digits of the selector always change to match the serial. There should be no correspondence between the two numbers but I have a feeling that since they use a similar format, the code or configuration in CWP used to increment the serial is also applying to the PM selector.

It doesn't seem to matter whether I use DNS Functions > Edit Record or DNS Functions > Edit File. If I update the SOA, the PM selector will change as well. The only way around it is to edit all records manually using Edit File, including the SOA serial, but that only seems to work temporarily.

Thanks in advance for any help getting around this.

Offline
****
Re: Postmark DKIM selector changes when SOA serial updates
« Reply #1 on: March 19, 2024, 12:08:01 AM »
You should just have to create an additional DKIM, SPF for Postmark in the DNS that come from them.

e.g. postmark_domain TXT DKIM=(rest of DKIM)
Same for SPF.

If you try & change anything else, things will get messed up.

Here's a good article I found that guides you thru the DKIM & SPF records.
https://easydmarc.com/blog/postmark-spf-and-dkim-setup-step-by-step/
« Last Edit: March 19, 2024, 12:10:07 AM by Starburst »

Offline
*
Re: Postmark DKIM selector changes when SOA serial updates
« Reply #2 on: March 19, 2024, 12:47:24 AM »
Thank you for the reply. I am actually doing just as you say and as the blog post outlines. I've done many of these in cPanel. The issue is that something in CWP is changing the Postmark selector when updating the SOA.

I just migrated two sites and noticed that even when I add the Postmark DKIM record in DNS Functions > Edit Records, when I Save the record and check it in the table below, the selector is not the same as I pasted in. For example:

- Original PM selector pasted into new record: 20240109205755pm._domainkey
- After saving the new record: 20240319075755pm._domainkey
- Edit, Paste again, Save again: 20240319075755pm._domainkey

So it's not only when I Update SOA, merely adding and saving the PM DKIM record comes back with the wrong selector. And it's always related to the SOA serial number.

I can trick it by repasting the selector in DNS Functions > Edit File and saving after updating the SOA but obviously the SOA change is overwritten as well. If I make any changes to the DNS file later and the SOA is updated, the PM selector gets corrupted.

Offline
****
Re: Postmark DKIM selector changes when SOA serial updates
« Reply #3 on: March 19, 2024, 10:21:41 PM »
Try to edit & save the RAW DNS file, and not use the GUI.

You can get to the RAW BIND file via:

Admin Panel -> DNS Functions -> List DNS Zones -> (domain name) Edit File

After making your changes, click Save File, and Restart BIND.


Offline
*
Re: Postmark DKIM selector changes when SOA serial updates
« Reply #4 on: March 20, 2024, 01:58:45 AM »
Thank you for the reply but the last paragraph of my most recent post states that I've done exactly that. That's a way to get the PM selector to stick in the beginning. However, any changes whatsoever to the zone file later that necessitate an SOA update will change the PM selector again.