Hidden DKIM settings in GoDaddy Shared Hosting Email

The Problem

When I send emails out through GoDaddy’s shared web hosting and email server, the emails get signed with DKIM and fail DKIM checks on the recipients’ end. GoDaddy claims that they do not support DKIM, and they do not have it enabled, but why do the emails all get signed with DKIM? I’ve tried this with different setups through GoDaddy hosting through completely different accounts on their Ultimate and Deluxe hosting plans. Results are the same. DKIM appears to be enabled, but the configuration is disabled and nowhere to be found.

After hours of battle with GoDaddy’s live chat tech support, it turns out their knowledge of DKIM and email settings, in general, is very lacking. On top of that, there are hidden configurations that GoDaddy either doesn’t know about or chooses not to provide in regards to DKIM email signing.

I’ve talked to GoDaddy live chat three times in the same day, spanning over 6 hours to figure out why my emails are being signed with DKIM, even though there is no option available in cPanel. GoDaddy says they don’t support DKIM. So why are the emails being signed with DKIM on their servers?

It’s DNS… kind of. People say it’s always DNS, but this is my first being a network admin for many years.

GoDaddy has its own DNS portal under “Domains”. This is different than within cPanel. These GoDaddy Domains were set up properly. No DKIM records or anything.

The cPanel server apparently has its own DNS zone list. Now you might be thinking, sure! I’ll just open the cPanel web interface and check it out! However, in my case, there was nothing listed on the DNS page of cPanel other than an MX record. The rest are hidden.

So I wanted to do some digging – I enabled the cPanel API, and CURL’d my way into getting the DNS records from the cPanel configuration. (Remember, the cPanel has its own internal DNS records that are different than the GoDaddy Domains portal!) To my surprise, the list was completely different! Lo and behold, there were a bunch of DNS records that weren’t listed in any web interface GoDaddy had to offer! The “default._domainkey.{mydomainname}.com” was there! I copied this entry out to GoDaddy’s primary “Domains” DNS list and DKIM signatures worked and passed!

It seems that the cPanel mail configuration signs the emails with DKIM in its own internal configuration.

The Solution

Prerequisites

You will need to either SSH into your account, or use a Linux terminal with curl. Alternatively, without using curl you can probably use an app like Postman to get the information you need. I won’t go into much detail on how to use either of them here.

Create a cPanel API token

  1. Log into cPanel
  2. In cPanel, head to Manage API Tokens > + Create
  3. Give your token a name
  4. Save the API token string somewhere safe. We use this later.

Check if DKIM is enabled

Open up a linux terminal and run the following command. Replace the terms with ALL CAPS with your own information. This will show you whether DKIM is enabled on the cPanel server.

curl -H 'Authorization: cpanel CPANEL_USERNAME:API_TOKEN' 'https://YOUR_PRIMARY_DOMAIN.COM:2083/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=get_email_signing'

# My output:
# {"cpanelresult":{"func":"get_email_signing","data":["dkim_available",1,"dkim",1],"event":{"result":1},"module":"Email","preevent":{"result":1},"postevent":{"result":1},"apiversion":2}}

# The `["dkim_available",1,"dkim",1]` means DKIM is available and enabled in cPanel.

Fetch the internal DNS records

Next, run the following command to list the current DNS records internal to cPanel. The result is a JSON string.

curl -H 'Authorization: cpanel CPANEL_USERNAME:API_TOKEN' 'https://YOUR_PRIMARY_DOMAIN.COM:2083/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=DOMAIN_TO_LOOKUP.COM'

Within those results, you will find a record with name of default._domainkey.DOMAIN_TO_LOOKUP.COM.

Update your Public DNS record

Copy the string in the txtdata property of this object. The string would start with something like v=DKIM1; k=rsa; p=... This string should be a public TXT record, using the same record name (ie. default._domainkey). I won’t go into details on how to update your public DNS records for your domain here.

You will have to repeat these steps for all your domains on your account if you want emails to be signed properly.

Conclusion

Even though GoDaddy claims that they do not support or enable DKIM, this is somewhat untrue. I can only speculate as to the reasons they have it enabled but not support it. I’m thinking:

  • they want to upsell their premium email services,
  • having two separate DNS portals is just too complicated for them,
  • or they simply don’t know that their automatic cPanel deployments generate DKIM, and are unsure how to deal with it.

Nonetheless, their tech support doesn’t seem to know about any of this. One of them even tried to copy the DKIM signature from an email header and used it as the DNS TXT _domainkey record… Enough said.

Further Reading

There were a couple other things I’ve tried in addition to the instructions above. Checking out the cPanel API documentation is very helpful. However, it seems GoDaddy has restricted permissions on actually disabling DKIM through the API on the consumer side, but at least we can still extract the data out of it.

References to Unsolved Google Searches

4 Replies to “Hidden DKIM settings in GoDaddy Shared Hosting Email

  1. godaddy support told me DKIM is old and outdated, which is why they don’t support it. The rep assured me SPF was authenticating all email. They stated several times they were an “email expert” so this must be correct.

    1. I’ve called GoDaddy multiple times about this issue on different accounts. They “guarantee” that the DKIM is disabled on all accounts, yet emails coming out of their servers are still signed with DKIM, which fails on the recipient side.

  2. GoldDaddy has disabled DKIM headers now.(2022 Feb) the returned value will be [“dkim_available”,1,”dkim”,0]`, when I’m checking my mails sent out from cpanel’s email, they don’t have DKIM headers. Also, the “Email Deliverability” tool in the Cpanel is being disabled by Godaddy. which means we have no way to set up DKIM in our server. when I call curl … “cpanel_jsonapi_module=DKIMUI&cpanel_jsonapi_func=install” (insntall DKIM), it will just return “”error”:”You do not have the feature “emailauth”.”” Sadly, I felt like I’m being scammed that Godaddy’s cpanel is handicapped.

  3. This was a great post, but unfortunately on the server I’m on, as of May 2023, it doesn’t work. I saw Andy’s reply from a year ago, but I still get “dkim:1”. I can grab the contents of the TXT record, but GoDaddy doesn’t add the DKIM header to any outgoing emails. I poked around the API a bit and tried the “enable_dkim” option: ‘https://domain.com:2083/execute/EmailAuth/enable_dkim?domain=domain.com’ and the response is “You do not have the feature “emailauth”.

    On top of charging for SSL, it’s ridiculous that GoDaddy doesn’t allow us to set up DKIM in 2023. I think this will be the straw that finally gets the client to change hosts.

Leave a Reply to Jeff Cancel reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.