Euclid
10 years ago
I'm using the application with IIS on Windows Server 2012 R2 but I get the following error for every mail:
[Error] - BeginSignHash - Invalid provider type specified.
NativeErrorCode: -2146893804 DKIM Begin Sign Hash

I'm using a .pfx file with a 1024-bit RSA key.

Instead of using a .pfx file, it would also be a good idea to allow the selection of a certificate which is already present in the local machine certificate store. This is also more secure since the certificate password doesn't have to be stored and the certificate can be imported into the store with the "allow export" option set to false.

Update: An additional error is logged when I select sha256 instead of sha1:
[Error] - BeginSignHash - Invalid provider type specified.
NativeErrorCode: -2146893804 SHA256 is not supported; Try SHA1 Now

The problem is most likely coming from a call to
CryptAcquireContextW(&context, 0, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)
which fails and the last error is: NTE_BAD_PROV_TYPE (-2146893804) which is then reported.

Maybe you want to use BCrypt (BCryptCreateHash et al) on Windows Vista+ instead:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376217(v=vs.85).aspx
ivan
10 years ago
Hi, Euclid


That is because the pfx was generated by CNG (Cryptography API: Next Generation); the current version doesn't support this pfx type.

The current solution is to create the pfx file with DKIM Manager.
We are working on CNG and machine key storage; once it is done, we will release a new version.

Thank you very much.
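
An added example, not part of the thread and not the product's own code: one way to check whether the private key of each certificate in the local machine store is held by a legacy CryptoAPI CSP or by a CNG key storage provider, which is the distinction the reply above describes. The function name `Get-PrivateKeyApi` and the choice of the `LocalMachine\My` store are assumptions made for illustration; run it in an elevated PowerShell session on Windows.

```powershell
# Added example: classify certificate private keys as CryptoAPI (CSP) or CNG (KSP).
Add-Type -Namespace Native -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptAcquireCertificatePrivateKey(
    IntPtr pCert, uint dwFlags, IntPtr pvParameters,
    out IntPtr phCryptProvOrNCryptKey, out uint pdwKeySpec,
    [MarshalAs(UnmanagedType.Bool)] out bool pfCallerFreeProvOrNCryptKey);
'@

function Get-PrivateKeyApi {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # CRYPT_ACQUIRE_CACHE_FLAG (0x1): the handle is owned by the certificate context,
    #   so nothing has to be released here.
    # CRYPT_ACQUIRE_SILENT_FLAG (0x40): never show UI (this is meant for a service host).
    # CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG (0x10000): also accept CNG keys.
    $flags = [uint32](0x1 -bor 0x40 -bor 0x10000)
    $hKey = [IntPtr]::Zero
    $keySpec = [uint32]0
    $callerFree = $false

    $ok = [Native.Crypt32]::CryptAcquireCertificatePrivateKey(
        $Certificate.Handle, $flags, [IntPtr]::Zero,
        [ref]$hKey, [ref]$keySpec, [ref]$callerFree)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return 'Unavailable (0x{0:X8})' -f $err
    }
    # CERT_NCRYPT_KEY_SPEC (0xFFFFFFFF) means the key lives in a CNG key storage
    # provider; AT_KEYEXCHANGE (1) or AT_SIGNATURE (2) means a legacy CSP.
    if ($keySpec -eq [uint32]::MaxValue) { 'CNG (key storage provider)' }
    else { 'CryptoAPI (legacy CSP)' }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object HasPrivateKey |
    Select-Object Subject, Thumbprint, @{ n = 'KeyApi'; e = { Get-PrivateKeyApi $_ } }
```

A key reported as CNG is the kind that code written only against the legacy `CryptAcquireContext` provider types cannot open.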
