TransIP DNS fails as API keeps reporting Unauthorized

Issues
1

Issue Description

I have a domain with TransIP and setup automatic DNS updates in Stalwart 0.16.6.

Stalwart has my username and the PEM-contents (including header and footer part) for the key pair created at the TransIP control panel.

It has full permissions and the IP whitelist is off.

However, for every record the API response keeps giving Unauthorized:

Failed to create DNS record for ua-auto-config.onderzone.nl.: Failed to create DNS record: Unauthorized; Failed to create DNS record for _ua-auto-config.onderzone.nl.: Failed to create DNS record: Unauthorized; Failed to create DNS record for autoconfig.onderzone.nl.: Failed to create DNS record: Unauthorized; …etc

Expected Behavior

Authorize with the TransIP API and correctly setup the DNS records

Actual Behavior

The API response is Unauthorized for every DNS record mutation.

Reproduction Steps

In TransIP:

  1. Turn on API access
  2. Create key pair
  3. Copy Private Key

In Stalwart:

  1. Create DNS Provider
  2. Server type: TransIP
  3. Username: my TransIP control panel username
  4. Private Key: paste contents from TransIP (including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
  5. Change domain name settings to use automatic DNS from this provier

Relevant Log Output

2026-05-20T10:55:03Z WARN Task failed during processing (task-manager.task-failed) id = 308268381920821248, details = “DnsManagement”, reason = "Failed to create DNS record for ua-auto-config.onderzone.nl.: Failed to create DNS record: Unauthorized; Failed to create DNS record for _ua-auto-config.onderzone.nl.: Failed to create DNS record: Unauthorized; Failed to create DNS record for autoconfig.onderzone.nl.: Failed to create DNS record: Unauthorized; Failed to create DNS record for autodiscover.onderzone.nl.: Failed to create DNS record: Unauthorized;

… etc

Stalwart Version

v0.16.6

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

Internal

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.

on

I have searched this support forum (open and closed topics) and confirm this is not a duplicate.

on

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

on

2

Let me look into the TransIP DNS provider implementation to understand what might cause authentication failures.

The TransIP integration uses the dns-update crate under the hood. The “Unauthorized” error is coming directly from the TransIP API. Based on the source code, Stalwart passes your username and private_key_pem directly to the TransIP API authenticator. Here are the most common causes of this error:

Most likely causes and things to check:

  1. Key format – TransIP expects the private key in PKCS#8 PEM format (beginning with -----BEGIN PRIVATE KEY-----). If the key in your TransIP control panel is an RSA key (beginning with -----BEGIN RSA PRIVATE KEY-----), the API may reject it. Make sure you are copying the exact PEM text that TransIP generated, including the -----BEGIN...----- and -----END...----- header/footer lines.

  2. Whitelist mode vs. “all IPs” – You mentioned the IP whitelist is off, but double-check in the TransIP control panel that the API key is set to allow all IPs (not just a whitelist). Some accounts require explicit confirmation for this.

  3. API key permissions – Confirm the key has “Read/Write” permission in the TransIP control panel, not read-only. TransIP sometimes shows keys as active but with only read access.

  4. Username – The username field must be your TransIP login name (the one you use to log in to the control panel), not an email address or an account ID.

  5. Key expiry / one-time keys – TransIP allows creating one-time-use keys. If the key was already used once for authentication in testing, it may have been invalidated. Generate a fresh persistent key and paste it into Stalwart.

Since there is no specific TransIP troubleshooting section in the current Stalwart documentation, you may want to verify the integration works by testing the TransIP API directly (e.g., using their Postman collection or a quick curl test with the same credentials) to confirm whether the issue is on the TransIP side or in how Stalwart is passing the credentials.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

3

Thank you, bot.

  1. Yes, I did this. Double checked for hidden spaces before and after.
  2. The key setting is ‘all ip’s’: on. Just to be sure, I’ve added the mailserver IP to the whitelist as well.
  3. TransIP does not provide this option, all keys have full access.
  4. That’s right, it is my login name
  5. Tried three times, no luck

@helpbot: also, the TransIP documentation states that you need to use the Key Pair to create an Access Token first, and then you can use the API. See TransIP API . Not sure if the Stalwart implementation takes care of this.

4

This has been fixed but could not be tested as we do not have an account with your DNS provider. If you are familiar with Rust (or have an LLM to help you) we suggest you try running a quick test using the dns-update crate (with the latest code from main).

5

Thank you for looking into this, I’ll just wait for the new Stalwart version. Or send me an email and i’ll share my credentials. There is a spare domain that is not in use.

6

Revolved in v0.16.7.

Will create a new ticket for another issue.