SPF and DKIM - validating incoming mail

[wemail]

Apparently for outgoing mail these are both complete in the cPanel Exim build. Incoming mail verification lacks the functionality still.

Is there any beta incoming functionality in EDGE or CURRENT yet? Do we have any ETA for being able to use either or both fully?

The need becomes greater as places like Yahoo impose them on us by screwing up our users' email due to our inability to comply!

Related to SPF there remains the outstanding matter of an SRS (rewriting) option, to allow continued use of forwarders to work. Loss of forwarders would be disastrous for us.

[cPanelKenneth]

cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor. At this time the functionality is only available on Linux systems.

The Exim RPM provided with cPanel 11.23 has SRS functionality as implemented by the Exim project, however it must be completely configured by the admin as we do not provide support for this. Documentation on Exim's implementation of SRS is found at http://wiki.exim.org/SRS

There are no plans at this time to implement DomainKey or DKIM lookups on incoming mail.

[wemail]

... The Exim RPM provided with cPanel 11.23 has SRS functionality as implemented by the Exim project, however it must be completely configured by the admin as we do not provide support for this. Documentation on Exim's implementation of SRS is found at http://wiki.exim.org/SRS

Thanks.

I got the impression from Alex Villegas some weeks ago that there might be some more cPanel guidance on how to configure SRS coming out in due course. The Wiki article is not very meaningful to me (it seems to omit some things) and one of my colleagues, who is more into Linux than me, has also not got it working yet.

If somebody has got it working and is willing to share their config, it would be appreciated by many people, I suspect. Provided it is in English of course - I only found something in Brazilian Portuguese!

[shacker23]

cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor. At this time the functionality is only available on Linux systems.

I'm running cpanel 11.24.5 on linux. In the Exim config editor the only SPF-related option I see is "Blacklist: SPF Checking" . Is that the one you mean? It's already enabled but in the user's cpanel I do not see a way to whitelist incoming domains for SPF.

Thanks,
Scot

[cPanelDavidG]

I'm running cpanel 11.24.5 on linux. In the Exim config editor the only SPF-related option I see is "Blacklist: SPF Checking" . Is that the one you mean? It's already enabled but in the user's cpanel I do not see a way to whitelist incoming domains for SPF.

Thanks,
Scot

Keep in mind that RBLs are IP-based, not domain-based, so you would need to whitelist the entire IP rather than a specific domain.

The option to whitelist IPs is only available to system administrators at this time. You can edit this whitelist by going to WHM -> Service Configuration -> Exim Configuration Editor and clicking the "Edit" button next to "Whitelist: IPs that should not be checked against RBLs."

[shacker23]

Hmm, cpanelkenneth said above :

cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor.

To me that sounds like a true incoming SPF checking control, rather than merely whitelisting IPs. So does this mean that whitelisting of IPs is and will always be the only option for getting around SPF failure of incoming messages? Or that the feature isn't baked into WHM yet?

Thanks.

[cPanelKenneth]

Hmm, cpanelkenneth said above :



To me that sounds like a true incoming SPF checking control, rather than merely whitelisting IPs.

Correct. cPanel 11.23 introduced support for SPF checking on incoming email for Linux hosts.

So does this mean that whitelisting of IPs is and will always be the only option for getting around SPF failure of incoming messages?

What failures? Please provide examples.

[shacker23]

Correct. cPanel 11.23 introduced support for SPF checking on incoming email for Linux hosts.

Right, and my question again is *where* can I or my users configure that control?

For example, a very high profile Wall Street Journal writer is trying to send email to one of my users. The author's mail is failing SPF checks, and my server is rejecting mail that fails SPF checks. I want the ability to whitelist either the sender or the host the sender is sending through to prevent his messages from being dropped. Is it really an all or nothing proposition with no whitelisting option, either in cpanel or WHM?

[malc_b]

I've moved hosting to a company using cPanel and I'm getting the same problems. Spam still gets through but so far no emails from my major client and my car insurer and business insurer both had had their emails bounced. BTW I checked my email worked from my googlemail so it's not a typo of mine.

I'm now looking to move host again as it is just too unreliable not to have trustworthy email. It seems like spf on incoming email is not essential to cPanel so I could still use a a hosting using cPanel.

[cPanelKenneth]

Performing SPF checks on incoming email is a global Exim configuration option. It is enabled via the following checkbox in the Exim Configuration interface in WHM:

Blacklist: SPF Checking

The only control given to the end user is the ability to configure the SPF record for his domain(s).

[Spiral]

I've moved hosting to a company using cPanel and I'm getting the same problems. Spam still gets through but so far no emails from my major client and my car insurer and business insurer both had had their emails bounced. BTW I checked my email worked from my googlemail so it's not a typo of mine.

I'm now looking to move host again as it is just too unreliable not to have trustworthy email. It seems like spf on incoming email is not essential to cPanel so I could still use a a hosting using cPanel.

Oh good grief! Spam protection is a complex subject and like security is truly an art form in and of it's own right ...

Generally, speaking there are a lot of different measures to take and different ways of implementing different technologies and different configurations in different places throughout your server that when combined together work to the common goal of providing you working spam protection without dropping legitimate mail.

Most anyone can tinker around with options a bit and good a reasonably well working spam protection setup but you may still get some spam through or occasionally lose a legitimate piece of mail on accident.

The real question here is experience and knowing the pitfalls and what you are doing which is where the "art form" comment comes in above.

If you need help setting up a working spam solution, contact me.

Otherwise, you probably want to enable SPF checking in Exim configuration in WHM and add SPF and DomainKey records using your Cpanel control panel for each domain you host, enable SpamAssassin (and configure) [OR] MailScanner and use the SMTP adjustments with CSF (preferred) [OR] the SMTP tweak in the security center in WHM. I would also use SuPHP for PHP and modify mail headers and logging in Exim to track sent messages better.

Regarding forwards, I would stay away from any blind mail forwards that have Yahoo or AOL targets because both of their spam protection systems are broken and over-zealous and unable to tell the difference between legitimate forwarded mail and the original sender so they would flag your server as a spam sender if you receive spam and still flag you as a spam sender even if you don't forward any spam just based on the "number of messages" that get forwarded to Yahoo or AOL. Email sucks on both, I'd stay away from them!

[mykkal]

DKIM isn't going anywhere at the moment. Take a look at this thread for details.
Honestly it's been pushed back every version for many years now.

Probably won't happen till DKIM is deprecated.

http://forums.cpanel.net/f145/eta-11...tml#post716822

[mykkal]

I talked with CPANEL on the phone a few months ago... (you guys called me) and assured me that you would have the ability to validate incoming DKIM signatures added.

THIS IS IMPORTANT! That would go a very long way in stopping spam and spoofing!

Honestly if you guys are just going to do what's easiest for you and not what we've demanded for HALF A DECADE then what do we need with Cpanel.

Supply & Demand folks. If you won't meet our demands...how are you gonna sell your supply. The other control panels are now light years ahead of you. They also read these forums and have implemented steps to keep their customer base from being as angry as yours.

cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor. At this time the functionality is only available on Linux systems.

The Exim RPM provided with cPanel 11.23 has SRS functionality as implemented by the Exim project, however it must be completely configured by the admin as we do not provide support for this. Documentation on Exim's implementation of SRS is found at SRS - Exim Wiki

There are no plans at this time to implement DomainKey or DKIM lookups on incoming mail.

[nwtg]

So, the newest update from cPanel about DKIM (http://forums.cpanel.net/f145/add-su...77940-p13.html) indicates that implementation of DKIM signature support is now underway for 11.32, and ditching DomainKeys.

As you can see from the thread I posted on Christmas Day last year, (http://forums.cpanel.net/f5/dkim-sup...-a-181411.html) I tweaked Exim enough that I got DKIM signatures working successfully, so I know it's possible, but in doing so, my DomainKeys signatures stopped dead, and I was unable to run both methods of authentication. I'm not sure why, but I rolled back until DKIM was fully implemented by cPanel.

I'm still left with some questions for the cPanel people:

If you're dropping DK for DKIM, what process will we, as admins, need to follow, in order to convert our current clients from DK to DKIM? Will there be a script that wipes out the default._domainkey lines from the DNS zones and adjust the exim.conf accordingly? Seems like then we could just go in with a clean slate and enable DKIM as we did for DK.

Of course, however it's deployed in EDGE 11.32, I'm going to test the hell out of it in my QA environment. I'd just like to know what to expect as far as converting current users' authentication methods from one to the other. The idea of changing each one manually exhausts me just thinking about it.

Thanks for readin'.