Results 1 to 14 of 14

Thread: SPF and DKIM - validating incoming mail

  1. #1
    Registered Member
    Join Date
    Nov 2006
    Location
    GB
    Posts
    44

    Unhappy SPF and DKIM - validating incoming mail

    Apparently for outgoing mail these are both complete in the cPanel Exim build. Incoming mail verification lacks the functionality still.

    Is there any beta incoming functionality in EDGE or CURRENT yet? Do we have any ETA for being able to use either or both fully?

    The need becomes greater as places like Yahoo impose them on us by screwing up our users' email due to our inability to comply!

    Related to SPF there remains the outstanding matter of an SRS (rewriting) option, to allow continued use of forwarders to work. Loss of forwarders would be disastrous for us.
    --
    Wemail ServerAdmin
    (GB)

  2. #2
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,286
    cPanel Access Level

    Root Administrator

    Default

    cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor. At this time the functionality is only available on Linux systems.

    The Exim RPM provided with cPanel 11.23 has SRS functionality as implemented by the Exim project, however it must be completely configured by the admin as we do not provide support for this. Documentation on Exim's implementation of SRS is found at http://wiki.exim.org/SRS

    There are no plans at this time to implement DomainKey or DKIM lookups on incoming mail.
    Last edited by cPanelKenneth; 07-21-2008 at 09:29 AM. Reason: added DKIM

  3. #3
    Registered Member
    Join Date
    Nov 2006
    Location
    GB
    Posts
    44

    Unhappy

    Quote Originally Posted by cpanelkenneth View Post
    ... The Exim RPM provided with cPanel 11.23 has SRS functionality as implemented by the Exim project, however it must be completely configured by the admin as we do not provide support for this. Documentation on Exim's implementation of SRS is found at http://wiki.exim.org/SRS
    Thanks.

    I got the impression from Alex Villegas some weeks ago that there might be some more cPanel guidance on how to configure SRS coming out in due course. The Wiki article is not very meaningful to me (it seems to omit some things) and one of my colleagues, who is more into Linux than me, has also not got it working yet.

    If somebody has got it working and is willing to share their config, it would be appreciated by many people, I suspect. Provided it is in English of course - I only found something in Brazilian Portuguese!
    --
    Wemail ServerAdmin
    (GB)

  4. #4
    Registered Member
    Join Date
    Feb 2005
    Posts
    263

    Default

    Quote Originally Posted by cpanelkenneth View Post
    cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor. At this time the functionality is only available on Linux systems.
    I'm running cpanel 11.24.5 on linux. In the Exim config editor the only SPF-related option I see is "Blacklist: SPF Checking" . Is that the one you mean? It's already enabled but in the user's cpanel I do not see a way to whitelist incoming domains for SPF.

    Thanks,
    Scot

  5. #5
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,289
    cPanel Access Level

    Root Administrator

    Default

    Quote Originally Posted by shacker23 View Post
    I'm running cpanel 11.24.5 on linux. In the Exim config editor the only SPF-related option I see is "Blacklist: SPF Checking" . Is that the one you mean? It's already enabled but in the user's cpanel I do not see a way to whitelist incoming domains for SPF.

    Thanks,
    Scot
    Keep in mind that RBLs are IP-based, not domain-based, so you would need to whitelist the entire IP rather than a specific domain.

    The option to whitelist IPs is only available to system administrators at this time. You can edit this whitelist by going to WHM -> Service Configuration -> Exim Configuration Editor and clicking the "Edit" button next to "Whitelist: IPs that should not be checked against RBLs."

  6. #6
    Registered Member
    Join Date
    Feb 2005
    Posts
    263

    Default

    Hmm, cpanelkenneth said above :

    cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor.
    To me that sounds like a true incoming SPF checking control, rather than merely whitelisting IPs. So does this mean that whitelisting of IPs is and will always be the only option for getting around SPF failure of incoming messages? Or that the feature isn't baked into WHM yet?

    Thanks.

  7. #7
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,286
    cPanel Access Level

    Root Administrator

    Default

    Quote Originally Posted by shacker23 View Post
    Hmm, cpanelkenneth said above :



    To me that sounds like a true incoming SPF checking control, rather than merely whitelisting IPs.
    Correct. cPanel 11.23 introduced support for SPF checking on incoming email for Linux hosts.

    Quote Originally Posted by shacker23 View Post
    So does this mean that whitelisting of IPs is and will always be the only option for getting around SPF failure of incoming messages?
    What failures? Please provide examples.
    Kenneth
    Development
    cPanel, Inc.

  8. #8
    Registered Member
    Join Date
    Feb 2005
    Posts
    263

    Default

    Correct. cPanel 11.23 introduced support for SPF checking on incoming email for Linux hosts.
    Right, and my question again is *where* can I or my users configure that control?

    For example, a very high profile Wall Street Journal writer is trying to send email to one of my users. The author's mail is failing SPF checks, and my server is rejecting mail that fails SPF checks. I want the ability to whitelist either the sender or the host the sender is sending through to prevent his messages from being dropped. Is it really an all or nothing proposition with no whitelisting option, either in cpanel or WHM?

  9. #9
    Registered User
    Join Date
    Aug 2009
    Posts
    4

    Default

    I've moved hosting to a company using cPanel and I'm getting the same problems. Spam still gets through but so far no emails from my major client and my car insurer and business insurer both had had their emails bounced. BTW I checked my email worked from my googlemail so it's not a typo of mine.

    I'm now looking to move host again as it is just too unreliable not to have trustworthy email. It seems like spf on incoming email is not essential to cPanel so I could still use a a hosting using cPanel.

  10. #10
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,286
    cPanel Access Level

    Root Administrator

    Default

    Performing SPF checks on incoming email is a global Exim configuration option. It is enabled via the following checkbox in the Exim Configuration interface in WHM:

    Blacklist: SPF Checking

    The only control given to the end user is the ability to configure the SPF record for his domain(s).
    Kenneth
    Development
    cPanel, Inc.

  11. #11
    BANNED
    Join Date
    Jun 2005
    Posts
    2,023

    Lightbulb

    Quote Originally Posted by malc_b View Post
    I've moved hosting to a company using cPanel and I'm getting the same problems. Spam still gets through but so far no emails from my major client and my car insurer and business insurer both had had their emails bounced. BTW I checked my email worked from my googlemail so it's not a typo of mine.

    I'm now looking to move host again as it is just too unreliable not to have trustworthy email. It seems like spf on incoming email is not essential to cPanel so I could still use a a hosting using cPanel.
    Oh good grief! Spam protection is a complex subject and like security is truly an art form in and of it's own right ...

    Generally, speaking there are a lot of different measures to take and different ways of implementing different technologies and different configurations in different places throughout your server that when combined together work to the common goal of providing you working spam protection without dropping legitimate mail.

    Most anyone can tinker around with options a bit and good a reasonably well working spam protection setup but you may still get some spam through or occasionally lose a legitimate piece of mail on accident.

    The real question here is experience and knowing the pitfalls and what you are doing which is where the "art form" comment comes in above.

    If you need help setting up a working spam solution, contact me.

    Otherwise, you probably want to enable SPF checking in Exim configuration in WHM and add SPF and DomainKey records using your Cpanel control panel for each domain you host, enable SpamAssassin (and configure) [OR] MailScanner and use the SMTP adjustments with CSF (preferred) [OR] the SMTP tweak in the security center in WHM. I would also use SuPHP for PHP and modify mail headers and logging in Exim to track sent messages better.

    Regarding forwards, I would stay away from any blind mail forwards that have Yahoo or AOL targets because both of their spam protection systems are broken and over-zealous and unable to tell the difference between legitimate forwarded mail and the original sender so they would flag your server as a spam sender if you receive spam and still flag you as a spam sender even if you don't forward any spam just based on the "number of messages" that get forwarded to Yahoo or AOL. Email sucks on both, I'd stay away from them!

  12. #12
    Registered Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    119

    Default Re: SPF and DKIM - validating incoming mail

    DKIM isn't going anywhere at the moment. Take a look at this thread for details.
    Honestly it's been pushed back every version for many years now.

    Probably won't happen till DKIM is deprecated.

    http://forums.cpanel.net/f145/eta-11...tml#post716822

  13. #13
    Registered Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    119

    Default Re: SPF and DKIM - validating incoming mail

    I talked with CPANEL on the phone a few months ago... (you guys called me) and assured me that you would have the ability to validate incoming DKIM signatures added.

    THIS IS IMPORTANT! That would go a very long way in stopping spam and spoofing!

    Honestly if you guys are just going to do what's easiest for you and not what we've demanded for HALF A DECADE then what do we need with Cpanel.

    Supply & Demand folks. If you won't meet our demands...how are you gonna sell your supply. The other control panels are now light years ahead of you. They also read these forums and have implemented steps to keep their customer base from being as angry as yours.

    Quote Originally Posted by cpanelkenneth View Post
    cPanel 11.23 provides support for checking SPF records on incoming mail. YOu must enable the option in the Exim Configuration Editor. At this time the functionality is only available on Linux systems.

    The Exim RPM provided with cPanel 11.23 has SRS functionality as implemented by the Exim project, however it must be completely configured by the admin as we do not provide support for this. Documentation on Exim's implementation of SRS is found at SRS - Exim Wiki

    There are no plans at this time to implement DomainKey or DKIM lookups on incoming mail.

  14. #14
    Registered Member nwtg's Avatar
    Join Date
    Dec 2010
    Location
    Portland, Oregon
    Posts
    34
    cPanel Access Level

    Root Administrator

    Thumbs up DKIM Implementation Planned 11.32 -- Question for the cPanel folks...?



    So, the newest update from cPanel about DKIM (http://forums.cpanel.net/f145/add-su...77940-p13.html) indicates that implementation of DKIM signature support is now underway for 11.32, and ditching DomainKeys.

    As you can see from the thread I posted on Christmas Day last year, (http://forums.cpanel.net/f5/dkim-sup...-a-181411.html) I tweaked Exim enough that I got DKIM signatures working successfully, so I know it's possible, but in doing so, my DomainKeys signatures stopped dead, and I was unable to run both methods of authentication. I'm not sure why, but I rolled back until DKIM was fully implemented by cPanel.

    I'm still left with some questions for the cPanel people:

    If you're dropping DK for DKIM, what process will we, as admins, need to follow, in order to convert our current clients from DK to DKIM? Will there be a script that wipes out the default._domainkey lines from the DNS zones and adjust the exim.conf accordingly? Seems like then we could just go in with a clean slate and enable DKIM as we did for DK.

    Of course, however it's deployed in EDGE 11.32, I'm going to test the hell out of it in my QA environment. I'd just like to know what to expect as far as converting current users' authentication methods from one to the other. The idea of changing each one manually exhausts me just thinking about it.

    Thanks for readin'.



Similar Threads

  1. Need help understanding DKIM / SPF
    By webmasteryoda in forum E-mail Discussions
    Replies: 4
    Last Post: 09-02-2013, 02:29 PM
  2. DKIM and SPF are not enabled
    By clinch in forum E-mail Discussions
    Replies: 5
    Last Post: 07-25-2013, 12:30 PM
  3. DKIM and SPF E-mail Authentication
    By markpickford in forum E-mail Discussions
    Replies: 6
    Last Post: 04-01-2013, 07:48 AM
  4. DKIM, SPF and MAIL.for new SUBDOMAINS
    By NemoXP in forum E-mail Discussions
    Replies: 3
    Last Post: 08-06-2012, 11:26 PM
  5. Replies: 1
    Last Post: 11-21-2011, 07:02 PM

Tags for this Thread

bargain