Adding an SPF record for CNAME record (external email)

opt2bout

Well-Known Member
Nov 10, 2006
69
1
158
We have a domain that is using an external Email SMTP service. We need to set up a CNAME record for the service so the outgoing email can be "branded" with the client domain. In addition, to comply with Email policies, we need to create an SPF record for that domain.

Although it is not a totally acceptable policy, it appears that it would be required for using external mail services like Microsoft, etc., where the domain sending the email is local, but through an external domain.

It appears we can't create both...that is, if we create the SPF record, that is fine, but we fail mail domain checks because the domain doesn't resolve. If we set up the CNAME record, we get an error in the Zone editor:

Error: API failure: Zone is invalid: Line 58: smtp.ourdomain.com: CNAME and other data at /usr/local/cpanel/Cpanel/ZoneFile/LineEdit.pm line 390.

Is there an accepted use/procedure for doing this?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,681
1,053
313
cPanel Access Level
Root Administrator
Hey there!

but we fail mail domain checks because the domain doesn't resolve.
Can you get me more details on why it doesn't resolve? SPF is used to designate the IP addresses that are permitted senders for a domain, and you can set up multiple IPs. For example, you can have an SPF record that looks like this:

Code:
domain.com. 14400   IN      TXT     "v=spf1 ip4:1.2.3.4 +a +mx +ip4:2.3.4.5 +ip4:3.4.5.6 ~all"
and that is perfectly valid.

I'm not really sure where the CNAME comes into play. For a server where the website is hosted on one machine and the mail is hosted on another I would expect to see the following:

-A record points to the webserver
-MX record points to the mailserver
-SPF lists either just the mailserver or also includes the webserver as a possible sender
 

opt2bout

Again, the mail services are EXTERNAL to the website. Mail is sent through a relay, like SendGrid, ElasticEmail, Google, etc. These services have us set up a CNAME to reference their physical host name like "customer123.sendgrid.com", then we add an SPF record for our domain.

For example, we are ourdomain.com

Using mail.ourdomain.com as our sending server (this is NOT hosted on the cPanel server)

We have DNS records for:

mail.ourdomain.com. CNAME customer123.sendgrid.com

We now need an SPF record to tell the world that mail.ourdomain.com is allowed to send email. If we attempt to add a TXT record for this, the cPanel Zone editor gives us the error in the original post.

If I don't create the CNAME record, I can create the SPF TXT record, but then we sometimes get SPF validation errors when sending email as "mail.ourdomain.com" because it can't resolve anywhere. The customer123.sendgrid.com in this example has several rotating IP addresses, so we can't just create a static IP entry for mail.ourdomain.com, etc.

So I guess I need to know if this is a bug in the cPanel Zone editor that will not allow us to create a text record for a CNAME host record?
 

cPRex

Thanks for the clarification. We don't perform any validation on the CNAME data, so you could type in anything you want there as we don't make sure it resolves. It sounds more like there is a typo in the line.

Could you post a screenshot of exactly what you're trying to set up as the CNAME record so I can test that on my end?
 

opt2bout

To reproduce this, go to DNS Zone Manager, go to a domain, Manage

Add a CNAME record, any CNAME record. In our case it is an alias from mail.ourdomain.com to an external host, say mail.sendgrid.net

Now that you have a CNAME record for the host mail.ourdomain.com, try adding a TXT record for the same domain. In our example "v=spf1 ip4:111.111.111.111 +a +mx +include:_spf.sendgrid.net +include:_spf.google.com ~"

Actually the content doesn't matter, you can just put "test" or anything you like.

When you click "Save record" we get:

Error: API failure: Zone is invalid: Line 58: mail.ourdomain.com: CNAME and other data at /usr/local/cpanel/Cpanel/ZoneFile/LineEdit.pm line 390.

Note that you can reverse the process. For example, create a TXT record first. Then try and create a CNAME record for the same domain. It appears that the current cPanel zone manager thinks it is an error to have a TXT record reference a CNAME domain? We are allowed to do this "manually" if we edit the zone file, but zone manager won't work for that domain any longer with the same error as quoted above.
 

cPRex

On my system, when performing this work I get the following:

"Error: cnametest.hattmonkey.com. already has a CNAME record. You may not mix CNAME records with other records (TXT)."

Could you submit a ticket to our team so we could check this directly on your server?
 

Steini Petur

Well-Known Member
Apr 24, 2016
57
13
58
Iceland
cPanel Access Level
Root Administrator
We are having the exact same issue with one of our clients, adding a CNAME for his subdomain


the moment we hit save we get

Code:
 at /usr/local/cpanel/Cpanel/Admin/Base.pm line 808.
        Cpanel::Admin::Base::handle_untrapped_exception("Cpanel::Admin::Modules::Cpanel::zone", "Zone is invalid: Line 32: x: CNAME and "...) called at /usr/local/cpanel/Cpanel/AdminBin/Server/Backend.pm line 157
        Cpanel::AdminBin::Server::Backend::run_admin_module("perl_module", "Cpanel::Admin::Modules::Cpanel::zone", "uid", 3105, "args", ARRAY(0x35c72e0), "function", "MASS_EDIT", ...) called at /usr/local/cpanel/Cpanel/AdminBin/Server.pm line 222
        Cpanel::AdminBin::Server::_request_handler(Cpanel::AdminBin::Server=HASH(0x35c6ec0), HASH(0x35c72f8), undef) called at /usr/local/cpanel/Cpanel/AdminBin/Server.pm line 123
        Cpanel::AdminBin::Server::__ANON__() called at /usr/local/cpanel/Cpanel/Try.pm line 193
        eval {...} called at /usr/local/cpanel/Cpanel/Try.pm line 193
        Cpanel::Try::try(CODE(0x35c7010), "Cpanel::Exception::ProcessNotRunning", CODE(0x35c7088)) called at /usr/local/cpanel/Cpanel/AdminBin/Server.pm line 126
        Cpanel::AdminBin::Server::handle_cpwrapd_request(Cpanel::AdminBin::Server=HASH(0x35c6ec0), HASH(0x35c6d40)) called at /usr/local/cpanel/Cpanel/Server.pm line 2456
        Cpanel::Server::handle_cpwrapd_connection(Cpanel::Server=HASH(0x35bbe40)) called at cpsrvd.pl line 1866
        cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpwrapd_connection") called at cpsrvd.pl line 1119
        cpanel::cpsrvd::script() called at cpsrvd.pl line 440
Cpanel::Exception/(XID j9w82a) Zone is invalid: Line 33: x: CNAME and other data; Line 33: x: CNAME and other data at /usr/local/cpanel/Cpanel/ZoneFile/LineEdit.pm line 403.
        ...propagated at /usr/local/cpanel/Cpanel/Admin/Base.pm line 746.
I then tried directly from WHM and got the same, but there I get a better debug, since cPanel sends out a vague "contact them to find out"

Error: API failure: Zone is invalid: Line 33: x: CNAME and other data; Line 33:x: CNAME and other data at /usr/local/cpanel/Cpanel/ZoneFile/LineEdit.pm line 403.

You are right though, we have a TXT record and an A record as well. I had to remove both. I had tested just taking the A record out, and I received the error, then took both out and I can then set the CNAME. The Manager doesn't allow a TXT record and a CNAME record of the same name.

x    14400    TXT    v=spf1 +a +mx .......

Removing that record allows the CNAME to be set


Success: You successfully saved the following CNAME record for “x”: “y”.

Then I tried to put in the TXT record and I can't do that, the only way for me to achieve this is to

Code:
[[email protected] etc]# cd /var/named
[[email protected] named]# nano smart-proto*
[[email protected] named]# service named reload
Reloading named:                                           [  OK  ]
This must be an error @cPRex, don't you think? There is not a violation of setting TXT records and CNAME records in a DNS file, only the manager thinks so. It's a violation if it's an A record and CNAME but not a TXT and CNAME, and I had to stick every record out of it for it to be pleased with the CNAME installation.

PS: It should be noted that now my client cannot update any records, even adding a new subdomain won't work because the file is "corrupted" according to the Zone editor and needs the CNAME and TXT to be removed.
 

Metro2

Well-Known Member
May 24, 2006
537
77
178
USA
cPanel Access Level
Root Administrator
I'm not sure if this is relevant or helpful in the cases above, but I ran into basically the same thing a while ago (tried to add a TXT verification record to a CNAME like client.example.com) and I ended up reading somewhere that TXT records cannot be added to a CNAME that uses the same sub-URL. Now I wonder if that's actually true, or if this is a glitch.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,051
106
118
Houston, TX
cPanel Access Level
Root Administrator
I'm not sure if this is relevant or helpful in the cases above, but I ran into basically the same thing a while ago (tried to add a TXT verification record to a CNAME like client.example.com) and I ended up reading somewhere that TXT records cannot be added to a CNAME that uses the same sub-URL. Now I wonder if that's actually true, or if this is a glitch.
This is correct, TXT records cannot be added to a CNAME using the same sub-URL. The following article might help.

Can you use a CNAME record with other resource records on the same domain or subdomain
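
An added example, not part of the thread and not cPanel's code: a small Python check that finds the condition behind the "CNAME and other data" error, following the rule confirmed in the last reply (RFC 1034 section 3.6.2: a name that has a CNAME may carry no other data). The zone lines are constructed from the names used in the thread, `_spf.example.net` is a placeholder, and the DNSSEC exception list and the simplified line parser are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample zone, modelled on the records described in the thread.
SAMPLE_ZONE = """\
$ORIGIN ourdomain.com.
@      14400 IN TXT   "v=spf1 +a +mx include:_spf.example.net ~all"
@      14400 IN MX    0 mail
www    14400 IN A     192.0.2.10
mail   14400 IN CNAME customer123.sendgrid.com.
mail   14400 IN TXT   "v=spf1 include:_spf.example.net ~all"
x      14400 IN CNAME y
"""

# DNSSEC record types that may sit beside a CNAME (assumption of this sketch).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}
# owner [ttl] [IN] type rdata -- simplified: one record per line, no parentheses.
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Za-z0-9]+)\s+(.*)$", re.I)

def fqdn(name, origin):
    """Expand a relative owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def cname_conflicts(zone_text):
    """Return {owner name: [other record types]} for names that mix CNAME with other data."""
    origin, last, types = ".", None, defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments; only owner and type matter
        if not line.strip():
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):
            continue
        if line[0].isspace():                 # blank owner field reuses the previous name
            if last is None:
                continue
            line = f"{last} {line.strip()}"
        m = RR_LINE.match(line)
        if m:
            last = m.group(1)
            types[fqdn(last, origin)].add(m.group(2).upper())
    return {name: sorted(t - {"CNAME"} - ALLOWED_WITH_CNAME)
            for name, t in types.items()
            if "CNAME" in t and t - {"CNAME"} - ALLOWED_WITH_CNAME}
```

Running `cname_conflicts` over a zone file before reloading the name server flags every owner name that would trip the zone editor's validation, such as `mail.ourdomain.com.` with its TXT record in the sample.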