Adding an SPF record for CNAME record (external email)

opt2bout

Well-Known Member
Nov 10, 2006
69
1
158
We have a domain that is using an external Email SMTP service. We need to set up a CNAME record for the service so the outgoing email can be "branded" with the client domain. In addition, to comply with Email policies, we need to create an SPF record for that domain.

Although it is not a totally acceptable policy, it appears that it would be required for using external mail services like Microsoft, etc., where the domain sending the email is local but goes through an external domain.

It appears we can't create both...that is, if we create the SPF record, that is fine, but we fail mail domain checks because the domain doesn't resolve. If we set up the CNAME record, we get an error in the Zone editor:

Error: API failure: Zone is invalid: Line 58: smtp.ourdomain.com: CNAME and other data at /usr/local/cpanel/Cpanel/ZoneFile/LineEdit.pm line 390.

Is there an accepted use/procedure for doing this?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,418
1,001
313
cPanel Access Level
Root Administrator
Hey there!

but we fail mail domain checks because the domain doesn't resolve.
Can you get me more details on why it doesn't resolve? SPF is used to designate the IP addresses that are permitted senders for a domain, and you can setup multiple IPs. For example, you can have an SPF record that looks like this:

Code:
domain.com. 14400   IN      TXT     "v=spf1 ip4:1.2.3.4 +a +mx +ip4:2.3.4.5 +ip4:3.4.5.6 ~all"
and that is perfectly valid.

I'm not really sure where the CNAME comes into play. For a server where the website is hosted on one machine and the mail is hosted on another I would expect to see the following:

-A record points to the webserver
-MX record points to the mailserver
-SPF lists either just the mailserver or also includes the webserver as a possible sender
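To show how a receiver actually evaluates a record like the one above, here is an added example (not cPanel's code and not from any post in this thread): a small SPF check over an in-memory zone with a stub resolver that follows CNAME chains the way a real recursive resolver does. Every name and address in the zone is constructed for the example. The record lives at the sending domain's apex; the `a`, `mx`, `ip4` and `include` mechanisms are tried left to right, and the `mx` branch resolves mail.domain.com through its CNAME to the relay's addresses, which is what lets a record at the apex cover a sender hosted elsewhere.

```python
"""Offline SPF evaluator (added example, not cPanel or RFC 7208 reference code).
ZONE below is a constructed stand-in for DNS; lookup() follows CNAMEs like a resolver."""
import ipaddress

# Constructed zone: hypothetical names and RFC 5737 documentation addresses.
ZONE = {
    ("domain.com.", "TXT"): ["v=spf1 ip4:1.2.3.4 +a +mx +ip4:2.3.4.5 +ip4:3.4.5.6 ~all"],
    ("domain.com.", "A"): ["10.0.0.10"],
    ("domain.com.", "MX"): ["mail.domain.com."],
    ("mail.domain.com.", "CNAME"): ["smtp.relay.example."],      # mail host is an alias
    ("smtp.relay.example.", "A"): ["198.51.100.7", "198.51.100.8"],
    ("_spf.relay.example.", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("other.com.", "TXT"): ["v=spf1 include:_spf.relay.example -all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, depth=0):
    """Return rdata strings for name/rtype, following CNAME chains (max 8 hops)."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    if depth > 8:
        raise RuntimeError("CNAME chain too long: " + name)
    if (name, rtype) in ZONE:
        return ZONE[(name, rtype)]
    target = ZONE.get((name, "CNAME"))
    if target:                       # alias: repeat the query at the target
        return lookup(target[0], rtype, depth + 1)
    return []


def spf_record(domain):
    """Exactly one v=spf1 TXT is usable; none or several yields no record."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate ip sending as domain: pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                   # guard against include: loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"       # unknown mechanism (exists/ptr/redirect not modelled)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                 # no term matched and no explicit all


if __name__ == "__main__":
    for ip, dom in [("1.2.3.4", "domain.com"), ("198.51.100.8", "domain.com"),
                    ("203.0.113.9", "domain.com"), ("198.51.100.7", "other.com")]:
        print(f"{ip} as {dom}: {check_host(ip, dom)}")
```

The `mx` case is the instructive one: 198.51.100.8 passes for domain.com without appearing anywhere in the record, because the MX name is a CNAME and the resolver chases it to the relay's A records. The lookup counting, `redirect=`, `exists` and `ptr` are left out to keep the example short.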
 

opt2bout

Well-Known Member
Again, the mail services are EXTERNAL to the website. Mail is sent through a relay, like SendGrid, ElasticEmail, Google, etc. These services have us set up a CNAME to reference their physical host name like "customer123.sendgrid.com", then we add an SPF record for our domain.

For example, we are ourdomain.com

Using mail.ourdomain.com as our sending server (this is NOT hosted on the cPanel server)

We have DNS records for:

mail.ourdomain.com. CNAME customer123.sendgrid.com

We now need an SPF record to tell the world that mail.ourdomain.com is allowed to send email. If we attempt to add a TXT record for this, the cPanel Zone editor gives us the error in the original post.

If I don't create the CNAME record, I can create the SPF TXT record, but then we sometimes get SPF validation errors when sending email as "mail.ourdomain.com" because it can't resolve anywhere. The customer123.sendgrid.com in this example has several rotating IP addresses, so we can't just create a static IP entry for mail.ourdomain.com, etc.

So I guess I need to know if this is a bug in the cPanel Zone editor that will not allow us to create a TXT record for a CNAME host record?
 

cPRex

Jurassic Moderator
Staff member
Thanks for the clarification. We don't perform any validation on the CNAME data, so you could type in anything you want there as we don't make sure it resolves. It sounds more like there is a typo in the line.

Could you post a screenshot of exactly what you're trying to set up as the CNAME record so I can test that on my end?
 

opt2bout

Well-Known Member
To reproduce this, go to DNS Zone Manager, go to a domain, Manage

Add a CNAME record, any CNAME record. In our case it is an alias from mail.ourdomain.com to an external host, say mail.sendgrid.net

Now that you have a CNAME record for the host mail.ourdomain.com, try adding a TXT record for the same domain. In our example "v=spf1 ip4:111.111.111.111 +a +mx +include:_spf.sendgrid.net +include:_spf.google.com ~all"

Actually the content doesn't matter, you can just put "test" or anything you like.

When you click "Save record" we get:

Error: API failure: Zone is invalid: Line 58: mail.ourdomain.com: CNAME and other data at /usr/local/cpanel/Cpanel/ZoneFile/LineEdit.pm line 390.

Note that you can reverse the process. For example, create a TXT record first. Then try and create a CNAME record for the same domain. It appears that the current cPanel zone manager thinks it is an error to have a TXT record reference a CNAME domain? We are allowed to do this "manually" if we edit the zone file, but zone manager won't work for that domain any longer with the same error as quoted above.
 

cPRex

Jurassic Moderator
Staff member
On my system, when performing this work I get the following:

"Error: cnametest.hattmonkey.com. already has a CNAME record. You may not mix CNAME records with other records (TXT)."

Could you submit a ticket to our team so we could check this directly on your server?
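Added example (not cPanel's validator, whose messages are quoted above): a small zone linter that flags exactly the condition both error messages describe, an owner name that carries a CNAME plus any other record type. That restriction is the protocol rule from RFC 1034 section 3.6.2 and RFC 2181 section 10.1 (only DNSSEC's RRSIG/NSEC records may sit beside a CNAME), and BIND's `named-checkzone` reports the same "CNAME and other data" error on such a zone, which is why hand-editing the file does not get around it. The two zones below are constructed for the example using the names from the thread. The second one shows the usual arrangement: mail.ourdomain.com keeps only its CNAME, and the SPF TXT sits at ourdomain.com, the domain that appears as the envelope sender and is therefore where receivers look it up, with `include:_spf.sendgrid.net` covering the relay's rotating addresses. The parser is one-record-per-line and does not handle multi-line parenthesised RDATA.

```python
"""Zone linter for the 'CNAME and other data' rule (added example, not cPanel code).
Parses a minimal one-record-per-line BIND-style zone and reports owner names
that have a CNAME together with other (non-DNSSEC) record types."""
from collections import defaultdict

# Types that RFC 4035 allows at a CNAME owner name.
DNSSEC_OK = {"RRSIG", "NSEC", "NSEC3"}


def parse_zone(text, origin):
    """Yield (owner, type, rdata) tuples; '@' and relative owners are qualified with origin."""
    origin = origin.rstrip(".").lower() + "."
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                   # blank, $TTL, $ORIGIN
        fields = line.split()
        if line[0].isspace():                          # leading blank = same owner as before
            owner = last_owner
        else:
            owner = fields.pop(0).lower()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        # optional TTL and class precede the type
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if not fields:
            raise ValueError(f"no record type on line: {raw!r}")
        rtype = fields.pop(0).upper()
        records.append((owner, rtype, " ".join(fields)))
    return records


def find_cname_conflicts(text, origin):
    """Map each offending owner name to the sorted list of types that may not coexist with its CNAME."""
    types_at = defaultdict(set)
    for owner, rtype, _ in parse_zone(text, origin):
        types_at[owner].add(rtype)
    conflicts = {}
    for owner, types in types_at.items():
        others = types - {"CNAME"} - DNSSEC_OK
        if "CNAME" in types and others:
            conflicts[owner] = sorted(others)
    return conflicts


# Constructed zone reproducing the thread: CNAME and TXT at the same name.
BROKEN_ZONE = """\
$TTL 14400
@     IN SOA ns1.ourdomain.com. hostmaster.ourdomain.com. ( 2024010101 3600 900 1209600 86400 )
@     IN NS  ns1.ourdomain.com.
@     IN A   192.0.2.10
mail  IN CNAME customer123.sendgrid.com.
mail  IN TXT  "v=spf1 include:_spf.sendgrid.net ~all"   ; the line the editor rejects
"""

# Constructed zone with the SPF record at the apex and the alias left alone.
FIXED_ZONE = """\
$TTL 14400
@     IN SOA ns1.ourdomain.com. hostmaster.ourdomain.com. ( 2024010101 3600 900 1209600 86400 )
@     IN NS  ns1.ourdomain.com.
@     IN A   192.0.2.10
@     IN TXT "v=spf1 include:_spf.sendgrid.net ~all"
mail  IN CNAME customer123.sendgrid.com.
"""

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, find_cname_conflicts(zone, "ourdomain.com") or "OK")
```

Run it over a dumped zone before submitting an edit and the report names the owner and the colliding types, which is quicker than guessing which of several TXT or A lines the editor is objecting to.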