Automatically create DMARC records for new accounts

swbrains

Well-Known Member
Sep 13, 2006
207
28
178
Is it possible to automatically create DMARC records for new accounts (like SPF)?
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
493
142
343
cPanel Access Level
DataCenter Provider
I'd think that would be next to impossible to do. You could default a policy, but without rua/ruf records you'd have no way of verifying the policy is working. rua/ruf records typically need a "mailto" in them and cPanel would have no idea how to set that.
 
  • Like
Reactions: A Hartonian

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,254
313
Houston

24hostuk

Registered
Feb 12, 2020
2
0
1
England
cPanel Access Level
Root Administrator
Hi,

I have been looking to do this via the use of a record in the zone file templates along the lines of:

_dmarc IN TXT "v=DMARC1; p=none; sp=none; fo=1; ri=86400; rua=mailto:[email protected]%domain%; ruf=mailto:[email protected]%domain%"

this seems to work for initial account creation however if the account domain is changed it only updates the rua=mailto and not the ruf=mailto and creates a new corrected copy of the record as well any suggestions on where I have gone wrong with this?

additionally to implement this I need a wwwpostacc hook I think? this needs to setup an email forwarder from [email protected]%domain% to [email protected] domain (this can be hard coded per server if needed rather than a variable) but I'm not a coder so struggling with this one any advice/help much appreciated.

I know this isn't a solution for all providers but this works fine for some of our servers and I would like to implement it where I can to provide this record and reduce email delivery issues.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
493
142
343
cPanel Access Level
DataCenter Provider
I can't tell you how to fix the zone file template, but I'm curious how many people actually want DMARC reports emailed to them? For the customers we've set this up for they are using 3rd party services to parse/analyze the reports.
 

24hostuk

Registered
Feb 12, 2020
2
0
1
England
cPanel Access Level
Root Administrator
So I have thought about this a little more and a few amendments to my original proposition,

1: Would also need a hook file to create forwards for addon/alias domains
2: Rather than creating a forwarder to [email protected] domain could these reports be forwarded to the account default email address/catchall [email protected]$domain sort of thing?

This would allow addon domains and root domains to be sent to a mailbox the users can access and deal with or not as they wish also once the account is setup these forwarders can be amended/added to to give third parties access/copies of these emails to analyze the results. This would also allow for a script that could be implemented across multiple servers without editing in a hardcoded email address or pulling the email from the server contact details email and forcing the server admins to deal with all of these (hint hint cPanel can implement this as part of the whole system maybe?)

Additionally an option to purge these account default mailboxes of emails older than XX days to prevent disk usage creep would be nice. simple nightly cron might do this something like:

Code:
for user in `/bin/ls -A /var/cpanel/users` ; do find /home/$user/mail/cur/ -mtime +14 -exec rm -rf {} \; done

for user in `/bin/ls -A /var/cpanel/users` ; do find /home/$user/mail/new/ -mtime +14 -exec rm -rf {} \; done
(I need to check this code haven't tested yet but something like this) possibly have this as an option in tweak settings instead of just "system account" "fail" "black hole" have additional options under "system account" for "server wide" with number of days to retain for on a server wide setting or "user managed" to put this same option in the individual cPanel's for customers to decide the retention period themselves

I agree not many users actually WANT the reports or know what to do with them if they had them but they do want the DMARC in place for email delivery/spam prevention and this is the best option I have come up with so far for automating this setup on a server wide scale