Best practice for DMARC if cPanel user has migrated DNS to Cloudflare

eugenevdm.host

Well-Known Member
Oct 21, 2019
76
9
8
Cape Town
cPanel Access Level
DataCenter Provider
See the screenshot below.

My client decided to migrate his DNS to Cloudflare and now he is having a world of trouble sending emails to `@gmail` users from his WooCommerce enabled WordPress site.

By using the menu "Show original" in Gmail we can indeed see there is a problem. DMARC is failing.

I'm completely overwhelmed by the number of options DMARC presents - all I really want are some sane defaults.
It appears that WHM doesn't present default DMARC records, and when you use the "add DMARC" DNS option you end up with this incredibly complex string:

```
v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400
```
We are not even sure if this is the problem, but to alleviate the pain we copied the WHM generated SPF record and then also tried copying the WHM generated DKIM record to Cloudflare. Still no joy. Does anyone know what I can try next? Do I really have to study adkim, aspf, fo, ri and all that jazz, or is there a sane default for the +100 domains on my server?

[screenshot attachment]

Last edited by a moderator:

ITHKBO

Active Member
Jun 23, 2020
27
30
13
Netherlands
cPanel Access Level
Root Administrator
Have you tried using the dmarcian generator?

We use the following tool developed by URIports to test settings in a way that customers can also follow; it is also a handy tool to troubleshoot real connections.

Though studying DMARC, DKIM, DANE etc is highly recommended regardless.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,481
1,966
363
cPanel Access Level
Root Administrator
I would agree that reading about the DMARC settings is a good plan. I don't have them memorized (yet) but they control how a message gets handled after SPF and DKIM have been scanned. Cloudflare has some good documentation on this here:


Google's recommendation for that failure is to check the DMARC report:


so that may be a good place to start.
 

eugenevdm.host

Well-Known Member
Oct 21, 2019
76
9
8
Cape Town
cPanel Access Level
DataCenter Provider
Thanks guys so much for the replies.

> Though studying DMARC, DKIM, DANE etc is highly recommended regardless
> agree that reading about the DMARC settings is a good plan

I don't think I am expressing myself properly in the context of the problem I am trying to solve. The facts are:

- WHM doesn't generate a DMARC record by default
- WHM generates SPF and DKIM by default
- The Dmarcian wizard recommended by @ITHKBO seems to be a paid service for the analysis of DMARC failures
- I have over 100 client domains on my system and I need universal, generic advice

I have written over 500 hosting articles and I'm sure with time I'll also become a DMARC expert.

What I am asking is this:

- What is best practice DMARC for a WHM server with 100 client domains? I can't run that wizard for 100 domains.
- Does it seem valid to copy the DKIM and SPF "as is" to the Cloudflare DNS and then add some kind of "universal" DMARC record? Or do I really have to customize it specifically for this client? Do I really have to analyze failures every time? For 100 clients?

Thanks again for responding, community support really means a lot to me.
 

mtindor

Well-Known Member
Sep 14, 2004
1,454
110
193
inside a catfish
cPanel Access Level
Root Administrator
Use at least a default generic DMARC record (but only if your domains have SPF records and/or are DKIM signing)

"v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"

DMARC should pass if SPF or DKIM signing pass. In your previous example though, SPF passed but DMARC didn't.

At any rate, don't publish DMARC records unless you are publishing valid SPF / DKIM records, if you want the best outcome.
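The rule behind "SPF passed but DMARC didn't" is identifier alignment: under RFC 7489 a message passes DMARC only when an SPF or DKIM pass exists *and* the domain that passed aligns with the domain in the From: header, in the strict or relaxed mode that the `aspf=`/`adkim=` tags select. The evaluator below is an added example (not cPanel, WHM or Cloudflare code) that parses the WHM-generated record quoted in this thread and applies that rule; the client and server domain names and the small public-suffix table it uses are constructed assumptions, and `pct=` sampling is deliberately not applied.

```python
"""DMARC identifier-alignment check.

Added example, not cPanel/WHM code. Implements the RFC 7489 rule that a
message passes DMARC only when SPF or DKIM passes *and* the domain that
passed aligns with the RFC5322.From domain. Organizational-domain lookup
uses a tiny constructed suffix table instead of the real Public Suffix List.
"""

# Constructed subset of multi-label public suffixes (the real PSL is much larger).
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk", "com.au"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("a DMARC record needs v=DMARC1 and a p= policy")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless told otherwise
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= when absent
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain: the registrable part of the name (toy PSL lookup above)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return org_domain(auth) == org_domain(frm)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passes, disposition, reason).

    spf_domain is the MAIL FROM (envelope / Return-Path) domain SPF was checked
    against; dkim_domain is the d= of a signature that verified. pct= is ignored.
    """
    tags = parse_dmarc(record)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return True, "none", "aligned " + ("SPF" if spf_aligned else "DKIM") + " pass"
    # Failing: the disposition is p= for the organizational domain, sp= for subdomains.
    from_norm = from_domain.lower().rstrip(".")
    policy = tags["sp"] if from_norm != org_domain(from_norm) else tags["p"]
    return False, policy, "no aligned SPF or DKIM pass"


# Record quoted in the thread (WHM's generated default).
WHM_DEFAULT = "v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400"

if __name__ == "__main__":
    # Constructed names: the client's domain and the hosting server's hostname.
    client, server = "example.co.za", "srv1.hostingprovider.example"
    # Envelope sender left at the server's address: SPF passes, but for the wrong domain.
    print(evaluate_dmarc(WHM_DEFAULT, client, "pass", server, "none", None))
    # Envelope sender set to the From: address: SPF now aligns and DMARC passes.
    print(evaluate_dmarc(WHM_DEFAULT, client, "pass", client, "none", None))
    # A verified DKIM signature for the client's domain is enough on its own.
    print(evaluate_dmarc(WHM_DEFAULT, client, "pass", server, "pass", client))
```

The first call in the `__main__` block reproduces the situation mtindor describes: SPF passes for the server's own hostname, no aligned identifier exists, so DMARC fails even with `p=none`.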
 

eugenevdm.host

Well-Known Member
Oct 21, 2019
76
9
8
Cape Town
cPanel Access Level
DataCenter Provider
Hi @mtindor

Thank you so much. I have since also discovered How to configure a zone template so that newly added accounts and domains get a DMARC record in the WHM knowledgebase that specified this rule:

```
_dmarc IN TXT v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]
```

The article has a typo, the `ruf=` needs to have `mailto:` but that's missing. Anyway, seems I have some sane defaults now and I'm carrying on with testing.

Just to be clear:

> ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...

Our system is at defaults.
By default WHM publishes SPF and DKIM records.
We migrated those to Cloudflare but got stuck on the DMARC.

Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and the only clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.
 

Spirogg

Well-Known Member
Feb 21, 2018
700
160
43
chicago
cPanel Access Level
Root Administrator
> Hi @mtindor
>
> Thank you so much. I have since also discovered How to configure a zone template so that newly added accounts and domains get a DMARC record in the WHM knowledgebase that specified this rule:
>
> ```
> _dmarc IN TXT v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]
> ```
>
> The article has a typo, the `ruf=` needs to have `mailto:` but that's missing. Anyway, seems I have some sane defaults now and I'm carrying on with testing.
>
> Just to be clear:
>
> > ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...
>
> Our system is at defaults.
> By default WHM publishes SPF and DKIM records.
> We migrated those to Cloudflare but got stuck on the DMARC.
>
> Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and the only clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.

Not sure if this may help you, but I did a search about this on Google and found this.
It shows some interesting information; not sure if you saw this already or not.
Some errors show up, and I'm not sure how you would fix them, but at least there is some insight on this page.

 

RoseHosting

Active Member
PartnerNOC
Jan 3, 2003
36
10
158
By default, cPanel creates a 'default' DKIM selector. It seems your domain healinglight.co.za DKIM is not working, hence the DMARC fail.
 

eugenevdm.host

Well-Known Member
Oct 21, 2019
76
9
8
Cape Town
cPanel Access Level
DataCenter Provider
I am so grateful for all these replies which helped me persevere to fix the problem.

In the end it appears there were two problems.

1. DMARC failing because WordPress + WooCommerce sends the incorrect reply-to address.

The client's reply-to address is [email protected] but WordPress defaults to [email protected]

Once I added this to `functions.php` DMARC started passing!

```php
/**
 * Make the envelope sender (Return-Path) match the From: address.
 * Without this, PHPMailer's Sender is left empty and the envelope sender is
 * whatever the server's mail path supplies, so SPF may pass for a domain that
 * does not align with the From: domain and DMARC fails.
 */
class email_return_path {
    function __construct() {
        // phpmailer_init fires just before WordPress hands the message to PHPMailer.
        add_action( 'phpmailer_init', array( $this, 'fix' ) );
    }

    function fix( $phpmailer ) {
        // PHPMailer's Sender property becomes the SMTP MAIL FROM / Return-Path.
        $phpmailer->Sender = $phpmailer->From;
    }
}

new email_return_path();
```

@RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.

2. It appears when the client migrated their DNS to Cloudflare, Cloudflare might have done an automatic import.

It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.

[two screenshot attachments]


thanks again for all the help.
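Point 2 above comes down to how DNS stores long TXT data: each character-string in a TXT record holds at most 255 bytes, so a DKIM public key has to be published as several quoted strings, which WHM writes on separate lines inside parentheses, and a resolver concatenates them with nothing in between. The script below is an added example (not WHM or Cloudflare code) that rebuilds the logical record from the zone-file form and then checks a published DKIM record for the breakages a bad import can leave behind: a literal line break, a stray quote, or only the first string copied. The key material is a constructed placeholder, not a real key.

```python
"""Rebuild and sanity-check a long DKIM TXT record after a zone migration.

Added example; not WHM or Cloudflare code. A TXT record is a sequence of
character-strings of at most 255 bytes each, so a DKIM public key is
published as several quoted strings, often wrapped onto separate lines
inside parentheses. Resolvers concatenate them; an import that keeps the
line break, a quote, or only the first string yields a key that DKIM
verification cannot decode. The key below is a constructed placeholder.
"""
import base64
import re

# Constructed stand-in for a 2048-bit RSA SubjectPublicKeyInfo: 300 bytes, which
# base64-encode to 400 characters and therefore cannot fit one 255-byte string.
_FAKE_KEY_B64 = base64.b64encode(b"\x30\x82\x01\x22" + b"\x00" * 296).decode()
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + _FAKE_KEY_B64


def split_for_bind(record: str, limit: int = 255) -> str:
    """Render a logical TXT value the way a zone file does: quoted 255-byte
    strings, one per line, grouped in parentheses."""
    chunks = [record[i:i + limit] for i in range(0, len(record), limit)]
    return "( " + "\n  ".join(f'"{c}"' for c in chunks) + " )"


def bind_txt_strings(rdata: str) -> list:
    """Extract the quoted character-strings from BIND TXT RDATA."""
    body = rdata.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', body)
    if not strings:
        raise ValueError("no quoted strings found in TXT RDATA")
    return [s.replace('\\"', '"') for s in strings]


def logical_record(rdata: str) -> str:
    """What a resolver hands to the DKIM verifier: the strings joined directly."""
    return "".join(bind_txt_strings(rdata))


def dkim_issues(record: str) -> list:
    """Return the problems found in a published DKIM record (empty list = looks sane)."""
    issues = []
    if "\n" in record or "\r" in record:
        issues.append("literal line break inside the record: strings were not concatenated")
    if '"' in record:
        issues.append("stray quote character inside the record")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("v= tag present but is not DKIM1")
    if "p" not in tags:
        issues.append("no p= tag: public key missing")
        return issues
    try:
        key = base64.b64decode(re.sub(r"\s", "", tags["p"]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        issues.append("p= is not valid base64 (truncated or corrupted key)")
        return issues
    if len(key) < 100:
        issues.append(f"decoded key is only {len(key)} bytes; looks truncated")
    return issues


GOOD_RDATA = split_for_bind(GOOD_RECORD)
# Two ways an import can go wrong: the wrap kept as data, and only the first string copied.
BROKEN_NEWLINE = "\n".join(bind_txt_strings(GOOD_RDATA))
BROKEN_TRUNCATED = bind_txt_strings(GOOD_RDATA)[0]

if __name__ == "__main__":
    print(GOOD_RDATA)
    print("rebuilt matches original:", logical_record(GOOD_RDATA) == GOOD_RECORD)
    for name, rec in [("good", GOOD_RECORD), ("newline", BROKEN_NEWLINE),
                      ("truncated", BROKEN_TRUNCATED)]:
        print(name, dkim_issues(rec) or "OK")
```

To use this against a live zone, feed the TXT value returned for `default._domainkey.<domain>` (cPanel's default selector, as RoseHosting notes) into `dkim_issues()`, and feed the WHM zone-file text into `logical_record()` to get the single string that the migrated record should equal.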
 

mtindor

Well-Known Member
Sep 14, 2004
1,454
110
193
inside a catfish
cPanel Access Level
Root Administrator
> I am so grateful for all these replies which helped me persevere to fix the problem.
>
> In the end it appears there were two problems.
>
> 1. DMARC failing because WordPress + WooCommerce sends the incorrect reply-to address.
>
> The client's reply-to address is [email protected] but WordPress defaults to [email protected]
>
> Once I added this to `functions.php` DMARC started passing!
>
> ```php
> /**
>  * Make the envelope sender (Return-Path) match the From: address.
>  * Without this, PHPMailer's Sender is left empty and the envelope sender is
>  * whatever the server's mail path supplies, so SPF may pass for a domain that
>  * does not align with the From: domain and DMARC fails.
>  */
> class email_return_path {
>     function __construct() {
>         // phpmailer_init fires just before WordPress hands the message to PHPMailer.
>         add_action( 'phpmailer_init', array( $this, 'fix' ) );
>     }
>
>     function fix( $phpmailer ) {
>         // PHPMailer's Sender property becomes the SMTP MAIL FROM / Return-Path.
>         $phpmailer->Sender = $phpmailer->From;
>     }
> }
>
> new email_return_path();
> ```
>
> @RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.
>
> 2. It appears when the client migrated their DNS to Cloudflare, Cloudflare might have done an automatic import.
>
> It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.
>
> [two screenshot attachments]
>
> thanks again for all the help.

Believe it or not, I was going to point both of those things out to you days ago. But I was not 100% sure that the envelope sender was being used (which would mean it wasn't being DKIM signed). I should have posted it anyway. I'm glad you were able to figure it out on your own and get things working!

Mike