Best practice for DMARC if cPanel user has migrated DNS to Cloudflare

[eugenevdm.host]

See below screenshot below.

My client decided to migrate his DNS to Cloudflare and now he is having a world of trouble sending emails to `@gmail` users from his WooCommerce enabled WordPress site.

By using the menu "Show original" in Gmail we can indeed see there is a problem. DMARC is failing.

I'm completey overwhelmed by amount of options DMARC present - all I really want are some sane defaults.
It appears that WHM doesn't present default DMARC records, and when you use the add DMARC DNS you end up with this incredibly complex string:

v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400

We are not even sure if this is the problem, but to alleviate the pain we copied the WHM generated SPF record and then also tried copying the WHM generated DKIM record to Cloudflare. Still no joy. Does anyone know what I can try next? Do I really have to study adkim, aspf, fo, ri and all that jazz, or is there a sane default for the +100 domains on my server?

 

[ITHKBO]

Have you tried using the dmarcian generator?

DMARC Record Wizard - dmarcian

dmarcian's DMARC Record Wizard allows you to create your DMARC Record for your domain so you can gain valuable insights.

dmarcian.com

We use the following tool developed by URIports to test settings in a way that customers also can follow it is also a handy tool to troubleshoot real connections.

Learn and Test DMARC

Learn and Test DMARC

www.learndmarc.com

Though studying DMARC, DKIM, DANE etc is highly recommended regardless.

 

[cPRex]

I would agree that reading about the DMARC settings is a good plan. I don't have them memorized (yet) but they control how a message gets handled after SPF and DKIM have been scanned. Cloudflare has some good documentation on this here:

https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/

Google's recommendation for that failure is to check the DMARC report:

Troubleshoot DMARC issues - Google Workspace Admin Help

Protect against spoofing & phishing, and help prevent messages from being marked as spamFollow the troubleshooting steps in this article if messages from your domain are: Failing DMARC Rejected

support.google.com

so that may be a good place to start.

 

[eugenevdm.host]

Thanks guys so much for the replies.

> Though studying DMARC, DKIM, DANE etc is highly recommended regardless
> agree that reading about the DMARC settings is a good plan

I don't think I am expressing myself properly in the context of the problem I am trying to solve. The facts are:

- WHM doesn't generate a DMARC record by default
- WHM generates SPF and DKIM by default
- The wizard recommended by @ITHKBO Dmarcian seems to be a paid service for the analysis of DMARC failures
- I have over 100 clients domains on my system and I need an universal, generic advice

I have written over 500 hosting articles and I'm sure with time I'll also become a DMARC expert.

What I am asking is this:

- What is best practice DMARC for a WHM server with 100 client domains? I can't run that wizard for a 100 domains.
- Does it seem valid to copy the DKIM and SPF "as is" to the Cloudflare DNS and then add some kind of "universal" DMARC record? Of do I really have to customize it specific for this client? Do I really have to analyze failures every time? For 100 clients?

Thanks again for responding, community support really means a lot to me.

 

[mtindor]

Use at least a default generic DMARC record (but only if your domains have SPF records and/or are DKIM signing)

"v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"

DMARC should pass if SPF or DKIM signing pass. In your previous example though, SPF passed by DMARC didn't.

At any rate, don't publish DMARC records unless you are publishing valid SPF / DKIM records, if you want the best outcome.

 

[eugenevdm.host]

Hi @mtindor

Thank you so much. I have since also discovered How to configure a zone template so that newly added accounts and domains get a DMARC record in the WHM knowledgebase that specified this rule:

_dmarc IN TXT v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]

The article has a typo, the `ruf=` needs to have `mailto:` but that's missing. Anyway, seems I have some sane defaults now and I'm carrying on with testing.

Just to be clear:

> ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...

Our system is at defaults.
By default WHM publishes SPF and DKIM records.
We migrated those to Cloudflare but got stuck on the DMARC.

Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and all clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.

 

[Spirogg]

Hi @mtindor

Thank you so much. I have since also discovered How to configure a zone template so that newly added accounts and domains get a DMARC record in the WHM knowledgebase that specified this rule:

_dmarc IN TXT v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]

The article has a typo, the `ruf=` needs to have `mailto:` but that's missing. Anyway, seems I have some sane defaults now and I'm carrying on with testing.

Just to be clear:

> ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...

Our system is at defaults.
By default WHM publishes SPF and DKIM records.
We migrated those to Cloudflare but got stuck on the DMARC.

Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and all clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.

not sure if this may help you but I did a search about this on google and found this
shows some interesting information not sure if you saw this already or not.
some errors show up not sure how you would fix them but at least there is some insight on this page.

Check MX: There were some non-critical problems detected with this domain.

toolbox.googleapps.com

 

[RoseHosting]

By default, cPanel creates 'default' DKIM selector. It seems your domain healinglight.co.za DKIM is not working, hence DMARC fail.

 

[eugenevdm.host]

I am so greatful for all these replies which helped me persevere to fix the problem.

In the end it appears there were two problems.

1. DMARC failing because WordPress + WooCommerce sends the incorrect reply to address.

The client's reply-to address is [email protected] but WordPress defaults to [email protected]

Once I added this to `functions.php` DMARC started passing!

```php
class email_return_path {
function __construct() {
add_action( 'phpmailer_init', array( $this, 'fix' ) );
}

function fix( $phpmailer ) {
$phpmailer->Sender = $phpmailer->From;
}
}

new email_return_path();
```

@RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.

2. It appears when the client migrated their DNS to CloudFlare, CloudFlare might have done an automatic import.

It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long, is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.







thanks again for all the help.

 

[cPRex]

I'll make sure that article gets updated!

We also have this one that talks about creating the actual record, but it seems you were able to get this working: https://support.cpanel.net/hc/en-us/articles/360055638973-How-to-build-a-DMARC-record

 

[mtindor]

I am so greatful for all these replies which helped me persevere to fix the problem.

In the end it appears there were two problems.

1. DMARC failing because WordPress + WooCommerce sends the incorrect reply to address.

The client's reply-to address is [email protected] but WordPress defaults to [email protected]

Once I added this to `functions.php` DMARC started passing!

```php
class email_return_path {
function __construct() {
add_action( 'phpmailer_init', array( $this, 'fix' ) );
}

function fix( $phpmailer ) {
$phpmailer->Sender = $phpmailer->From;
}
}

new email_return_path();
```

@RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.

2. It appears when the client migrated their DNS to CloudFlare, CloudFlare might have done an automatic import.

It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long, is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.

View attachment 75689


View attachment 75693


thanks again for all the help.

Believe it or not, I was going to point both of those things out to you days ago. But I was not 100% sure that the envelope sender was being used (which would mean it wasn't being DKIM signed). I should have posted it anyway. I'm glad you were able to figure it out on your own and get things working!

Mike