SOLVED Default settings for SPF on new domains

unco

Active Member
Jun 17, 2010
32
5
58
Southern Pines, NC
Hi -

I have been trying to figure out where I can change the default SPF settings for new domains. I made a typo, which I have to manually fix after a new account is added. That's not such a big problem, but if anyone clicks Email deliverability, they can apply the incorrect info, and that's not good.

I've edited the DNS zone templates with the correct info, but that's not where it's coming from. I'm stumped.

Beth
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,250
313
Houston
made a typo, which I have to manually fix after a new account is added.
What is the error, i.e., in what part of the SPF record? Most of this data is obtained automatically with a few exceptions. The SPF Include is one of these and is in WHM>>Server Configuration>>Tweak Settings
 

unco

Hi - I finally remembered where the issue is presenting itself. When I modify an account or create a new one, at the bottom, there is this:


_ Enable DKIM on this account.

_ Enable SPF on this account.
(v=spf1 +a +mx +ip4:x.x.x.x include:something.com ~all)

I've been looking for the place to fix "something.com," which should be "spf.something.com."

If you can point me there, I would be grateful!

Thanks,
Beth
 

unco

I think I may need to open a ticket with support. I went to each of the servers and the SPF Include Hosts settings are all set to none. Hmm. Thanks!
 

unco

I wonder if it may have something to do with this setting, which is on by default?

Autodiscovery SPF include hosts from the smarthost route list
The system will check each label in the smarthost route list for SPF entries and add an include entry to the SPF records. For example, if the smarthost routelist is set to "* outbound.example.tld" and an SPF record exists for "example.tld", the system adds an SPF include entry for all domains on the system with SPF enabled.

I grepped for the errant hostname in /etc, but it doesn't show up anywhere. :(
 

unco

For the whole server, I am using spamexperts outbound filtering (smarthost). There are some exceptions for folks that use services such as mailgun or sendgrid, etc.


Here's /etc/exim/conf.local

Code:
%RETRYBLOCK%
+secondarymx                    *                               F,4h,5m; G,16h,1h,1.5; F,4d,8h
*                               *                               F,2h,15m; G,16h,1h,1.5; F,4d,8h
@AUTH@
#Section: AUTH
#Smart Host Sending
sendbysmarthosts:
driver = plaintext
public_name = LOGIN
hide client_send = : ${extract{user}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}: ${extract{pass}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
@[email protected]

@CONFIG@
hostlist selist = ${lookup dnsdb{>: a=delivery.antispamcloud.com}}
hostlist smart_hosts = lsearch;/etc/smarthosts
hostlist trustedmailhosts = +selist : lsearch;/etc/trustedmailhosts
chunking_advertise_hosts = ""
message_size_limit = 150M
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@PREROUTERS@
#Section: PREROUTERS
#Smart Host Sending
sendbysmarthostsrouter:
driver = manualroute
domains = ! +local_domains
condition =  "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/exim_smarthosts}{$value}}}{}{false}{true}}"
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
headers_add = "${perl{mailtrapheaders}}"
transport = sendbysmarthoststransport
route_list = * ${extract{smtp}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

smarthost_dkim:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  headers_add = "${perl{mailtrapheaders}}"
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  transport = remote_smtp_smart_dkim
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
#  route_list = * "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"


smarthost_regular:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  headers_add = "${perl{mailtrapheaders}}"
  transport = remote_smtp_smart_regular
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
#  route_list = * "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"


@[email protected]

@[email protected]

@TRANSPORTSTART@

#Section: TRANSPORTSTART
#Smart Host Sending
sendbysmarthoststransport:
driver = smtp
port = ${extract{port}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
hosts_require_auth = $host_address
# hosts_require_tls = $host_address

remote_smtp_smart_dkim:
  driver = smtp
#hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
dkim_domain = $sender_address_domain
dkim_selector = default
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
dkim_canon = relaxed

remote_smtp_smart_regular:
  driver = smtp
#hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
 

cPanelLauren

I think you're very much right in your assumption with the Autodiscovery. Is the domain being added to the SPF include a domain you recognize? It's checking the routelist but yours isn't as straightforward as /etc/staticroutes

Code:
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
Did you try something like:

Code:
grep -ir "domain.tld" /etc/
 

unco

I contacted support on this issue. It has been resolved by turning off Autodiscovery SPF include hosts from the smarthost route list. Even though the actual hostname in question wasn't in there, it worked! We can mark this one solved.
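
An added example, not part of the original posts and not cPanel's code: a small offline audit that models the label check described in the quoted Autodiscovery help text and then lints an SPF record's include: targets against the hosts an admin actually intends to authorize. The DNS table, the `smtp.something.com` route host, the approved set and the walk over parent labels are assumptions made for illustration; cPanel's real discovery logic may differ.

```python
# Added example. SAMPLE_TXT is constructed data standing in for DNS TXT lookups.
SAMPLE_TXT = {
    "something.com": ["v=spf1 mx -all"],
    "spf.something.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "example.tld": ["v=spf1 ip4:198.51.100.0/24 -all"],
}


def spf_records(name, txt=SAMPLE_TXT):
    """Return the TXT strings at `name` that are SPF version 1 records."""
    found = []
    for rec in txt.get(name.lower().rstrip("."), []):
        low = rec.lower()
        if low == "v=spf1" or low.startswith("v=spf1 "):
            found.append(rec)
    return found


def autodiscover_candidates(smarthost, txt=SAMPLE_TXT):
    """Assumed model of the label check: the route host and each parent
    domain (TLD excluded) that publishes SPF becomes an include candidate."""
    labels = smarthost.lower().rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [n for n in names if spf_records(n, txt)]


def include_targets(record):
    """Extract include: domains from an SPF record, dropping any qualifier."""
    targets = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("include:"):
            targets.append(mech[len("include:"):].lower())
    return targets


def lint_includes(record, approved, txt=SAMPLE_TXT):
    """Classify each include: 'permerror' if the target does not publish
    exactly one SPF record (RFC 7208), 'unexpected' if not approved, else 'ok'."""
    report = {}
    for target in include_targets(record):
        if len(spf_records(target, txt)) != 1:
            report[target] = "permerror"
        elif target not in approved:
            report[target] = "unexpected"
        else:
            report[target] = "ok"
    return report
```

Run against real zones by replacing `SAMPLE_TXT` with the output of your own TXT lookups; an "unexpected" include is one to trace back to a template or an autodiscovery setting before the record is applied.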
 