E-mail Return-Path, envelope and dkim domain are set to the root domain

vlad.t

Registered
Nov 5, 2015
4
0
1
Bucharest
cPanel Access Level
Root Administrator
Hi,

I have a VPS with CPanel on it and about 50 domains (all owned by me).
I'm having an issue with dkim/dmarc validation for e-mails sent by PHP. At the same time Webmail and SMTP clients don't have the problem.
The issue is that, regardless of what domain is sending the e-mails (ex. mysite.com), Exim sets the Return-Path, the envelope, and the DKIM signature on the root domain (ex. vps.myvpsdomain.com) and my CPanel username (ex. [email protected]). That makes the e-mail DMARC validation fail due to the fact that the DKIM is using a different domain than the domain used in the From header.

My setup:
PHP Version: 5.5.30
PHP 5 Handler: suphp

Apache suEXEC: on
Apache Ruid2: off
Apache MPM: prefork
The headers from an e-mail sent by php -> - Removed -

The headers from an e-mail sent by webmail -> - Removed -
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello :)

Are you sending the emails directly through PHP, or are you using SMTP authentication in your PHP script? Please switch to SMTP authentication if you are not already doing so and see if the issue persists.

Thank you.
 

rinkleton

Well-Known Member
Jul 16, 2015
121
6
68
Cleveland
cPanel Access Level
Root Administrator
Out of curiosity, what is the reason to use SMTP over php mail? Other than the validation it does.

I have been manually setting the envelope to get both php mail and SMTP to get SPF to pass and both seem to work. But I have a case where I want my bounce address to be different than the envelope-from address. Maybe another question that needs answered is: how does cpanel decide which IP to use when 'send mail from an account's dedicated IP' is turned on?

Sorry to deviate from the original question, but I think the answers to these questions will help the original poster understand why DMARC is failing.
 

vlad.t

> Hello :)
>
> Are you sending the emails directly through PHP, or are you using SMTP authentication in your PHP script? Please switch to SMTP authentication if you are not already doing so and see if the issue persists.
>
> Thank you.

Using SMTP to send the e-mails is ok, but that's not a solution as far as I can see, as there is too much code that needs to be changed (as I said, I have about 50 domains, each with different code that needs to be changed to SMTP).
If there is no other option, I will just force the envelope per domain from php.ini.
 

rinkleton

Vlad, are you sure that it is DKIM failing? I recently had DMARC failing because the 'from' address was an @yahoo.com address and they are very strict in their DMARC settings. What I found was it doesn't matter whether you use php mail or SMTP, but whatever you use you have to set BOTH the envelope-from and the from address to a domain that has a properly set up SPF record (by properly I mean the SPF record has to include the IP that account would use to send emails from). And in those cases you probably want to set a reply-to.

Example:
Return-Path: [email protected]
From: [email protected]
Reply-To: [email protected]

And 'yourdomain.com' sends emails from IP 1.2.3.4 and that IP is listed in yourdomain.com's SPF record.

----

Unfortunately if this is your situation, you will have to go through each of your account's code to make the changes. The reason being is that DMARC checks against the 'from' address. So just changing to SMTP or forcing envelope won't fix it. WHM has a setting that is supposed to rewrite the from to something that will validate, but I personally don't like the idea of setting this across the board for EVERYTHING... and it also doesn't add a reply-to. I'm about to bite the bullet and go back and update all of our old code.
 

vlad.t

> What I found was it doesn't matter whether you use php mail or SMTP, but whatever you use you have to set BOTH the envelope-from and the from address to a domain that has a properly set up SPF record

That's not the case for me. It's just that the DKIM used on the sent e-mails is using the root domain.

Partial headers sent with PHP mail():
Return-Path: <my.cpanel.username@vps.myvpsdomain.com>
Received: from vps.myvpsdomain.com (vps.myvpsdomain.com. [111.111.111.111])
Received-SPF: pass (google.com: domain of my.cpanel.username@vps.myvpsdomain.com designates 111.111.111.111 as permitted sender) client-ip=111.111.111.111;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of my.cpanel.username@vps.myvpsdomain.com designates 111.111.111.111 as permitted sender) smtp.mailfrom=my.cpanel.username@vps.myvpsdomain.com;
dkim=pass header.i=@vps.myvpsdomain.com;
dmarc=fail (p=NONE dis=NONE) header.from=mysite.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=vps.myvpsdomain.com; s=default; h=Date:Message-Id:From:Subject:To;
Received: from my.cpanel.username by vps.myvpsdomain.com with local (Exim 4.86)
(envelope-from <my.cpanel.username@vps.myvpsdomain.com>)
From: test@mysite.com
X-AntiAbuse: Primary Hostname - vps.myvpsdomain.com
X-AntiAbuse: Sender Address Domain - vps.myvpsdomain.com
X-Get-Message-Sender-Via: vps.myvpsdomain.com: authenticated_id: my.cpanel.username/from_h
X-Authenticated-Sender: vps.myvpsdomain.com: test@mysite.com

I also attached the full headers for both webmail sent emails (which uses SMTP) and mails sent with PHP mail() function. (I hope this time they won't get flagged)
 


rinkleton

DKIM and SPF are passing on both; however, DMARC is failing for PHP mail. This is because your 'From' header doesn't match your 'Return-Path' header. You can fix this 2 ways, both of which should work with PHP mail or SMTP.

1) Change your envelope from (Return-Path) to an address @mysite.com and make sure your 'From' is also @mysite.com
2) Change your 'From' to an address @vps.myvpsdomain.com and make 'Reply-To' what your from was.

Neither is the perfect solution because I'm guessing at some point you are or will be sending email on behalf of a person with a foreign email address and that will cause DMARC problems unless you set it up like one of the two options above and only put their address in the reply-to and not the from.

Changing to SMTP auth should cause the same results as option 1 as long as the account you are authenticating with is @mysite.com. However, I understand how this will be a lot of work for you. I recommend option 1 because it should be a fairly easy change. Just make sure your 'From' is ALWAYS @mysite.com, and use 'Reply-To' when it should look like it's from a foreign email address.
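
Added example, not part of the thread: a small Python check of DMARC identifier alignment (RFC 7489, relaxed mode) run over a constructed copy of the partial PHP mail() headers quoted above, then over the same headers rewritten per option 1 and option 2. Assumptions: `org_domain` is a naive last-two-labels stand-in for a Public Suffix List lookup, `bounce@mysite.com` is a hypothetical address, and the sending IP is taken to be listed in mysite.com's SPF record so SPF still passes after the envelope change.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, reduced from the PHP mail() headers posted in the thread.
PHP_MAIL_HEADERS = """\
Return-Path: <my.cpanel.username@vps.myvpsdomain.com>
Authentication-Results: mx.google.com;
 spf=pass smtp.mailfrom=my.cpanel.username@vps.myvpsdomain.com;
 dkim=pass header.i=@vps.myvpsdomain.com;
 dmarc=fail (p=NONE dis=NONE) header.from=mysite.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=vps.myvpsdomain.com; s=default; h=Date:Message-Id:From:Subject:To;
From: test@mysite.com

"""
# Option 1: envelope sender moved to the From domain (hypothetical bounce address).
OPTION1 = PHP_MAIL_HEADERS.replace(
    "my.cpanel.username@vps.myvpsdomain.com", "bounce@mysite.com")
# Option 2: From moved to the hostname domain that SPF and DKIM already cover.
OPTION2 = PHP_MAIL_HEADERS.replace(
    "From: test@mysite.com", "From: test@vps.myvpsdomain.com")

def org_domain(domain):
    # Assumption: last two labels; a real check needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_alignment(raw_headers):
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    env_domain = parseaddr(msg["Return-Path"] or "")[1].rpartition("@")[2]
    d_tag = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"] or "")
    dkim_domain = d_tag.group(1) if d_tag else ""
    results = msg["Authentication-Results"] or ""
    spf_ok = re.search(r"\bspf=pass\b", results) is not None
    dkim_ok = re.search(r"\bdkim=pass\b", results) is not None
    spf_aligned = spf_ok and aligned(env_domain, from_domain)
    dkim_aligned = dkim_ok and aligned(dkim_domain, from_domain)
    # DMARC passes when at least one passing mechanism is aligned with From.
    return {"from": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    for name, hdrs in [("php mail()", PHP_MAIL_HEADERS),
                       ("option 1", OPTION1), ("option 2", OPTION2)]:
        print(name, dmarc_alignment(hdrs))
```
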
 

cPanelMichael

> Thanks rinkleton, I was hoping there was an option to do this automatically with EXIM or from WHM settings, so I won't have to change the code on every site.

Hello :)

The only available option related to this is found under the "Mail" tab in "WHM >> Service Configuration >> Exim Configuration Manager":

Set SMTP Sender: headers
(-f flag passed to sendmail) This will create “On behalf of” notices in Microsoft® Outlook, but it may also help track abuse of the mail system since recipients will see the SMTP login used to send each message.


Thank you.