
E-mail Return-Path, envelope and DKIM domain are set to the root domain

Discussion in 'E-mail Discussions' started by vlad.t, Nov 5, 2015.

  1. vlad.t

    vlad.t Registered

    Hi,

    I have a VPS with cPanel on it and about 50 domains (all owned by me).
    I'm having an issue with DKIM/DMARC validation for e-mails sent by PHP. At the same time, Webmail and SMTP clients don't have the problem.
    The issue is that, regardless of what domain is sending the e-mails (ex. mysite.com), Exim sets the Return-Path, the envelope, and the DKIM signature on the root domain (ex. vps.myvpsdomain.com) and my cPanel username (ex. my.cpanel.username@vps.myvpsdomain.com). That makes the e-mail DMARC validation fail due to the fact that the DKIM is using a different domain than the domain used in the From header.

    My setup:
    The headers from an e-mail sent by php -> - Removed -

    The headers from an e-mail sent by webmail -> - Removed -
     
    #1 vlad.t, Nov 5, 2015
    Last edited by a moderator: Nov 5, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Are you sending the emails directly through PHP, or are you using SMTP authentication in your PHP script? Please switch to SMTP authentication if you are not already doing so and see if the issue persists.

    Thank you.
     
  3. rinkleton

    rinkleton Active Member

    Out of curiosity, what is the reason to use SMTP over PHP mail? Other than the validation it does.

    I have been manually setting the envelope to get both PHP mail and SMTP to get SPF to pass and both seem to work. But I have a case where I want my bounce address to be different than the envelope-from address. Maybe another question that needs to be answered is: how does cPanel decide which IP to use when 'send mail from an account's dedicated IP' is turned on?

    Sorry to deviate from the original question, but I think the answers to these questions will help the original poster understand why DMARC is failing.
     
  4. vlad.t

    vlad.t Registered

    Using SMTP to send the e-mails is OK, but that's not a solution as far as I can see, as there is too much code that needs to be changed (as I said, I have about 50 domains, each with different code that needs to be changed to SMTP).
    If there is no other option, I will just force the envelope per domain from php.ini.
     
  5. rinkleton

    rinkleton Active Member

    Vlad, are you sure that it is DKIM failing? I recently had DMARC failing because the 'from' address was an @yahoo.com address and they are very strict in their DMARC settings. What I found was it doesn't matter whether you use PHP mail or SMTP, but whatever you use you have to set BOTH the envelope-from and the from address to a domain that has a properly set up SPF record (by properly I mean the SPF record has to include the IP that account would use to send emails from). And in those cases you probably want to set a reply-to.

    Example:
    Return-Path: server@yourdomain.com
    From: sender@yourdomain.com
    Reply-To: someone@yahoo.com

    And 'yourdomain.com' sends emails from IP 1.2.3.4 and that IP is listed in yourdomain.com's SPF record.

    ----

    Unfortunately, if this is your situation, you will have to go through each of your account's code to make the changes. The reason is that DMARC checks against the 'from' address. So just changing to SMTP or forcing envelope won't fix it. WHM has a setting that is supposed to rewrite the from to something that will validate, but I personally don't like the idea of setting this across the board for EVERYTHING... and it also doesn't add a reply-to. I'm about to bite the bullet and go back and update all of our old code.
     
  6. vlad.t

    vlad.t Registered

    That's not the case for me. It's just that the DKIM used on the sent e-mails is using the root domain.

    Partial headers sent with PHP mail():

    I also attached the full headers for both webmail sent emails (which uses SMTP) and mails sent with PHP mail() function. (I hope this time they won't get flagged)
     

  7. rinkleton

    rinkleton Active Member

    DKIM and SPF are passing on both; however, DMARC is failing for PHP mail. This is because your 'From' header doesn't match your 'Return-Path' header. You can fix this 2 ways, both of which should work with PHP mail or SMTP.

    1) Change your envelope from (Return-Path) to an address @mysite.com and make sure your 'From' is also @mysite.com
    2) Change your 'From' to an address @vps.myvpsdomain.com and make 'Reply-To' what your from was.

    Neither is the perfect solution because I'm guessing at some point you are or will be sending email on behalf of a person with a foreign email address and that will cause DMARC problems unless you set it up like one of the two options above and only put their address in the reply-to and not the from.

    Changing to SMTP auth should cause the same results as option 1 as long as the account you are authenticating with is @mysite.com. However, I understand how this will be a lot of work for you. I recommend option 1 because it should be a fairly easy change. Just make sure your 'From' is ALWAYS @mysite.com, and use 'Reply-To' when it should look like it's from a foreign email address.
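
An added example, not part of the thread and not cPanel's code: a Python check of the DMARC identifier alignment discussed in the posts above, run over constructed headers that mimic the PHP mail() and webmail cases. It assumes a naive two-label organizational domain instead of the Public Suffix List, and it checks alignment only, not whether SPF or DKIM actually validate.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (the thread's real headers were removed by a moderator).
PHP_MAIL = """\
Return-Path: <my.cpanel.username@vps.myvpsdomain.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=vps.myvpsdomain.com; s=default; h=From:Subject:To; bh=PLACEHOLDER; b=PLACEHOLDER
From: Shop <orders@mysite.com>
Subject: test

body
"""
# Same message as an authenticated SMTP/webmail send: envelope and d= follow the account domain.
WEBMAIL = (PHP_MAIL
           .replace("my.cpanel.username@vps.myvpsdomain.com", "orders@mysite.com")
           .replace("d=vps.myvpsdomain.com", "d=mysite.com"))


def org_domain(domain):
    """Naive organizational domain: last two labels (assumption; DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a, b, strict=False):
    """Strict alignment needs identical domains; relaxed needs the same organizational domain."""
    a, b = a.lower(), b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_alignment(raw, strict=False):
    """Compare the From: domain with the envelope (Return-Path) and DKIM d= domains."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)  # d= tag, not bh=
        if m:
            dkim_doms.append(m.group(1))
    spf_ok = bool(env_dom) and aligned(from_dom, env_dom, strict)
    dkim_ok = any(aligned(from_dom, d, strict) for d in dkim_doms)
    # DMARC needs at least one mechanism that both passes and is aligned.
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "aligned": spf_ok or dkim_ok}
```

Running `dmarc_alignment(PHP_MAIL)` reports no aligned identifier, which is why a message can show SPF and DKIM passes for vps.myvpsdomain.com and still fail DMARC for mysite.com.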
     
  8. vlad.t

    vlad.t Registered

    Thanks rinkleton, I was hoping there was an option to do this automatically with Exim or from WHM settings, so I won't have to change the code on every site.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The only available option related to this is found under the "Mail" tab in "WHM >> Service Configuration >> Exim Configuration Manager":

    Set SMTP Sender: headers
    (-f flag passed to sendmail) This will create “On behalf of” notices in Microsoft® Outlook, but it may also help track abuse of the mail system since recipients will see the SMTP login used to send each message.


    Thank you.
     