Need help Setting up more than one DMARC record.

Spork Schivago

Well-Known Member
Jan 21, 2016
597
66
28
corning, ny
cPanel Access Level
Root Administrator
Hello,

I have a few licenses for Office 365 Enterprise E3 and a few licenses for Windows 10 Enterprise E3.

I have a personal domain, personal.com, where the DMARC and SPF records are set up properly and working.

Then I have my two business domains.
business.net
business.com

I use PowerDNS as my DNS server, with named as the backend. I'm having trouble setting up the proper records required by Microsoft on my VPS business domains.

This is what I have so far:
Code:
# business.net
; CNAME targets end with a dot so they are not expanded relative to $ORIGIN
business.net.        3600   IN  TXT   "v=spf1 +a +a:hostname.personal.com +mx +ip4:<personal.com IPv4 address> +ip4:<business IPv4 address> +ip6:<personal.com IPv6 address> +ip6:<business IPv6 address> include:spf.protection.outlook.com -all"
default._domainkey  14400   IN  TXT   "v=DKIM1; k=rsa; p=<my key>"
selector1._domainkey 3600   IN  CNAME selector1-business-net._domainkey.business.onmicrosoft.com.
selector2._domainkey 3600   IN  CNAME selector2-business-net._domainkey.business.onmicrosoft.com.

# business.com
business.com.        3600   IN  TXT   "v=spf1 +a +a:hostname.personal.com +mx +ip4:<personal IPv4 address> +ip4:<business IPv4 address> +ip6:<personal.com IPv6 address> +ip6:<business IPv6 address> include:spf.protection.outlook.com -all"
default._domainkey  14400   IN  TXT   "v=DKIM1; k=rsa; p=<my key>"
selector1._domainkey 3600   IN  CNAME selector1-business-com._domainkey.business.onmicrosoft.com.
selector2._domainkey 3600   IN  CNAME selector2-business-com._domainkey.business.onmicrosoft.com.

# personal.com
personal.com.       14400   IN  TXT   "v=spf1 +a +a:hostname.personal.com +mx +ip4:<personal IPv4 address> +ip4:<business IPv4 address> +ip6:<personal.com IPv6 address> +ip6:<business IPv6 address> include:spf.protection.outlook.com -all"
default._domainkey  14400   IN  TXT   "v=DKIM1; k=rsa; p=<my key>"
_dmarc              14400   IN  TXT   "v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=r; pct=100; fo=1; rf=afrf; ri=86400; rua=mailto:[email protected]; ruf=mailto:[email protected]"
business.com and business.net share the same IPv4 and IPv6 address. personal.com has a separate IPv4 and separate IPv6 address.

Does anyone know why this fails the DKIM test on the online Exchange 365 server? Every time I click Enable DKIM for either of the VPS domains, it says:
Code:
CNAME record does not exist for this config. Please publish the following
two CNAME records first.
 selector1-business-com._domainkey.business.onmicrosoft.com
 selector2-business-com._domainkey.business.onmicrosoft.com
From reading, I'm supposed to have two CNAME records, selector1-business-com._domainkey and selector2-business-com._domainkey.

Not sure what I'm doing wrong here.... I was wondering if it had something to do with me already having it set up for the domain? Maybe I need to change the default._domainkey to the actual name of the domain?

Or perhaps I need to add the selector1 and selector2 _domainkey records for both business.net and business.com to personal.com's named zone because they're all hosted on the same physical VPS? And it's hostname.personal.com that's sending the messages and has the reverse DNS pointer records.

I'm also a little worried about cPanel / WHM messing with these. I know I won't be able to use the Zone Editor, but I couldn't find a way to properly add them and keep it nicely formatted without manually editing them. I've had a manually edited one for personal.com for a long time now with no issues, because I like it looking pretty, that's all.

Any help would be greatly appreciated.

Thank you.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
Hi @Spork Schivago

So ultimately, if I'm reading this correctly, the issue is with DKIM, not DMARC (though I understand the end goal is having DMARC enabled).

Are you sure you're entering the CNAME records correctly? Per their documentation it should be something like:

Code:
 Host name: selector1._domainkey.contoso.com
 Points to: selector1-contoso-com._domainkey.contoso.onmicrosoft.com

 Host name: selector2._domainkey.contoso.com
 Points to: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

You're adding:

Code:
selector1._domainkey 3600   IN  CNAME selector1-business-com._domainkey.business.onmicrosoft.com.
selector2._domainkey 3600   IN  CNAME selector2-business-com._domainkey.business.onmicrosoft.com.
If you format the records as follows (for both the business.net and business.com domains, 4 records total):

Code:
selector1._domainkey.domain.tld. 3600   IN   CNAME selector1-domain-tld._domainkey.domain.onmicrosoft.com.
selector2._domainkey.domain.tld. 3600   IN   CNAME selector2-domain-tld._domainkey.domain.onmicrosoft.com.
(Just writing out the full host in the DNS record.)

Do you get the same error?
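The records in the opening post and the CNAME form suggested just above can be checked without touching the Microsoft portal at all. The script below is an added example; it is not code from this thread, from cPanel, or from Microsoft. It reads BIND-format zone text the way named does (names are case-insensitive, so they are lowercased per RFC 4343; `@` is the origin; a name without a trailing dot is relative to `$ORIGIN`), verifies that `selector1`/`selector2` CNAMEs point at `selectorN-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com`, reports an unterminated quoted TXT string instead of silently dropping the record, and pulls the tags out of the `_dmarc` record. The two zones, the tenant name `tenant`, and the function names (`parse_zone`, `check_m365_dkim`, `parse_dmarc`, `audit`) are constructed for this example.

```python
import shlex

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}


def fqdn(name, origin):
    """Qualify a name like a BIND zone does: '@' is the origin, a name with no
    trailing dot is relative to the origin, and case is folded (RFC 4343)."""
    origin = origin.lower().rstrip(".") + "."
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def tokenize(line):
    """Split one zone line honouring quotes and ';' comments.
    Raises ValueError on an unterminated quoted string."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = ";"
    return list(lex)


def parse_zone(text, origin):
    """Parse one-record-per-line zone text into (owner, type, rdata) triples,
    with owners and CNAME targets fully qualified. Returns (records, errors)."""
    records, errors, last_owner = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("$"):
            continue  # blank line or $ORIGIN/$TTL directive
        try:
            fields = tokenize(raw)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if not fields:
            continue  # comment-only line
        # A line starting with whitespace inherits the previous owner name.
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        if owner is None:
            errors.append(f"line {lineno}: no owner name")
            continue
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)  # optional TTL and class
        if len(fields) < 2 or fields[0].upper() not in RECORD_TYPES:
            errors.append(f"line {lineno}: unrecognised record")
            continue
        rtype = fields.pop(0).upper()
        rdata = fqdn(fields[0], origin) if rtype == "CNAME" else " ".join(fields)
        records.append((fqdn(owner, origin), rtype, rdata))
    return records, errors


def check_m365_dkim(records, domain):
    """Problems (empty list = OK) with the two selector CNAMEs Microsoft 365
    asks for before DKIM can be enabled on `domain`."""
    domain = domain.lower().rstrip(".")
    cnames = {o: t for o, rtype, t in records if rtype == "CNAME"}
    problems = []
    for n in ("1", "2"):
        owner = f"selector{n}._domainkey.{domain}."
        want = f"selector{n}-{domain.replace('.', '-')}._domainkey."
        target = cnames.get(owner)
        if target is None:
            problems.append(f"missing CNAME {owner}")
        elif not (target.startswith(want) and target.endswith(".onmicrosoft.com.")):
            problems.append(f"{owner} -> {target}: expected {want}<tenant>.onmicrosoft.com.")
    return problems


def parse_dmarc(records, domain):
    """Tags of the _dmarc.<domain> TXT record as a dict, or None if absent."""
    owner = f"_dmarc.{domain.lower().rstrip('.')}."
    for rec_owner, rtype, rdata in records:
        if rec_owner == owner and rtype == "TXT" and rdata.startswith("v=DMARC1"):
            return dict(tag.strip().split("=", 1) for tag in rdata.split(";") if "=" in tag)
    return None


def audit(zone_text, domain):
    """Run every check on one zone and return the findings."""
    records, errors = parse_zone(zone_text, domain)
    return {"errors": errors, "dkim": check_m365_dkim(records, domain),
            "dmarc": parse_dmarc(records, domain)}


# Constructed zones: the .net one is correct (mixed case on purpose); the .com
# one has a relative CNAME target, a wrong selector number and an unclosed quote.
GOOD_ZONE = """\
; business.net (constructed)
business.net.                       3600  IN  TXT   "v=spf1 +mx include:spf.protection.outlook.com -all"
selector1._domainkey.Business.NET.  3600  IN  CNAME selector1-Business-net._domainkey.tenant.onmicrosoft.com.
selector2._domainkey                3600  IN  CNAME selector2-business-net._domainkey.tenant.onmicrosoft.com.
_dmarc                              3600  IN  TXT   "v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=r; pct=100; rua=mailto:dmarc@business.net"
"""

BAD_ZONE = """\
; business.com (constructed)
selector1._domainkey  3600  IN  CNAME selector1-business-com._domainkey.tenant.onmicrosoft.com
selector2._domainkey  3600  IN  CNAME selector1-business-com._domainkey.tenant.onmicrosoft.com.
default._domainkey   14400  IN  TXT   "v=DKIM1; k=rsa; p=EXAMPLEKEY
"""

if __name__ == "__main__":
    for zone, name in ((GOOD_ZONE, "business.net"), (BAD_ZONE, "business.com")):
        print(name, audit(zone, name))
```

Run it with `python3 check_records.py` (the file name is assumed). The detail worth noticing in the constructed .com zone is the first CNAME: its target has no trailing dot, so a zone file qualifies it with `$ORIGIN` and the published record points at a name ending in `.business.com.` rather than at the Microsoft selector name; the checker reports exactly that, while the mixed-case .net zone passes because DNS names compare case-insensitively.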
 

Spork Schivago
Sorry for the long delay. I had no idea how much was involved in setting up a new business. I am so tired, but still have so much left to do before I can just work on my invention.

Yes, the end goal is with DKIM. I've just been living on four hours of sleep a night for so long now, trying to do everything, that I just wasn't thinking clearly. I apologize for that.

I have updated the DNS records, and the Microsoft Portal stuff is being extremely slow right now, so I have to be patient to see if it'll work, but as soon as I get into the Exchange Admin Center, I'll try enabling DKIM.
 

Spork Schivago
Still fails, same message as before. I replaced tld with .com and .net, where applicable. The Exchange Admin page lists the domains with capital letters (just two of them, the way I spell it), and I've been putting them like that. Do you think that's the issue?

Or do you think having the default._domainkey in there could be causing issues?
 

Spork Schivago
I tried sending you a PM, where I was going to include the entire zone files. I can email them to you, if you PM me your email address, or I can give you temporary SSH shell access to my VPS so you can examine them yourself. Here's the relevant code for both of them (I'm using PowerDNS with named as a backend). There's only one
Code:
;mybusiness.net.db
selector1._domainkey.MyBusiness.net.         3600   IN  CNAME               selector1-MyBusiness-net._domainkey.MyBusiness.onmicrosoft.com
selector2._domainkey.MyBusiness.net.         3600   IN  CNAME               selector2-MyBusiness-net._domainkey.MyBusiness.onmicrosoft.com

;mybusiness.com.db
selector1._domainkey.MyBusiness.com.         3600   IN  CNAME               selector1-MyBusiness-com._domainkey.MyBusiness.onmicrosoft.com
selector2._domainkey.MyBusiness.com.         3600   IN  CNAME               selector2-MyBusiness-com._domainkey.MyBusiness.onmicrosoft.com
Only personal.com has a _dmarc TXT record.
 

Spork Schivago
For what it's worth, Network Tools: DNS,IP,Email seems to find selector1 and selector2 just fine for both domains....

I wonder if I have to do something with A) the firewall (iptables), B) ConfigServer Firewall, or C) named.conf / pdns.conf.

I click the enable DKIM on the Exchange Admin page and then look at dmesg, where I see firewall traffic, but I don't see anything from Microsoft trying to connect. Just someone who's been trying to get in for a few weeks. Same MAC address, trying the same ports for a long time, then changing them a little. I believe that's why I had to restart my server earlier, when I got the message saying a program ran out of memory. CSF (Config Server Firewall) keeps a list of all the hits, and he's been blocked soooooooo many times, it just ate up all my memory, I bet. Gonna see if I can find a way to block by MAC address.
 

cPanelLauren
Hi @Spork Schivago

Did the PM not work? Also, for the zone files, if you change them to all lower case, is the result at Office 365 different? Per what their requirements are, I don't see any issue with the CNAME records added.