Need help Setting up more than one DMARC record.

Discussion in 'Bind/DNS/Nameserver' started by Spork Schivago, Apr 29, 2018.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hello,

    I have a few licenses for Office 365 Enterprise E3 and a few licenses for Windows 10 Enterprise E3.

    I have a personal domain, personal.com, where DMARC and the SPF records are set up properly and working.

    Then I have my two business domains.
    business.net
    business.com

    I use PowerDNS as my DNS server, with named as the backend. I'm having trouble setting up the proper records required by Microsoft on my VPS business domains.

    This is what I have so far:
    Code:
    # business.net
    business.net.        3600   IN  TXT   "v=spf1 +a +a:hostname.personal.com +mx +ip4:<personal.com IPv4 address> +ip4:<business IPv4 address> +ip6:<personal.com IPv6 address> +ip6:<business IPv6 address> include:spf.protection.outlook.com -all"
    default._domainkey  14400   IN  TXT   "v=DKIM1; k=rsa; p=<my key>"
    selector1._domainkey 3600   IN  CNAME selector1-business-net._domainkey.business.onmicrosoft.com
    selector2._domainkey 3600   IN  CNAME selector2-business-net._domainkey.business.onmicrosoft.com
    
    # business.com
    business.com.        3600   IN  TXT   "v=spf1 +a +a:hostname.personal.com +mx +ip4:<personal IPv4 address> +ip4:<business IPv4 address> +ip6:<personal.com IPv6 address> +ip6:<business IPv6 address> include:spf.protection.outlook.com -all"
    default._domainkey  14400   IN  TXT   "v=DKIM1; k=rsa; p=<my key>"
    selector1._domainkey 3600   IN  CNAME selector1-business-com._domainkey.business.onmicrosoft.com
    selector2._domainkey 3600   IN  CNAME selector2-business-com._domainkey.business.onmicrosoft.com
    
    # personal.com
    personal.com.       14400   IN  TXT   "v=spf1 +a +a:hostname.personal.com +mx +ip4:<personal IPv4 address> +ip4:<business IPv4 address> +ip6:<personal.com IPv6 address> +ip6:<business IPv6 address> include:spf.protection.outlook.com -all"
    default._domainkey  14400   IN  TXT   "v=DKIM1; k=rsa; p=<my key>"
    _dmarc              14400   IN  TXT   "v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=r; pct=100; fo=1; rf=afrf; ri=86400; rua=mailto:email@business.net; ruf=mailto:email@business.net"
    
    business.com and business.net share the same IPv4 and IPv6 address. personal.com has a separate IPv4 and separate IPv6 address.

    Does anyone know why this fails the DKIM test on the online Exchange 365 server? Every time I click Enable DKIM for either of the VPS domains, it says:
    Code:
    CNAME record does not exist for this config. Please publish the following
    two CNAME records first.
     selector1-business-com._domainkey.business.onmicrosoft.com
     selector2-business-com._domainkey.business.onmicrosoft.com
    
    From reading, I'm supposed to have two CNAME records, selector1-business-com._domainkey and selector2-business-com._domainkey.

    Not sure what I'm doing wrong here... I was wondering if it had something to do with me already having it set up for the domain? Maybe I need to change the default._domainkey to the actual name of the domain?

    Or perhaps I need to add the selector1 and selector2 _domainkey's for both business.net and business.com to personal.com's named zone because they're all hosted on the same physical VPS? And it's hostname.personal.com that's sending the messages and has the reverse DNS pointer records.

    I'm also a little worried about cPanel / WHM messing with these. I know I won't be able to use the Zone Editor, but I couldn't find a way to properly add them and keep it nicely formatted without manually editing them. I've had a manually edited one for personal.com for a long time now with no issues, because I like it looking pretty, that's all.

    Any help would be greatly appreciated.

    Thank you.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,804
    Likes Received:
    133
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Spork Schivago

    So ultimately, if I'm reading this correctly, the issue is with the DKIM, not the DMARC (though I understand the end goal is having DMARC enabled).

    Are you sure you're entering the CNAME records correctly? Per their documentation it should be something like:

    Code:
     Host name: selector1._domainkey.contoso.com
     Points to: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
    
     Host name: selector2._domainkey.contoso.com
     Points to: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    You're adding:

    Code:
    selector1._domainkey 3600   IN  CNAME selector1-business-com._domainkey.business.onmicrosoft.com
    selector2._domainkey 3600   IN  CNAME selector2-business-com._domainkey.business.onmicrosoft.com

    If you format the record as follows (for both the business.net and business.com domains, 4 records total):

    Code:
    selector1._domainkey.domain.tld 3600   IN   CNAME selector1-domain-tld._domainkey.domain.onmicrosoft.com
    selector2._domainkey.domain.tld 3600   IN   CNAME selector2-domain-tld._domainkey.domain.onmicrosoft.com
    (Just writing out the full host in the DNS record.)

    Do you get the same error?
     
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Sorry for the long delay. I had no idea how much was involved in setting up a new business. I am so tired, but still have so much left to do before I can just work on my invention.

    Yes, the end goal is with DKIM. I've just been living on four hours of sleep a night for so long now, trying to do everything, I just wasn't thinking clearly. I apologize for that.

    I have updated the DNS records and the Microsoft Portal stuff is being extremely slow right now, so I have to be patient to see if it'll work, but as soon as I get into the Exchange Admin Center, I'll try enabling DKIM.
     
    #3 Spork Schivago, May 3, 2018
    Last edited: May 3, 2018
  4. Spork Schivago

    Spork Schivago Well-Known Member

    Still fails, same message as before. I replaced tld with .com and .net, where applicable. The Exchange Admin page lists the domains as capital letters (just two of them, the way I spell it), and I've been putting them like that, do you think that's the issue?

    Or do you think having the default._domainkey in there could be causing issues?
     
    #4 Spork Schivago, May 3, 2018
    Last edited: May 3, 2018
  5. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @Spork Schivago

    Can you show me the relevant DNS entries you have without including the actual domain name?

    Thank you,
     
  6. Spork Schivago

    Spork Schivago Well-Known Member

    I tried sending you a PM, where I was going to include the entire zone files. I can email them to you, if you PM me your email address, or I can give you temporary SSH shell access to my VPS so you can examine them yourself. Here's the relevant code for both of them (I'm using PowerDNS with named as a backend). There's only one
    Code:
    ;mybusiness.net.db
    selector1._domainkey.MyBusiness.net.         3600   IN  CNAME               selector1-MyBusiness-net._domainkey.MyBusiness.onmicrosoft.com
    selector2._domainkey.MyBusiness.net.         3600   IN  CNAME               selector2-MyBusiness-net._domainkey.MyBusiness.onmicrosoft.com
    
    ;mybusiness.com.db
    selector1._domainkey.MyBusiness.com.         3600   IN  CNAME               selector1-MyBusiness-com._domainkey.MyBusiness.onmicrosoft.com
    selector2._domainkey.MyBusiness.com.         3600   IN  CNAME               selector2-MyBusiness-com._domainkey.MyBusiness.onmicrosoft.com
    
    Only personal.com has a _dmarc TXT record.
     
  7. Spork Schivago

    Spork Schivago Well-Known Member

    For what it's worth, Network Tools: DNS,IP,Email seems to find selector1 and selector2 just fine for both domains....

    I wonder if I have to do something with A) the firewall (iptables), B) ConfigServer Firewall, or C) named.conf / pdns.conf.

    I click the enable DKIM on the Exchange Admin page and then look at dmesg, where I see firewall traffic, but I don't see anything from Microsoft trying to connect. Just someone who's been trying to get in for a few weeks. Same MAC address, trying the same ports for a long time, then changing them a little. I believe that's why I had to restart my server earlier, when I got the message saying a program ran out of memory. CSF (Config Server Firewall) keeps a list of all the hits, and he's been blocked soooooooo many times, it just ate up all my memory I bet. Gonna see if I can find a way to block by MAC address.
     
  8. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @Spork Schivago

    Did the PM not work? Also for the zone files, if you change them to all lower case, is the result at Office365 different? Per what their requirements are, I don't see any issue with the CNAME records added.
     
  9. Spork Schivago

    Spork Schivago Well-Known Member

    Hello @cPanelLauren,

    The PM worked. Sorry, I ended up falling asleep. You know this from our PMs, but just to update the thread, no, changing the names to all lower case did not work.
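
A check that can be run against the CNAME records posted in this thread, as an added example that is not part of any post and not cPanel or Microsoft tooling: in BIND-format zone files, which the PowerDNS BIND backend reads, a name written without a trailing dot has the zone origin appended, and DNS names compare case-insensitively. The function names, the `mybusiness.onmicrosoft.com` tenant name and the sample zone text are assumptions built from the thread's placeholders.

```python
# Added example: expand zone-file names, then compare the DKIM CNAMEs with the expected format.

def absolute(name, origin):
    """A name with no trailing dot is relative to the zone origin (RFC 1035)."""
    origin = origin.lower().rstrip(".") + "."
    name = name.lower()                      # DNS names are case-insensitive
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Map owner -> target (both absolute) for CNAME lines with an explicit owner."""
    found = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # ';' starts a comment
        if "CNAME" in fields[1:-1]:
            i = fields.index("CNAME", 1)
            found[absolute(fields[0], origin)] = absolute(fields[i + 1], origin)
    return found

def expected_dkim_cnames(domain, tenant):
    """Owner -> target in the format quoted from Microsoft's documentation."""
    domain, tenant = (x.lower().rstrip(".") for x in (domain, tenant))
    dashed = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}.":
            f"selector{n}-{dashed}._domainkey.{tenant}." for n in (1, 2)}

def check_zone(zone_text, domain, tenant):
    """Return (owner, problem) pairs for missing or mis-pointed DKIM CNAMEs."""
    published = parse_cnames(zone_text, domain)
    problems = []
    for owner, want in expected_dkim_cnames(domain, tenant).items():
        got = published.get(owner)
        if got is None:
            problems.append((owner, "no CNAME published"))
        elif got != want:
            problems.append((owner, f"resolves to {got}, expected {want}"))
    return problems

# Constructed sample zones using the thread's placeholder names.
RELATIVE_TARGETS = """
selector1._domainkey.MyBusiness.com. 3600 IN CNAME selector1-MyBusiness-com._domainkey.MyBusiness.onmicrosoft.com
selector2._domainkey.MyBusiness.com. 3600 IN CNAME selector2-MyBusiness-com._domainkey.MyBusiness.onmicrosoft.com
"""
ABSOLUTE_TARGETS = RELATIVE_TARGETS.replace("onmicrosoft.com", "onmicrosoft.com.")

if __name__ == "__main__":
    for zone in (RELATIVE_TARGETS, ABSOLUTE_TARGETS):
        print(check_zone(zone, "mybusiness.com", "mybusiness.onmicrosoft.com"))
```

The first sample reports both targets expanding to a name ending in `.onmicrosoft.com.mybusiness.com.`, while the second, with trailing dots on the targets, reports nothing.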
     