The Community Forums


Problems with DMARC and e-mails from cPanel

Discussion in 'Security' started by Spork Schivago, Jun 10, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    464
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    I'm not sure if I should create a new topic for this or not. If I should have created a new topic, maybe an admin could move it to a new thread? It's related to DKIM. It involves DMARC. I set up my DMARC record properly. I received a report from Google today.

    I'm a bit confused and I guess I don't fully understand how DMARC works. Because my server sends daily reports (CSF, cPanel stuff, etc.) to a Gmail address, is that why Google is sending me a DMARC report? I thought my server would be sending me the reports. I guess it makes sense that Gmail would be sending them, because my server would have no way to know if the messages being sent are being reported as spam.

    Anyway, I'm a bit worried about the report I got. It looks like all the messages sent were marked as spam and I'm not sure why. I'd like to fix it so they're not being marked as spam. Here's a copy of the report, with my IP address and domain name changed for security reasons...
    Code:
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>4130617553333294964</report_id>
        <date_range>
          <begin>1496880000</begin>
          <end>1496966399</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>example.com</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>quarantine</p>
        <sp>quarantine</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>192.168.2.2</source_ip>
          <count>12</count>
          <policy_evaluated>
            <disposition>quarantine</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>franklin.example.com</header_from>
        </identifiers>
        <auth_results>
          <spf>
            <domain>franklin.example.com</domain>
            <result>none</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
    
    The dkim = fail and spf = fail are what worry me. If I run:
    Code:
    dig -x <IPv4 address>
    dig -x <IPv6 address>
    
    I see a reverse PTR record for franklin.example.com

    Do the dkim fail and spf fail just mean "if the DKIM and SPF checks fail, or if either fails, mark them as spam", but don't necessarily mean that my 12 e-mails failed the SPF and DKIM checks? I noticed in Gmail the e-mails say "This message was not marked as spam because of a filter you have set up", which, to me, means that if it weren't for that filter, they would have been marked as spam, which makes me think I set up something incorrectly.

    Any help would be greatly appreciated.

    Thanks!
     
  2. Spork Schivago

    Here's another report, and this one confuses me even more:
    Code:
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>17190133660997377761</report_id>
        <date_range>
          <begin>1496966400</begin>
          <end>1497052799</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>example.com</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>quarantine</p>
        <sp>quarantine</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>87.106.26.26</source_ip>
          <count>9</count>
          <policy_evaluated>
            <disposition>quarantine</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>example.com</header_from>
        </identifiers>
        <auth_results>
          <spf>
            <domain>example.com</domain>
            <result>softfail</result>
          </spf>
        </auth_results>
      </record>
      <record>
        <row>
          <source_ip>192.168.2.2</source_ip>
          <count>27</count>
          <policy_evaluated>
            <disposition>quarantine</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>franklin.example.com</header_from>
        </identifiers>
        <auth_results>
          <spf>
            <domain>franklin.example.com</domain>
            <result>none</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
    
    The question here is where the heck is that 87.106.26.26 IP address coming from? It's not assigned to me. I run:
    Code:
    dig -x 87.106.26.26
    
    ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -x 87.106.26.26
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61857
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;26.26.106.87.in-addr.arpa.     IN      PTR
    
    ;; ANSWER SECTION:
    26.26.106.87.in-addr.arpa. 86400 IN     PTR     s15337035.onlinehome-server.info.
    
    ;; Query time: 58 msec
    ;; SERVER: 50.116.58.5#53(50.116.58.5)
    ;; WHEN: Sat Jun 10 14:51:40 EDT 2017
    ;; MSG SIZE  rcvd: 100
    

    I also noticed when I send the e-mails from webmail.example.com, the header in Gmail shows that they're from username@example.com and they pass everything, but if I use something like sendmail, it shows the e-mails are from root@franklin.example.com and DMARC shows as failed.

    This makes me think I need to configure DMARC differently so stuff from franklin.example.com doesn't fail. I used cPanel to configure the DMARC message. This is the raw resource record:
    Code:
    v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=r; pct=100; fo=1; rf=afrf; ri=86400; rua=mailto:username@example.com; ruf=mailto:username@example.com
    
    The resource record is a TXT record called _dmarc.example.com.

    Do I need to set up another _dmarc message, like _dmarc.franklin.example.com., and just copy the record for _dmarc.example.com. to get Gmail to pass everything sent from franklin.example.com?

    Thanks!
     
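To make sense of the two aggregate reports quoted above, here is an added example (not the poster's or cPanel's code) that parses a report of this shape and explains each record. The XML is constructed from the second report in this thread, with the poster's placeholder IPs and domains; the organizational-domain derivation is simplified to the last two labels instead of a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed from the second report quoted above (the poster's placeholder IPs and domains).
REPORT_XML = """<feedback>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
<record><row><source_ip>87.106.26.26</source_ip><count>9</count>
<policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results></record>
<record><row><source_ip>192.168.2.2</source_ip><count>27</count>
<policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>franklin.example.com</header_from></identifiers>
<auth_results><spf><domain>franklin.example.com</domain><result>none</result></spf></auth_results></record>
</feedback>"""

def org_domain(name):
    # Simplification: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    # DMARC alignment: "s" needs an exact match, "r" only a shared organizational domain.
    if not auth_domain:
        return False
    same = header_from.lower() == auth_domain.lower()
    return same if mode == "s" else org_domain(header_from) == org_domain(auth_domain)

def explain_report(xml_text):
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf", "r"), pol.findtext("adkim", "r")
    out = []
    for rec in root.findall("record"):
        hfrom = rec.findtext("identifiers/header_from")
        spf_res = rec.findtext("auth_results/spf/result")
        dkim_res = rec.findtext("auth_results/dkim/result")
        # <policy_evaluated> reports the DMARC verdict: an identifier counts only if it passed AND aligns with header From.
        spf_ok = spf_res == "pass" and aligned(hfrom, rec.findtext("auth_results/spf/domain"), aspf)
        dkim_ok = dkim_res == "pass" and aligned(hfrom, rec.findtext("auth_results/dkim/domain"), adkim)
        if spf_ok or dkim_ok:
            why = "pass"
        elif spf_res in (None, "none") and dkim_res is None:
            why = "no SPF record for the MAIL FROM domain and no DKIM result"
        elif spf_res != "pass":
            why = f"SPF {spf_res}: sending IP not authorized by the SPF record"
        else:
            why = "raw SPF pass but the domain does not align with header From"
        out.append({"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                    "header_from": hfrom, "disposition": rec.findtext("row/policy_evaluated/disposition"),
                    "dmarc_pass": spf_ok or dkim_ok, "why": why})
    return out
```

Run on the embedded report, the 192.168.2.2 row comes back as "no SPF record for the MAIL FROM domain and no DKIM result" (the hostname published nothing for SPF and the mail was unsigned), and the 87.106.26.26 row as an SPF softfail from a host the example.com record does not list.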
  3. Spork Schivago

    I'm going to open a new thread for this problem with DMARC.
     
  4. Spork Schivago

    I'm not sure if this belongs under Security, Bind / DNS / Nameserver Issues, or E-mail. It kind of involves all of the above I guess.

    I have set up SPF and DKIM properly (I believe). I used cPanel to enable them. When I send e-mail using the web interface to my Gmail account, everything goes through fine. However, when cPanel sends me e-mails (or CSF does), the e-mails fail the DMARC test and the messages get marked as spam.

    In Gmail, when I look at the source message (with headers), I see the SPF test passes and the DMARC test fails.

    In the header, I see this:
    Code:
    ARC-Authentication-Results: i=1; mx.google.com;
          spf=pass (google.com: best guess record for domain of root@franklin.example.com designates <IPv4 address> as permitted sender) smtp.mailfrom=root@franklin.example.com;
          dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=example.com
    
    My understanding for DMARC is if a specific policy record for a subdomain does not exist in the DNS zone, the policy from the organizational domain will be applied. Does anyone know if this is true or how I go about fixing this?

    Do I just need to add a DMARC record for the hostname franklin? I did just notice that even though there is an A and AAAA record for franklin, there is no SPF record for franklin. There's an SPF record for example.com and for all the other subdomains. franklin is just the hostname though, and I don't want people to be able to go to https://franklin.example.com.

    Thanks!
     
    #4 Spork Schivago, Jun 14, 2017
    Last edited: Jun 14, 2017
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You'd need to first ensure a separate DNS zone exists for the server's hostname. Then, set up the SPF and DKIM records for the server's hostname using the workaround instructions from the following thread:

    DKIM for main server hostname

    This should prevent Gmail from marking the message as SPAM, based on the recent report in the following thread:

    SOLVED - Cron Emails Are Treated As Spam By Gmail

    Thank you.
     
    Spork Schivago likes this.
  6. Spork Schivago

    Could you go a bit more in detail about this part? The way I understand it (which is probably incorrectly), what makes a zone a zone is a file in the /var/named/ directory, like /var/named/domain.com.db. This zone file contains my DNS entries. Is that correct? If so, are you saying I need to also have a /var/named/hostname.domain.com.db file which includes an A and AAAA record for my hostname?

    Or are you just saying I need to make sure there's an A and AAAA resource record in the DNS Zone Editor for hostname.domain.com?

    **EDIT: I know I can add a zone in WHM and I know how to do that. I just want to make certain that's what you're saying I need to do.

    Thanks!
     
  7. cPanelMichael

    Hello,

    You'd have to remove the existing "A" or "AAAA" entries for the server's hostname from its parent domain name's zone and then add the separate zone for the hostname using the "WHM >> DNS Functions >> Add A DNS Zone" option. A separate zone isn't normally required for the hostname, but setting up the DKIM record for the hostname using the workaround instructions referenced above requires this setup.

    Thank you.
     
  8. Spork Schivago

    cPanelMichael,

    In this second zone, do I need to setup the nameserver and main domain resource records? Besides getting DKIM to work properly with a hostname, generally speaking, why would a person want or need more than one zone? Is it just for people that have a very large number of domains / subdomains? Or maybe people that rent out cPanel hosting (like GoDaddy, in a shared hosting environment), where you don't have access to WHM, but to cPanel and then the admins who own the shared hosting set up individual zones for each user?

    Thanks!
     
  9. Spork Schivago

    I followed the directions and it probably fixed the issue, but I was reading through the post you sent and I see that you can do this with just one zone. I have a question now. Let's say I wanted to keep just the original zone, example.com, and have the A and AAAA resource records for hostname.example.com in it; how would I see what the DKIM key would be so I can manually add the DKIM record for hostname.example.com? Is there a program that generates the keys somewhere?

    Thanks.
     
  10. Spork Schivago

    I think I might have found a way using socketlabs.com/domainkey-dkim-generation-wizard/

    If I understand this correctly, I should be able to run:

    Code:
    /usr/local/cpanel/bin/dkim_keys_uninstall nobody
    
    Then delete the second zone I created earlier, re-add the A and AAAA resource records for my hostname, then use that website to manually generate a 2048-bit key with a selector called default (shouldn't matter for the name) for hostname.example.com, and then just add the DKIM record to the zone, right?

    I tested it a little by generating a key for my main domain and checking the key value against what cPanel added to my zone, and they don't match. They're close, but the private key that the website generated is different than the private key that cPanel generated. I don't think that matters though, so long as I had the proper public key.

    I think I just have to physically copy the private and public keys to /var/cpanel/domain_keys/private and /var/cpanel/domain_keys/public, respectively, with the name hostname.example.com, then just make sure the A and AAAA records are right.

    Does that sound about right?

    Thanks.
     
    #10 Spork Schivago, Jun 14, 2017
    Last edited: Jun 14, 2017
  11. Spork Schivago

    Oh! I'm so close to having it manually done correctly. It passes through Gmail without being marked as spam now, but I see the SPF test is showing as neutral:

    Code:
    spf=neutral (google.com: <IPv4 address> is neither permitted nor denied by best guess record for domain of root@franklin.example.com) smtp.mailfrom=root@franklin.example.com;
    
    I created an SPF TXT resource record for franklin. Guess I'm still missing something, or maybe it's not possible to do it with just the one zone like I'm trying.

    **EDIT: I believe I got it with one zone, instead of a separate zone for my hostname. I just had to modify the SPF resource record and add the +a:hostname.domain.com.

    Now the e-mails pass all checks. Now I think I can use the -all so any e-mail leaving my system from some unauthorized subdomain will fail and end up in spam.

    I've been reading that DKIM is a bit like SSL certs and the keys should be regenerated every couple months. Is that true and if it is, the way I currently set it up (by manually adding the public / private keys and creating the zone entries), will cPanel replace the keys when it renews the other ones?

    Thanks for all the help!!!! This was bugging me for a while now!
     
    #11 Spork Schivago, Jun 14, 2017
    Last edited: Jun 14, 2017
    cPanelMichael likes this.
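The fix described in the post above (publishing an SPF record for the hostname that contains a:hostname.domain.com) can be traced with a small SPF evaluator. This is an added example, not the poster's or cPanel's code: the DNS data is a constructed table using the thread's placeholder host franklin.example.com and IPs rather than live lookups, and only the ip4, ip6, a, mx, include and all mechanisms are implemented (no macros, redirect= or prefix lengths on a/mx).

```python
import ipaddress

# Constructed DNS data, not live lookups: the poster's placeholder hostname and IPs.
SERVER_IP = "192.168.2.2"
ZONE = {
    ("franklin.example.com", "A"): ["192.168.2.2"],
    ("franklin.example.com", "AAAA"): ["2001:db8::2"],
    ("example.com", "MX"): ["franklin.example.com"],
    ("example.com", "TXT"): ["v=spf1 mx ~all"],       # hostname itself publishes no SPF record
}
# After the fix: the hostname publishes its own record naming its A/AAAA addresses.
ZONE_FIXED = {**ZONE, ("franklin.example.com", "TXT"): ["v=spf1 a:franklin.example.com -all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(zone, name, rtype):
    return zone.get((name.lower().rstrip("."), rtype), [])

def addresses(zone, name):
    return [ipaddress.ip_address(a) for a in lookup(zone, name, "A") + lookup(zone, name, "AAAA")]

def check_spf(zone, ip, domain, depth=0):
    """Evaluate the SPF record published by the MAIL FROM domain for one sending IP."""
    if depth > 10:          # RFC 7208 limits DNS-causing terms; treat overrun as permerror
        return "permerror"
    records = [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"       # no record at all: the result Google reported for franklin.example.com
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":   # a:host matches that host's A/AAAA; bare "a" means the domain itself
            matched = sender in addresses(zone, arg or domain)
        elif mech == "mx":
            matched = any(sender in addresses(zone, h) for h in lookup(zone, arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(zone, ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # unsupported mechanism or modifier in this simplified evaluator
        if matched:
            return QUALIFIERS[qual]
    return "neutral"        # nothing matched and no "all" term: default result
```

With the original table the hostname's MAIL FROM yields "none" for the server's own IP; with the fixed table it yields "pass", while the unrelated 87.106.26.26 from the second report gets "fail" against the hostname's -all and "softfail" against example.com's ~all.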
  12. cPanelMichael

    Hello @Spork Schivago,

    I'm glad to see you were able to get it working. Thank you for sharing the outcome and the steps you took.

    DKIM keys are not currently rotated, so cPanel should not automatically replace your existing keys with new ones.

    Thank you.
     
    Spork Schivago likes this.
  13. Spork Schivago

    Do you feel that DKIM keys should be rotated? My understanding is that it's like SSL certs. If someone gets your private key, they can forge messages and pretend they've come from your servers. I believe this is why with companies like Let's Encrypt, SSL certs last a maximum of 3 months, to force users to generate new ones, in case the private key does get leaked.
     
  14. cPanelMichael

    To your point, I can see the security benefit of rotating the keys, but I've not seen any internal discussion regarding this topic. This would make for an excellent feature request:

    Submit A Feature Request

    Thank you.
     
    Spork Schivago likes this.
  15. Spork Schivago

    I submitted one, thanks!
     