Setting up SPF and DKIM records

magicalwonders

Well-Known Member
Nov 21, 2012
112
2
18
cPanel Access Level
Root Administrator
I'm trying to improve the deliverability of my email from a domain on my server to Hotmail and MSN addresses.

So far I have assigned the domain a dedicated IP address, and have requested the host to apply reverse DNS.

My autoresponder vendor has advised that I should also enable SPF and DKIM records. I understand that I do this through the Advanced DNS Zone Editor in cPanel. However, I don't know what to put in the various boxes! Can anyone advise me where I get this info from?

Hope someone can help.

Myles
 

magicalwonders

> Actually you do it through the Email Authentication option under the Mail section.

It seems to be a bit more complicated than that. The Email Authentication option under the Mail section applies to incoming mail.
I'm trying to set up DKIM for outgoing mail.

I've found one reference which says it is done through the Advanced DNS Zone Editor, but doesn't really explain much more. Then there are these instructions http://www.digitalsanctuary.com/tech-blog/debian/setting-up-spf-senderid-domain-keys-and-dkim.html which seem to apply to SMTP mail whereas I'm using Exim.

It might be time to find an expert and pay someone!
 

magicalwonders

I got the following report -

Code:
==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    neutral
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  avasout02.plus.net
Source IP:      212.159.14.17
mail-from:      [email protected] removed

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: Neutral)
ID(s) verified: [email protected]
DNS record(s):
    magicalwonders.com. SPF (no records)
    magicalwonders.com. 12796 IN TXT "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all"
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: 

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: Neutral)
ID(s) verified: [email protected]
DNS record(s):
    magicalwonders.com. SPF (no records)
    magicalwonders.com. 12796 IN TXT "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all"
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)

Result:         ham  (0.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [212.159.14.17 listed in list.dnswl.org]
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4570]

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.
It looks like it's saying I have no SPF record - I entered "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all" So not sure what's gone wrong?
 

Infopro

Well-Known Member
May 20, 2003
17,076
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter

magicalwonders

> cPanel takes care of this for you, with a few buttons. :)

O.K. thanks. Maybe this will be easier than it first looked!

I removed the changes, then re-enabled them. This time I got this result -

DKIM
Status: Enabled & Active (DNS Check Passed)
It still seems to be referring to just incoming mail though -
This feature works to prevent incoming spam messages.
I checked my version of cPanel and I'm running 11.34.1

The SPF record is now showing as follows -
Status: Enabled & Active (DNS Check Passed)
Your current raw SPF record is : v=spf1 +a +mx +ip4:198.23.157.248 ?all
The IP address it is showing though is the main server address and not the dedicated IP address for the domain. Is that how it's supposed to be?
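
Added example, not part of any post in this thread: a minimal offline SPF evaluator (only the a, mx, ip4 and all mechanisms) run on the two records quoted above, the TXT record from the report and the record cPanel generated. The DNS data is copied from the report; that the domain's A and MX records were unchanged when cPanel wrote the second record is an assumption.

```python
import ipaddress

# DNS data copied from the report in this thread; no live lookups are made.
ZONE = {
    ("magicalwonders.com", "A"): ["198.23.157.249"],
    ("magicalwonders.com", "MX"): ["magicalwonders.com"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
REPORT_RECORD = "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all"
CPANEL_RECORD = "v=spf1 +a +mx +ip4:198.23.157.248 ?all"


def a_records(name):
    return ZONE.get((name.rstrip("."), "A"), [])


def check_spf(record, domain, client_ip):
    """Return (result, matching term) for a subset of RFC 7208."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:  # mechanisms are tried left to right
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in a_records(arg or domain)
        elif name == "mx":
            hosts = ZONE.get(((arg or domain).rstrip("."), "MX"), [])
            matched = any(client_ip in a_records(h) for h in hosts)
        else:
            raise ValueError(f"term outside this subset: {term}")
        if matched:
            return RESULTS[qualifier], term  # first match decides
    return "neutral", None  # nothing matched: default result


if __name__ == "__main__":
    domain = "magicalwonders.com"
    # 212.159.14.17 is the source IP in the report (HELO avasout02.plus.net).
    print(check_spf(REPORT_RECORD, domain, "212.159.14.17"))
    # Dedicated IP and main server IP against the cPanel-generated record.
    print(check_spf(CPANEL_RECORD, domain, "198.23.157.249"))
    print(check_spf(CPANEL_RECORD, domain, "198.23.157.248"))
```

In the report, `SPF (no records)` is the lookup of the separate SPF record type; the TXT record on the following line is the policy that was evaluated. The neutral result comes from `?all`, because the source IP 212.159.14.17 matches none of the earlier mechanisms.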
 

magicalwonders

> Did you check out that other link I posted about changing the IP?

Yes, I've looked at the page, but I haven't implemented the changes yet. Should that really be done before creating the SPF and DKIM records?

The first part of the instructions is fine, but I've not created files from the command line yet, so I'll need to read up on that.

....I've just had a look using Bitvise SSH Client. As well as a command line it displays all the files on the server, very much like FileZilla. I can see under /etc that the two files mailhelo and mailips already exist, and were created on 7th Feb. They are showing file size 0. Is my next step to download them, edit them with nano, vi, or vim, and upload back to the directory?

I don't suppose a regular text editor like Notepad will work?
 

Infopro

> Should that really be done before creating the SPF and DKIM records?

In doing so it will add the account's IP to the record.

Your suggested steps are outlined in the docs.

You probably should not edit anything like this in notepad, or MS wizard or anything else other than from the command line, logged in as root. There are plenty of threads on this forum, and docs and how-tos via Google to get you going in the right direction. You should read up a bit before making any changes to be safe.
 

SrVeteranAdm

Registered
Nov 1, 2013
1
2
3
cPanel Access Level
Website Owner
I'm curious why the person with the original question needed to ask the same question over and over again.
Why couldn't the Product Evangelist have given all the instructions in one entry?
It seems to have been unnecessarily drawn out.
 

Infopro

> I'm curious why the person with the original question needed to ask the same question over and over again.
> Why couldn't the Product Evangelist have given all the instructions in one entry?
> It seems to have been unnecessarily drawn out.

The original question was actually answered twice.

Question:
...
So far I have assigned the domain a dedicated IP address, and have requested the host to apply reverse DNS.

My autoresponder vendor has advised that I should also enable SPF and DKIM records.

...
Answer:
Actually you do it through the Email Authentication option under the Mail section.
Answer:
Open your cPanel, find Mail section, find Email Authentication icon and click. On this page click the enable buttons.
The Email Authentication page is where this is enabled.

Is there something you're stuck on here or was this thread useful to you?
 

magicalwonders

> I'm curious why the person with the original question needed to ask the same question over and over again.
> Why couldn't the Product Evangelist have given all the instructions in one entry?
> It seems to have been unnecessarily drawn out.

Well, I am the OP and I don't believe I asked the same question over and over again. Lol. I was stuck with a problem that has conflicting advice from around the internet. So I posted on this forum. Was it wrong to engage in a dialogue and seek clarification on a subject I was confused about?

Whilst on the subject of curiosity however, I'm now curious as to why someone's first post resurrects a thread that has been dormant for three months! Lol