Articles in this section

See more

cPanel Notifications are marked as spoofed by third party or custom spam detection that is configured within the server

Austin Lowery
  • Updated
Follow

Symptoms

When a notification is sent from a cPanel account, it is flagged as being spoofed due to a mismatch between the "Authenticated Sender" and the From, or Envelope From address.

 

Description 

 

Previously a feature request was completed that made it so that cPanel notifications are sent via SMTP authentication on the server:

cPanel Feature Requests - Improve deliverability of emails coming from cpanel@userdomain.com

 

When we completed this feature request, it ensured that cPanel notifications would be sent via SMTP authentication. This makes it so that special authentication headers are added to the message to verify that the message was sent legitimately from our notification system

 

Some third-party, or custom spam prevention configurations setup on your server may not be aware of how our contact system works, or how it authenticates via SMTP. 

 

As a result, the third-party or custom spam prevention solution may incorrectly detect our notifications as being spoofed when they are in fact not spoofed.

 

Resolution Explanation

 

In order to resolve this problem, you must reach out to a systems administrator with the skills, training, and expertise required to update your custom or third-party spam solution so that it will properly detect cPanel notifications and allow them to be delivered without issue.

 

Due to the vast array of possible custom implementations that could have been setup on your server, cPanel support is not able to update your custom configuration or third-party solution to be compatible with cPanel notifications. However, we would like to offer the following information so that your systems administrator understands how our system works, which will allow them to proceed with updating your custom configuration to be compatible with cPanel notifications.

 

In order to explain this, we'll first provide a portion of the pertinent headers from a cPanel Sub Account Invidiation notification that was sent to a third-party Gmail account. If you would like to be able to find headers from a notification sent from your server to compare, you can learn how to do so here:

How to find email headers

 

Example Headers

Please ignore SPF error that occurred due to the testing domain that was in use for this example. It is irrelevant in this particular situation.

Authentication-Results: mx.google.com;
       spf=neutral (google.com: 184.94.197.2 is neither permitted nor denied by best guess record for domain of cpanel@cptest.tld) smtp.mailfrom=cpanel@cptest.tld
Received: from [127.0.0.1] (port=51048 helo=localhost.localdomain) by examplehostanme.examplecpanelserver.tld with esmtpa (Exim 4.92) (envelope-from <cpanel@cptest.tld>) id 1lRL9R-0001Js-Tv for thirdpartyaddress@gmail.com; Tue, 30 Mar 2021 15:39:49 -0500
Date: Tue, 30 Mar 2021 20:39:49 GMT
From: "cPanel on cptest.tld" <cpanel@cptest.tld>
Message-Id: <1617136789.aKnNROrJP6S5xwuc@examplehostanme.examplecpanelserver.tld>
Subject: [cptest.tld] Welcome to your new account: thisisatestemailaccount@cptest.tld
To: <thirdpartyaddress@gmail.com>
X-iContact_locale: en
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="alternative-Cpanel::Email::Object-5073-1617136789-0.304171569502564"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - examplehostanme.examplecpanelserver.tld
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cptest.tld
X-Get-Message-Sender-Via: examplehostanme.examplecpanelserver.tld: authenticated_id: __cpanel__service__auth__icontact__t88825cdf45zpcl6/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: examplehostanme.examplecpanelserver.tld: __cpanel__service__auth__icontact__t88825cdf45zpcl6
X-Source: 
X-Source-Args: 
X-Source-Dir:

 

You'll notice that the envelope-from and the From address in the above headers match:

(envelope-from <cpanel@cptest.tld>)
From: "cPanel on cptest.tld" <cpanel@cptest.tld>

 

These will always match on a cPanel notification and are not the source of the issue that your custom setup is finding.

 

The issue that your custom setup is finding comes from a mismatch in one or both of the above headers and the following authentication headers:

X-Get-Message-Sender-Via: examplehostanme.examplecpanelserver.tld: authenticated_id: __cpanel__service__auth__icontact__t88825cdf45zpcl6/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: examplehostanme.examplecpanelserver.tld: __cpanel__service__auth__icontact__t88825cdf45zpcl6

 

Because cPanel notifications must be sent out from a single source, and there can be hundreds or potentially thousands of different email addresses that these notifications originate from, cPanel performs it's SMTP authentication as the icontact service noted in the header above.

 

In order to resolve this issue, you must work with a systems administrator that has the skills, training, and experience required to update your custom configuration to allow messages through if they have authenticated as the icontact service noted above.

 

Again, how exactly this would be accomplished is extremely variable and entirely depends on the specific setup that your server has which is why your systems administrator must perform this task.

 

If you're not sure how to start your search for a systems administrator you can start here:

System Administration Services

 

 

Related articles

Comments

0 comments

Article is closed for comments.