Default settings for SPF on new domains

Comments

12 comments

  • cPanelLauren
    made a typo, which I have to manually fix after a new account is added.

    What is the error, i.e., in what part of the SPF record? Most of this data is obtained automatically with a few exceptions. The SPF Include is one of these and is in WHM>>Server Configuration>>Tweak Settings
    0
  • unco
    Hi - I finally remembered where the issue is presenting itself. When I modify an account or create a new one, at the bottom, there is this:

    _ Enable DKIM on this account.
    _ Enable SPF on this account. (v=spf1 +a +mx +ip4:x.x.x.x include:something.com ~all)

    I've been looking for the place to fix "something.com," which should be "spf.something.com." If you can point me there, I would be grateful!

    Thanks, Beth
    0
  • cPanelLauren
    Yep! The include is able to be modified in WHM>>Service Configuration>>Exim Configuration Manager -> Mail -> SPF Include Hosts for all domains on this system
    0
  • unco
    I think I may need to open a ticket with support. I went to each of the servers and the SPF Include Hosts settings are all set to none. Hmm. Thanks!
    0
  • unco
    I wonder if it may have something to do with this setting, which is on by default?

    Autodiscovery SPF include hosts from the smarthost route list
    The system will check each label in the smarthost route list for SPF entries and add an include entry to the SPF records. For example, if the smarthost routelist is set to "* outbound.example.tld" and an SPF record exists for "example.tld", the system adds an SPF include entry for all domains on the system with SPF enabled.

    I grepped for the errant hostname in /etc, but it doesn't show up anywhere. :(
    0
  • cPanelLauren
    If it's not set there I'm not sure where it would be obtaining that information from. What's in /etc/exim.conf.local?
    0
  • unco
    For the whole server, I am using spamexperts outbound filtering (smarthost). There are some exceptions for folks that use services such as mailgun or sendgrid, etc. Here's /etc/exim/conf.local

        %RETRYBLOCK%
        +secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
        * * F,2h,15m; G,16h,1h,1.5; F,4d,8h
        @AUTH@
        #Section: AUTH
        #Smart Host Sending
        sendbysmarthosts:
          driver = plaintext
          public_name = LOGIN
          hide client_send = : ${extract{user}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}: ${extract{pass}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
        @BEGINACL@
        @config@
        hostlist selist = ${lookup dnsdb{>: a=delivery.antispamcloud.com}}
        hostlist smart_hosts = lsearch;/etc/smarthosts
        hostlist trustedmailhosts = +selist : lsearch;/etc/trustedmailhosts
        chunking_advertise_hosts = ""
        message_size_limit = 150M
        openssl_options = +no_sslv2 +no_sslv3
        tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
        @DIRECTOREND@
        @DIRECTORMIDDLE@
        @DIRECTORSTART@
        @ENDACL@
        @POSTMAILCOUNT@
        @PREDOTFORWARD@
        @PREFILTER@
        @PRELOCALUSER@
        @PRENOALIASDISCARD@
        @PREROUTERS@
        #Section: PREROUTERS
        #Smart Host Sending
        sendbysmarthostsrouter:
          driver = manualroute
          domains = ! +local_domains
          condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/exim_smarthosts}{$value}}}{}{false}{true}}"
          ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
          headers_add = "${perl{mailtrapheaders}}"
          transport = sendbysmarthoststransport
          route_list = * ${extract{smtp}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
        @PREVALIASNOSTAR@
        @PREVALIASSTAR@
        @PREVIRTUALUSER@
        @RETRYEND@
        @RETRYSTART@
        @REWRITE@
        @ROUTEREND@
        @ROUTERMIDDLE@
        @ROUTERSTART@
        smarthost_dkim:
          driver = manualroute
          domains = !"+local_domains +smart_hosts"
          condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
          ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
          headers_add = "${perl{mailtrapheaders}}"
          require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
          transport = remote_smtp_smart_dkim
          route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
          # route_list = * "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
        smarthost_regular:
          driver = manualroute
          domains = !"+local_domains +smart_hosts"
          condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
          ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
          headers_add = "${perl{mailtrapheaders}}"
          transport = remote_smtp_smart_regular
          route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
          # route_list = * "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
        @TRANSPORTEND@
        @TRANSPORTMIDDLE@
        @TRANSPORTSTART@
        #Section: TRANSPORTSTART
        #Smart Host Sending
        sendbysmarthoststransport:
          driver = smtp
          port = ${extract{port}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
          hosts_require_auth = $host_address
          # hosts_require_tls = $host_address
        remote_smtp_smart_dkim:
          driver = smtp
          #hosts_require_tls = *
          interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
          helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
          dkim_domain = $sender_address_domain
          dkim_selector = default
          dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
          dkim_canon = relaxed
        remote_smtp_smart_regular:
          driver = smtp
          #hosts_require_tls = *
          interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
          helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
    0
  • cPanelLauren
    I think you're very much right in your assumption with the Autodiscovery. Is the domain being added to the SPF include a domain you recognize? It's checking the routelist but yours isn't as straightforward as /etc/staticroutes
    route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
    Did you try something like: grep -ir "domain.tld" /etc/
    0
  • unco
    Yes, I did that. Could it be stashed in a database? I'm not sure how much stuff is stored in databases, or if only flat files are used?
    0
  • cPanelLauren
    I don't believe it would be something from a database. Is the domain that's listed one you recognize?
    0
  • unco
    Sure. It's "antispamcloud.com," when it should be "spf.antispamcloud.com."
    0
  • unco
    I contacted support on this issue. It has been resolved by turning off Autodiscovery SPF include hosts from the smarthost route list. Even though the actual hostname in question wasn't in there, it worked! We can mark this one solved.
    0
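
Added example (not part of the thread and not cPanel's code): a Python check for the kind of problem discussed above, an SPF include: that names a domain publishing no SPF record of its own, which receivers evaluate as permerror under RFC 7208. The TXT data and the names customer.example, fixed.example, filter.example and spf.filter.example are constructed placeholders; replace sample_lookup with a real DNS TXT query to audit live domains.

```python
import re

# Constructed TXT data standing in for DNS answers (placeholder names).
SAMPLE_TXT = {
    "customer.example": ["v=spf1 +a +mx +ip4:192.0.2.10 include:filter.example ~all"],
    "fixed.example": ["v=spf1 +a +mx +ip4:192.0.2.10 include:spf.filter.example ~all"],
    "filter.example": ["site-verification=constructed"],  # TXT exists, but no SPF
    "spf.filter.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

def sample_lookup(domain):
    """Offline stand-in for a TXT query; returns a list of strings."""
    return SAMPLE_TXT.get(domain.lower().rstrip("."), [])

def spf_records(domain, txt_lookup):
    """All TXT strings at domain that are SPF records (version tag v=spf1)."""
    return [t for t in txt_lookup(domain) if t.lower().split(" ")[0] == "v=spf1"]

def include_targets(record):
    """Domains named by include: mechanisms, any qualifier, macros not expanded."""
    targets = []
    for term in record.split()[1:]:
        match = re.fullmatch(r"[+\-~?]?include:(\S+)", term, re.IGNORECASE)
        if match:
            targets.append(match.group(1).rstrip(".").lower())
    return targets

def audit_includes(domain, txt_lookup=sample_lookup, expected=None):
    """Return (name, problem) findings for domain's SPF includes; [] means clean."""
    records = spf_records(domain, txt_lookup)
    if len(records) != 1:
        return [(domain, f"{len(records)} SPF records, exactly one required")]
    findings = []
    for target in include_targets(records[0]):
        count = len(spf_records(target, txt_lookup))
        if count != 1:
            # RFC 7208 section 5.2: the included check returns none or
            # permerror, so the include itself evaluates to permerror.
            findings.append((target, f"{count} SPF records, include gives permerror"))
        elif expected is not None and target not in expected:
            findings.append((target, "publishes SPF but is not an expected include"))
    return findings

if __name__ == "__main__":
    for name in ("customer.example", "fixed.example"):
        print(name, audit_includes(name) or "clean")
```

Passing expected (a set of include hosts you intend to publish) also flags includes that resolve correctly but were added by something other than you, such as an autodiscovery setting.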
