
Best practice for DMARC if cPanel user has migrated DNS to Cloudflare

Comments

10 comments

  • ITHKBO
    Have you tried using the dmarcian generator? Though studying DMARC, DKIM, DANE etc is highly recommended regardless.
    0
  • cPRex Jurassic Moderator
    I would agree that reading about the DMARC settings is a good plan. I don't have them memorized (yet) but they control how a message gets handled after SPF and DKIM have been scanned. Cloudflare has some good documentation on this here: so that may be a good place to start.
    0
  • eugenevdm.host
    Thanks guys so much for the replies.

    > Though studying DMARC, DKIM, DANE etc is highly recommended regardless

    > agree that reading about the DMARC settings is a good plan

    I don't think I am expressing myself properly in the context of the problem I am trying to solve. The facts are:

    - WHM doesn't generate a DMARC record by default
    - WHM generates SPF and DKIM by default
    - The wizard recommended by @ITHKBO, Dmarcian, seems to be a paid service for the analysis of DMARC failures
    - I have over 100 client domains on my system and I need universal, generic advice

    I have written over 500 hosting articles and I'm sure with time I'll also become a DMARC expert. What I am asking is this:

    - What is best practice DMARC for a WHM server with 100 client domains? I can't run that wizard for 100 domains.
    - Does it seem valid to copy the DKIM and SPF "as is" to the Cloudflare DNS and then add some kind of "universal" DMARC record? Or do I really have to customize it specifically for this client? Do I really have to analyze failures every time? For 100 clients?

    Thanks again for responding, community support really means a lot to me.
    0
  • mtindor
    Use at least a default generic DMARC record (but only if your domains have SPF records and/or are DKIM signing):

    `v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400`

    DMARC should pass if SPF or DKIM signing pass. In your previous example though, SPF passed but DMARC didn't. At any rate, don't publish DMARC records unless you are publishing valid SPF / DKIM records, if you want the best outcome.
    0
  • eugenevdm.host
    Hi @mtindor, thank you so much. I have since also discovered `dmarc@example.com;ruf=mailto:dmarc@example.com`. The article has a typo: the `ruf=` needs to have `mailto:` but that's missing. Anyway, it seems I have some sane defaults now and I'm carrying on with testing. Just to be clear:

    > ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...

    Our system is at defaults. By default WHM publishes SPF and DKIM records. We migrated those to Cloudflare but got stuck on the DMARC. Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and the only clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.
    0
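The generic record mtindor suggested and the missing `mailto:` typo mentioned above are both things a small checker can catch, and the "SPF passed but DMARC didn't" case comes down to alignment between the From domain and the domain SPF or DKIM actually authenticated. The following is an added example written for this thread, not code from cPanel, Cloudflare, dmarcian or any poster: it parses a DMARC TXT record (rejecting `rua`/`ruf` URIs without `mailto:`) and evaluates the DMARC result from constructed SPF and DKIM outcomes. The domains, records and authentication results are constructed, and `TWO_LABEL_SUFFIXES` is a tiny stand-in for the Public Suffix List that real evaluators consult.

```python
"""DMARC record sanity check and alignment evaluation (RFC 7489 logic, simplified).

Added example for this thread, not code from cPanel, Cloudflare or any poster.
Domains, records and authentication results below are constructed.
"""

# Stand-in for the Public Suffix List: just enough two-label suffixes for this example.
TWO_LABEL_SUFFIXES = {"co.za", "co.uk", "com.au"}


def org_domain(domain: str) -> str:
    """Return the organizational domain (simplified PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and reject the mistakes that matter."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                raise ValueError(f"{tag}= URI {uri!r} lacks the mailto: scheme")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' (default) the same org domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_evaluate(record, from_domain, spf_result, envelope_domain, dkim_result, dkim_domain):
    """Return (result, disposition); disposition is the policy a receiver applies on failure.

    DMARC passes when either SPF or DKIM passed AND the domain it authenticated
    aligns with the RFC5322.From domain. pct= sampling is not modelled here.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, envelope_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    # sp= overrides p= for subdomains of the organizational domain
    if org_domain(from_domain) != from_domain.lower().rstrip(".") and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


GENERIC = "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"

if __name__ == "__main__":
    # Constructed scenario: From is the client's domain, but the envelope sender (Return-Path)
    # is the hosting server's hostname, so SPF passes for the wrong domain and nothing is DKIM signed.
    print(dmarc_evaluate(GENERIC, "healinglight.co.za", "pass", "host-server.example.com", "none", None))
    # Same message once the envelope sender matches the From domain.
    print(dmarc_evaluate(GENERIC, "healinglight.co.za", "pass", "healinglight.co.za", "none", None))
```

The first call is the failure pattern a Google `Authentication-Results` header shows as `spf=pass ... dmarc=fail`: SPF is fine, but for a different domain than the one in From. With `p=none` the disposition is still `none`, which is why a monitoring-only record is the safe first step across many client domains; tightening to `quarantine` or `reject` only makes sense once aggregate reports show aligned mail passing.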
  • Spirogg
    > Hi @mtindor, thank you so much. I have since also discovered `dmarc@example.com;ruf=mailto:dmarc@example.com`. The article has a typo: the `ruf=` needs to have `mailto:` but that's missing. Anyway, it seems I have some sane defaults now and I'm carrying on with testing. Just to be clear:
    >
    > > ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...
    >
    > Our system is at defaults. By default WHM publishes SPF and DKIM records. We migrated those to Cloudflare but got stuck on the DMARC. Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and the only clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.

    Not sure if this may help you, but I did a search about this on Google and found this; it shows some interesting information. Not sure if you saw this already or not. Some errors show up; not sure how you would fix them, but at least there is some insight on this page.
    0
  • RoseHosting
    By default, cPanel creates a 'default' DKIM selector. It seems your domain healinglight.co.za DKIM is not working, hence the DMARC fail.
    0
  • eugenevdm.host
    I am so grateful for all these replies, which helped me persevere to fix the problem. In the end it appears there were two problems.

    1. DMARC failing because WordPress + WooCommerce sends the incorrect reply-to address. The client's reply-to address is info@healinglight.co.za but WordPress defaults to healingl@host-server.example.com. Once I added this to `functions.php`, DMARC started passing!

    ```php
    // Make the envelope sender (Return-Path) match the From header,
    // so the domain SPF authenticates is the one DMARC aligns against.
    class email_return_path {
        function __construct() {
            add_action( 'phpmailer_init', array( $this, 'fix' ) );
        }

        function fix( $phpmailer ) {
            $phpmailer->Sender = $phpmailer->From;
        }
    }
    new email_return_path();
    ```

    @RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.

    2. It appears when the client migrated their DNS to CloudFlare, CloudFlare might have done an automatic import. It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.

    Thanks again for all the help.
    0
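Point 2 above is worth a concrete check, because it explains why RoseHosting saw DKIM not working: a DKIM public key record is longer than the 255-byte limit of a single TXT string, so a zone file stores it as several quoted strings that DNS clients concatenate, and an importer that keeps only the first string (or otherwise mangles the split) leaves a record whose `p=` value is not a valid key. The following is an added example for this thread, not WHM, BIND or Cloudflare code: it renders a long TXT value as zone-file rdata, joins such rdata back into one value, and classifies the resulting DKIM record. `KEY_DER` is a constructed fake DER blob sized like an RSA-2048 public key, not a real key, and the selector and record are likewise constructed.

```python
"""Reassemble a long TXT record from BIND zone-file rdata and sanity-check a DKIM key record.

Added example for this thread; not cPanel, WHM, BIND or Cloudflare code. The key bytes
and record below are constructed; KEY_DER is a fake DER blob, not a real key.
"""
import base64
import binascii
import re

MAX_STRING = 255  # one <character-string> in a TXT RR holds at most 255 bytes

# Constructed fake "public key": a DER SEQUENCE header followed by zero bytes,
# sized like an RSA-2048 SubjectPublicKeyInfo (294 bytes -> 392 base64 chars).
KEY_DER = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)
KEY_B64 = base64.b64encode(KEY_DER).decode("ascii")
DKIM_RECORD = "v=DKIM1; k=rsa; p=" + KEY_B64


def split_for_zone(record: str, limit: int = MAX_STRING) -> str:
    """Render a long TXT value as a zone file must: several quoted strings in parentheses."""
    chunks = [record[i:i + limit] for i in range(0, len(record), limit)]
    return "( " + "\n  ".join(f'"{c}"' for c in chunks) + " )"


_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def join_zone_txt(rdata: str) -> str:
    """Concatenate the quoted strings of a TXT rdata; resolvers present them as one value."""
    parts = [m.group(1).replace('\\"', '"').replace("\\\\", "\\")
             for m in _QUOTED.finditer(rdata)]
    return "".join(parts)


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DKIM record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(txt: str) -> str:
    """Classify a DKIM key record: 'ok', or a short reason it cannot verify signatures."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        return "bad-version"
    if "p" not in tags:
        return "missing-p"
    key = "".join(tags["p"].split())  # RFC 6376 permits folding whitespace inside the base64
    if key == "":
        return "revoked"  # an empty p= means the key has been revoked
    try:
        der = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"  # truncated or corrupted during import
    if not der or der[0] != 0x30:
        return "not-der"  # a public key is a DER SEQUENCE, which starts with 0x30
    return "ok"


if __name__ == "__main__":
    rdata = split_for_zone(DKIM_RECORD)
    print(rdata)
    print("joined record:", check_dkim_record(join_zone_txt(rdata)))
    # What a sloppy import leaves behind: only the first quoted string survives.
    first_only = join_zone_txt(rdata.splitlines()[0])
    print("first string only:", check_dkim_record(first_only))
```

To apply the same check against a live zone, fetch the selector's TXT record (for cPanel's default selector that is `default._domainkey.<domain>`), join the returned strings exactly as `join_zone_txt` does, and feed the result to `check_dkim_record`; anything other than `ok` means signatures made with that selector will fail and DMARC will have to rely on SPF alignment alone.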
  • cPRex Jurassic Moderator
    I'll make sure that article gets updated! We also have this one that talks about creating the actual record, but it seems you were able to get this working:
    0
  • mtindor
    > I am so grateful for all these replies, which helped me persevere to fix the problem. In the end it appears there were two problems.
    >
    > 1. DMARC failing because WordPress + WooCommerce sends the incorrect reply-to address. The client's reply-to address is info@healinglight.co.za but WordPress defaults to healingl@host-server.example.com. Once I added this to `functions.php`, DMARC started passing!
    >
    > ```php
    > // Make the envelope sender (Return-Path) match the From header,
    > // so the domain SPF authenticates is the one DMARC aligns against.
    > class email_return_path {
    >     function __construct() {
    >         add_action( 'phpmailer_init', array( $this, 'fix' ) );
    >     }
    >
    >     function fix( $phpmailer ) {
    >         $phpmailer->Sender = $phpmailer->From;
    >     }
    > }
    > new email_return_path();
    > ```
    >
    > @RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.
    >
    > 2. It appears when the client migrated their DNS to CloudFlare, CloudFlare might have done an automatic import. It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.
    >
    > Thanks again for all the help.

    Believe it or not, I was going to point both of those things out to you days ago. But I was not 100% sure that the envelope sender was being used (which would mean it wasn't being DKIM signed). I should have posted it anyway. I'm glad you were able to figure it out on your own and get things working!

    Mike
    0
