Best practice for DMARC if cPanel user has migrated DNS to Cloudflare
See the screenshot below.
My client decided to migrate his DNS to Cloudflare and now he is having a world of trouble sending emails to `@gmail` users from his WooCommerce enabled WordPress site.
By using the menu "Show original" in Gmail we can indeed see there is a problem. DMARC is failing.
I'm completely overwhelmed by the number of options DMARC presents - all I really want are some sane defaults.
It appears that WHM doesn't present default DMARC records, and when you use the add DMARC DNS option you end up with this incredibly complex string:
v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400
We are not even sure if this is the problem, but to alleviate the pain we copied the WHM generated SPF record and then also tried copying the WHM generated DKIM record to Cloudflare. Still no joy. Does anyone know what I can try next? Do I really have to study adkim, aspf, fo, ri and all that jazz, or is there a sane default for the +100 domains on my server?
Have you tried using the dmarcian generator? Though studying DMARC, DKIM, DANE etc. is highly recommended regardless.
I would agree that reading about the DMARC settings is a good plan. I don't have them memorized (yet) but they control how a message gets handled after SPF and DKIM have been scanned. Cloudflare has some good documentation on this here: so that may be a good place to start.
Thanks guys so much for the replies.

> Though studying DMARC, DKIM, DANE etc is highly recommended regardless
> agree that reading about the DMARC settings is a good plan

I don't think I am expressing myself properly in the context of the problem I am trying to solve. The facts are:
- WHM doesn't generate a DMARC record by default
- WHM generates SPF and DKIM by default
- The wizard recommended by @ITHKBO (Dmarcian) seems to be a paid service for the analysis of DMARC failures
- I have over 100 client domains on my system and I need universal, generic advice

I have written over 500 hosting articles and I'm sure with time I'll also become a DMARC expert. What I am asking is this:
- What is best practice DMARC for a WHM server with 100 client domains? I can't run that wizard for 100 domains.
- Does it seem valid to copy the DKIM and SPF "as is" to the Cloudflare DNS and then add some kind of "universal" DMARC record? Or do I really have to customize it specifically for this client? Do I really have to analyze failures every time? For 100 clients?

Thanks again for responding, community support really means a lot to me.
Use at least a default generic DMARC record (but only if your domains have SPF records and/or are DKIM signing): `v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400`. DMARC should pass if SPF or DKIM signing pass. In your previous example though, SPF passed but DMARC didn't. At any rate, don't publish DMARC records unless you are publishing valid SPF / DKIM records, if you want the best outcome.
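The situation mtindor describes (SPF passes, DMARC still fails) is explained by identifier alignment in RFC 7489: DMARC does not ask whether SPF or DKIM passed in isolation, but whether the domain SPF authenticated (the envelope sender / Return-Path, shown as `smtp.mailfrom=` in Gmail's Authentication-Results header) or the DKIM `d=` domain aligns with the header From: domain. The following is an added example for this thread, not code from any poster or from cPanel or Cloudflare; the hosting-server domain `host-server.example.com` and the tiny public-suffix table are constructed for illustration.

```python
"""Minimal DMARC identifier-alignment evaluation (RFC 7489 sections 3.1 and 6.6.2).
Added example for this thread, not code from any poster or from cPanel/Cloudflare.
The public-suffix table and the host-server.example.com domain are constructed."""
from dataclasses import dataclass, field

# Constructed, deliberately tiny stand-in for the Public Suffix List. A real
# implementation must use the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "za", "co.za"}


def organizational_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])               # fallback when nothing in the table matches


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC5322.From header the recipient sees
    spf_result: str                  # "pass", "fail", "none", ...
    spf_domain: str                  # RFC5321.MailFrom (Return-Path) domain SPF was checked against
    dkim_results: list = field(default_factory=list)  # (result, d= domain) per signature; empty if unsigned


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one authenticated identifier is aligned with the From: domain."""
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(d, r.from_domain, adkim)
                       for res, d in r.dkim_results)
    return {"dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


# Constructed scenarios modelled on the thread.
# Before the fix: WordPress used healingl@host-server.example.com as envelope sender. The
# server's SPF record covers its own IP, so Gmail shows spf=pass, but the authenticated
# domain is the hosting server's, not the From: domain, and nothing was DKIM-signed.
BEFORE = AuthResults("healinglight.co.za", "pass", "host-server.example.com")
# After forcing PHPMailer's Sender to equal From: the envelope domain is now aligned.
AFTER = AuthResults("healinglight.co.za", "pass", "healinglight.co.za")
# Alternative route: envelope still mismatched, but a valid DKIM signature with d= the From domain.
DKIM_ONLY = AuthResults("healinglight.co.za", "pass", "host-server.example.com",
                        [("pass", "healinglight.co.za")])

if __name__ == "__main__":
    for name, case in (("before", BEFORE), ("after", AFTER), ("dkim-only", DKIM_ONLY)):
        print(name, dmarc_evaluate(case))
```

When reading Gmail's "Show original", compare the domain after `smtp.mailfrom=` (next to the `spf=` result) and the `header.d=` value (next to `dkim=`) against the From: domain: if the SPF domain is the hosting server's and there is no `dkim=` line at all, this is exactly the unaligned case that the model above reports as `fail`, regardless of `p=`, `adkim` or `aspf` settings. Relaxed alignment (`adkim=r; aspf=r`, the defaults) already accepts subdomains of the organizational domain, so the generic record quoted above is not what needs changing in that situation.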
Hi @mtindor, thank you so much. I have since also discovered dmarc@example.com;ruf=mailto:dmarc@example.com The article has a typo: the `ruf=` needs to have `mailto:` but that's missing. Anyway, it seems I have some sane defaults now and I'm carrying on with testing. Just to be clear:

> ...don't publish DMARC records unless you are publishing valid SPF / DKIM records...

Our system is at defaults. By default WHM publishes SPF and DKIM records. We migrated those to Cloudflare but got stuck on the DMARC. Will keep on updating this post. Our client has WooCommerce orders failing to end up in inboxes and the only clue I have is that Google header information. I added myself to `rua` and `ruf` so perhaps I'll get some clues sent there.
Not sure if this may help you, but I did a search about this on Google and found this; it shows some interesting information. Not sure if you saw this already or not. Some errors show up; not sure how you would fix them, but at least there is some insight on this page.
By default, cPanel creates a 'default' DKIM selector. It seems your domain healinglight.co.za DKIM is not working, hence the DMARC fail.
I am so grateful for all these replies which helped me persevere to fix the problem. In the end it appears there were two problems.

1. DMARC failing because WordPress + WooCommerce sends the incorrect reply-to address. The client's reply-to address is info@healinglight.co.za but WordPress defaults to healingl@host-server.example.com. Once I added this to `functions.php` DMARC started passing!

```php
// Force the envelope sender (Return-Path) to be the same address as From:, so
// SPF is evaluated against the client's own domain and aligns for DMARC.
class email_return_path {
    function __construct() {
        // PHPMailer fires this hook before every message is sent.
        add_action( 'phpmailer_init', array( $this, 'fix' ) );
    }
    function fix( $phpmailer ) {
        // Sender is PHPMailer's envelope-from; From is the header From address.
        $phpmailer->Sender = $phpmailer->From;
    }
}
new email_return_path();
```

@RoseHosting correctly identified that there is something wrong with the DKIM. This should have been obvious to me because Google's headers never showed any DKIM info.

2. It appears that when the client migrated their DNS to Cloudflare, Cloudflare might have done an automatic import. It furthermore appears that the way BIND zones are constructed in WHM when TXT records are long is to add an extra line break in the UI, and that perhaps Cloudflare doesn't import them correctly.

Thanks again for all the help.
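The second finding above is worth checking mechanically rather than by eye. A TXT record's RDATA is a sequence of `<character-string>`s of at most 255 octets each (RFC 1035), so WHM/BIND has to write a 2048-bit DKIM key as two quoted strings on one record, and RFC 6376 section 3.6.2.2 requires the consumer to concatenate those strings with no intervening whitespace. An importer that keeps only the first string, or treats the break as the end of the record, leaves a `p=` value that is not even valid base64. The following is an added example for this thread, not code from any poster, cPanel or Cloudflare; the key bytes are a constructed placeholder, not a real key.

```python
"""Long TXT records (e.g. DKIM keys) as BIND zone files carry them: split into
255-octet <character-string>s and reassembled by the consumer (RFC 1035; RFC 6376 3.6.2.2).
Added example for this thread; the key bytes below are a constructed placeholder, not a real key."""
import base64
import binascii
import re

MAX_CHUNK = 255  # RFC 1035 limit for one <character-string> in TXT RDATA

# Constructed stand-in for a 2048-bit RSA SubjectPublicKeyInfo (294 bytes -> 392 base64 chars).
FAKE_KEY_B64 = base64.b64encode(bytes(range(256)) + b"x" * 38).decode("ascii")
DKIM_RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY_B64  # 410 chars, longer than one string allows

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted <character-string>, escapes allowed


def to_zone_txt(value: str) -> str:
    """Render a TXT value the way a zone file does: quoted strings of <= 255 octets."""
    chunks = [value[i:i + MAX_CHUNK] for i in range(0, len(value), MAX_CHUNK)]
    return " ".join('"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks)


def from_zone_txt(rdata: str) -> str:
    """Concatenate all quoted strings of a TXT RDATA field, with no intervening whitespace."""
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in _QUOTED.findall(rdata))


def naive_import(rdata: str) -> str:
    """Model of a broken importer that keeps only the first quoted string of a multi-string TXT record."""
    parts = _QUOTED.findall(rdata)
    return parts[0] if parts else ""


def parse_dkim(record: str) -> dict:
    """Split a DKIM key record into its tag=value pairs (RFC 6376 section 3.6.1)."""
    tags = {}
    for fld in record.split(";"):
        if "=" in fld:
            k, v = fld.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dkim_key_is_intact(record: str) -> bool:
    """True when p= holds non-empty base64 that decodes cleanly; a truncated import fails here."""
    p = parse_dkim(record).get("p", "")
    if not p:
        return False
    try:
        base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    zone = to_zone_txt(DKIM_RECORD)
    print(zone)                                      # two quoted strings, as the WHM zone shows them
    print(dkim_key_is_intact(from_zone_txt(zone)))   # True: correct reassembly
    print(dkim_key_is_intact(naive_import(zone)))    # False: key cut off at the 255-octet boundary
```

To verify a migrated domain against the origin server, query the published record with `dig +short TXT default._domainkey.<domain>` at both the old nameserver and Cloudflare (`@1.1.1.1`), paste each answer into `from_zone_txt`, and compare the reassembled values; `dkim_key_is_intact` returning `False` for the Cloudflare copy is the import-truncation case. The same `p=` sanity check applies to any long TXT record copied between providers, not only DKIM.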
Believe it or not, I was going to point both of those things out to you days ago. But I was not 100% sure that the envelope sender was being used (which would mean it wasn't being DKIM signed). I should have posted it anyway. I'm glad you were able to figure it out on your own and get things working! Mike