spf_installer behaviour
Hello,
I'm seeing strange behaviour with the spf_installer script.
Existing account SPF records for primary domain and alias domain:
v=spf1 mx ip4:1.1.1.1 ip4:2.2.2.2 ~all
v=spf1 +a mx ip4:1.1.1.1 +include:spf.domain.net -all
Then I run: /usr/local/cpanel/bin/spf_installer username 'include:spf.domain.net' 0 1 1 and both of the above SPF entries are replaced with the following:
v=spf1 +a +mx +ip4:1.1.1.1 +include:spf.domain.net +include:spf.domain.net -all
v=spf1 +a +mx +ip4:1.1.1.1 +include:spf.domain.net +include:spf.domain.net -all
Am I using it wrong? The preserve option doesn't appear to work at all and the script is adding the new entry multiple times. It seems very buggy! Thanks
-
I would guess your problems stem from the use of the final '1' (the preserve flag) in your command which is appending to the original SPF value as opposed to overwriting (final '0') it. The errors that you have with the alias domain seem to stem from the SPF records being treated as having the same value. I can see no way of defining distinct SPF for a domain alias as opposed to a parent domain, so manual editing might be required after running the script if necessary. Full instructions from 0 -
Thanks for your response. I want to append to the original SPF value though. I want to append "include:spf.domain.net" to every domain's SPF record on the server without altering any other portion of the existing record, ideally where that portion doesn't already exist but I guess it's fine if it's appended twice. Is this possible? Right now, the first record is being overwritten with a completely different record, unrelated to the original record and not even the server's default SPF record (+a added, ip4:2.2.2.2 removed, -all changed to ~all, the policy being appended twice for some reason). If I set the overwrite option to "0", the record doesn't get touched at all. 0 -
Hello @Haym, You are using "1" for the "overwrite" variable, which will replace the user's current SPF records. You should use "0" for this value if you want to append an entry to the existing SPF record. For example:
Initial SPF record:
cptest01.tld. IN TXT "v=spf1 +a +mx +ip4:10.1.1.1 ~all"
Run the following command:
/usr/local/cpanel/bin/spf_installer cptest01 "+include:123.tld" 0 0 1
New SPF record:
cptest01.tld. IN TXT "v=spf1 +a +mx +ip4:10.1.1.1 +include:123.tld ~all"
Thank you. 0 -
Sorry to query this Michael, but the docs page states:
Whether to add the new set of keys to the existing records.
- A value of 1 indicates that you wish to append the policy option's value to the user's current SPF records.
- A value of 0 indicates that you wish to replace the user's current SPF record with the policy option's value.
Are you suggesting this is actually the other way round? 0 -
Hi @rpvw, I'm seeing the behavior described in the document when testing. When the "preserve" variable is set to "1", it appends the policy option's variable to the user's current SPF records. If the "preserve" variable is set to "0", it replaces the entry instead of appending it. Thank you. 0 -
Hello, This doesn't work.
Command:
/usr/local/cpanel/bin/spf_installer demouser 'include:spf.domain.net' 0 0 1
Alias record before running command:
v=spf1 mx ip4:1.1.1.1 ip4:2.2.2.2 ~all
Primary domain record before running command:
v=spf1 +a mx ip4:1.1.1.1 +include:spf.domain.net -all
Alias record unchanged after running command:
v=spf1 mx ip4:1.1.1.1 ip4:2.2.2.2 ~all
Primary domain record has the "include" part unnecessarily appended after running command:
v=spf1 +a +mx +ip4:1.1.1.1 +include:spf.domain.net +include:spf.domain.net -all
For clarity, I also tried running the command using '+include:spf.domain.net' but this didn't work either. Anyway, I'm 99% of the way to resolving the issue using the API, just running into an issue which I'll open another thread to discuss. Thanks 0 -
The topic mentioned in my previous post regarding API issues has been opened here: New Thread - whmapi1 editzonerecord "+" character 0 -
Hello @Haym, Are you using a custom zone template with an SPF txt entry on this system? If so, could you verify if you notice the same behavior without the custom zone template enabled? Also, what version of cPanel is installed on this server?
Primary domain record has the "include" part unnecessarily appended after running command:
There's no condition to prevent appending a new policy rule if the same rule already exists. You'd have to enable the "overwrite" and "complete" variables while entering the full SPF policy that you want to use in the zone to prevent that from happening. Thank you. 0 -
I am using a custom template with the SPF entry and it's cPanel v64. I am unable to test with the custom zone file disabled at this time unfortunately but will report back to this thread if I get a chance so that others experiencing the problem can see if this was the cause. In the meantime, I've written a quick script to add the policy I want for any SPF records which don't have the policy already. Thanks! 0 -
So as mentioned, I've written a quick script to inject the required policy to all SPF records for each zone on our servers. I'm sharing it here for anyone else who needs to append a new SPF record across their server and has trouble using cPanel's spf_installer script. It's PHP (no comments please!) and quickly hacked together for our own use case but should do the job for appending any policy. The script simply checks over each zone file for SPF records and if the required policy doesn't exist, adds it. The changes are done using the WHM API rather than editing any zone files directly, so it should be safe for the future and with the different DNS server options. Of course check over the script yourself and run in a test environment etc first. I don't take any responsibility if the script messes up zone files on your system because your use case has been overlooked!
[PHP]
<?php
// Assumption: the first lines of the script were lost from this page. The policy
// value and the listzones call below are reconstructed from the surviving code.
define('POLICY_REQUIRED', '+include:spf.domain.net');

$zones = null;
exec('whmapi1 listzones --output=jsonpretty', $zones);
$zones = json_decode(implode(PHP_EOL, $zones), true);
$zones = array_column($zones['data']['zone'], 'domain');

// Loop over the zones to process.
foreach ($zones as $domain) {
    $zone = null;
    // escapeshellarg() keeps a zone name from being interpreted by the shell.
    exec('whmapi1 dumpzone domain=' . escapeshellarg($domain) . ' --output=jsonpretty', $zone);
    $zone = implode(PHP_EOL, $zone);
    $zone = json_decode($zone, true);
    $zone = $zone['data']['zone'][0]['record'];

    // Loop over the zone's lines to check for an SPF record.
    foreach ($zone as $record) {
        if ($record['type'] == 'TXT' && strpos($record['txtdata'], 'v=spf1 ') === 0) {
            echo "Found SPF for {$domain} on Line {$record['Line']} ({$record['name']}):" . PHP_EOL;
            echo ' - Existing:' . PHP_EOL;
            echo ' ' . $record['txtdata'] . PHP_EOL;

            // Skip if the required policy already exists.
            if (strpos($record['txtdata'], ' ' . POLICY_REQUIRED . ' ') !== false) {
                echo ' - The required policy exists, skipping.' . PHP_EOL . PHP_EOL;
                continue;
            }

            // Inject the required policy before the closing "all" term.
            $updated_record = preg_replace('/(.+) ([\?~-]{1}all)/', '$1 ' . POLICY_REQUIRED . ' $2', $record['txtdata']);
            echo ' - Applying policy:' . PHP_EOL;
            echo ' ' . $updated_record . PHP_EOL . PHP_EOL;

            // The record must be urlencoded first.
            $updated_record = urlencode($updated_record);

            // Edit the zone file; every value is quoted for the shell.
            $command = 'whmapi1 editzonerecord'
                . ' domain=' . escapeshellarg($domain)
                . ' line=' . escapeshellarg((string) $record['Line'])
                . ' name=' . escapeshellarg($record['name'])
                . ' class=' . escapeshellarg($record['class'])
                . ' ttl=' . escapeshellarg((string) $record['ttl'])
                . ' type=' . escapeshellarg($record['type'])
                . ' txtdata=' . escapeshellarg($updated_record)
                . ' unencoded=1';
            exec($command);

            // Not necessary but nice to leave a breather for monitoring!
            sleep(1);
        }
    }
}
[/PHP]
0 -
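Added example, not part of the original post and not cPanel's code: a shell function that adds one mechanism to an SPF record only when it is absent under any qualifier, placing it before the terminal "all" term, which is the duplicate-append case discussed in this thread. The function name is hypothetical and the sample records are the ones quoted in the first post.

```shell
#!/bin/sh
# spf_add_mechanism RECORD MECHANISM   (hypothetical helper name)
# Prints RECORD with MECHANISM inserted before the terminal "all" term, or
# RECORD unchanged when the same mechanism is already present.
spf_add_mechanism() {
    record=$1
    want=${2#+}            # "+" is the default qualifier, so +x equals x
    out=
    inserted=0

    case $record in
        "v=spf1 "*) ;;
        *) printf '%s\n' "$record"; return 1 ;;   # not SPF: leave untouched
    esac

    set -f                 # no glob expansion while splitting into terms
    for term in $record; do
        bare=${term#[-+~?]}        # drop the qualifier before comparing
        if [ "$bare" = "$want" ]; then
            set +f
            printf '%s\n' "$record"   # present already: nothing to do
            return 0
        fi
        if [ "$bare" = all ] && [ "$inserted" -eq 0 ]; then
            out="$out $2"             # insert ahead of ~all / -all / ?all
            inserted=1
        fi
        out="$out $term"
    done
    set +f
    [ "$inserted" -eq 1 ] || out="$out $2"   # no "all" term: append at end
    printf '%s\n' "${out# }"
}

# Sample input: the alias and primary records from the first post.
spf_add_mechanism 'v=spf1 mx ip4:1.1.1.1 ip4:2.2.2.2 ~all' 'include:spf.domain.net'
spf_add_mechanism 'v=spf1 +a mx ip4:1.1.1.1 +include:spf.domain.net -all' 'include:spf.domain.net'
```

Comparing terms with the qualifier stripped catches a record that already carries the mechanism as either "include:..." or "+include:...", which a plain substring match on one spelling misses.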
I would like to change SPF records for a select number of domains saved at '/etc/antispamdomains'. Any way of doing this? The domains are in hundreds so editing individual domains in WHM is not feasible. 0 -
There's no existing custom command for this action, as the SPF installer script is used on a per-account basis as opposed to a per-domain basis. Are you able to populate a file that includes a list of account usernames as opposed to domain names? Thank you. 0 -
Thanks for the reply. I would still achieve my objective if I got a command or script which changes SPF for selected cPanel users only, with the respective usernames saved in a directory called '/etc/antispamdomainusers' or something of the sort. Any guide on that? I know the challenge will be the addon and parked domains which I don't wish to include. I only want to change for main account domains. 0 -
Hello @Shawn Paul, You could run the "spf_installer" script referenced on this post for each username in that text file with a loop command: spf_installer behaviour Discussion on examples of how to loop a command are discussed on the following third-party URL: How do you run a command for each line of a file? Thank you. 0 -
I know this is a very old thread, but I ran into the same issue and wanted to share what I found.
The spf_installer script does not update aliases or subdomains — it only updates the main domain.
Workaround (Via WHM)
- Go to WHM → Exim Configuration Manager → Basic Editor
- Set your SPF value under “SPF include hosts for all domains on this system”
- Save the configuration
This will update the DNS records for all domains, aliases, and subdomains — both locally and across the DNS Cluster.
Alternative: via SSH
You can achieve the same result from the command line:
sed -i '/^spf_include_hosts=/d' /etc/exim.conf.localopts
echo "spf_include_hosts=$YOUR_SPF" >> /etc/exim.conf.localopts
/scripts/buildeximconf
/usr/local/cpanel/bin/servers_queue queue update_all_users_spf_records
Reference for the last command:
https://support.cpanel.net/hc/en-us/community/posts/19138997608471-SPF-record-showing-main-shared-ip-not-a-custom-ip-address
Hope this helps.
0 -