ARC signing in Exim - enable DKIM/SPF globally - high number of zones
We would need to enable ARC signing in Exim. As a precondition, DKIM/SPF needs to be enabled globally ("If a domain currently possesses an SPF record, the system will append the appropriate IP address from the /var/cpanel/mainip file to the existing record."). I would like to know what exactly this script will do. All local mail domains have DKIM and SPF (TXT) records of course. Would the script add the mail IP a second time? Any experience with this script? Would it be possible to enable DKIM/SPF globally only for future zones?
Thank you for any hints in regards to ARC and DKIM/SPF globally.
Lautrivtas
-
Hey there! I just wanted to link the documentation page so anyone else reading this knows what we're talking about:
https://docs.cpanel.net/whm/dns-functions/enable-dkim-spf-globally/
It just adds the best DNS record possible, without manually editing any existing DKIM records that may be in place. For the SPF record, it will append the IP so the record looks like this, making both IP addresses valid for the SPF (let's assume IP 1.2.3.4 is the original IP and 4.3.2.1 was the appended IP):
domain.com. 14400 IN TXT "v=spf1 ip4:1.2.3.4 ip4:4.3.2.1 ~all"
As far as the records not being there in the first place, this would have to be manually disabled in WHM >> Tweak Settings, as there are options there for both the DKIM and SPF record creation to happen for all new accounts.
Let me know if that's what you were looking for!
0 -
Thank you for your reply. As I said already, we would need to enable ARC signing. But we can't because your script would destroy all zones on the server. For instance, we have a high number of 301-https redirect domains with a null MX record and an SPF record (spf1 -all). And we also have a number of zones using an external mailserver. Is it possible to enable ARC signing without destroying everything?
0 -
Can you let me know specifically what that script would break and why it won't work for your situation? Once I know that I might be able to recommend something else.
0 -
Null MX record domains ( RFC 7505 )
Updated SPF records with two instances of the same IP address and ~all instead of -all.
As soon as the script is touching existing SPF (TXT) records we would have to look at any of the zones hosted on the server. A nightmare. And we don't even know if all domains are affected by the script or only domains with a local MX address?
0 -
The script would not add a duplicate IP address - it would only add an additional IP if it was necessary.
You could always try this work on a test server, or take a backup of the current /var/named directory before making any changes so you could put that back quickly if you didn't like the results.
0
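An added example, not part of the original thread and not cPanel's own tooling: a Python check that compares a zone's mail records from a backup of /var/named with the current version and reports the SPF changes discussed above (a null-MX zone being touched, -all becoming ~all, added or duplicated mechanisms). The zone texts, names and 192.0.2.10 are constructed, and the "after" states are hypothetical inputs that exercise the checks, not observed output of the cPanel script.

```python
import re

# Single-line MX and TXT records in BIND-style zone text (assumption of this
# sketch: no multi-line or multi-string TXT records).
MX_RE = re.compile(r"\bIN\s+MX\s+(\d+)\s+(\S+)", re.I)
TXT_RE = re.compile(r'\bIN\s+TXT\s+"([^"]*)"', re.I)
ALL_RE = re.compile(r"^[-~+?]?all$", re.I)

def summarize_zone(zone_text):
    """Extract the mail-relevant facts of one zone: null MX flag and SPF terms."""
    body = "\n".join(l for l in zone_text.splitlines()
                     if not l.lstrip().startswith(";"))
    mx = [(int(p), t) for p, t in MX_RE.findall(body)]
    spf = [t for t in TXT_RE.findall(body) if t.lower().startswith("v=spf1")]
    return {
        "null_mx": mx == [(0, ".")],          # RFC 7505: sole MX is '0 .'
        "terms": spf[0].split()[1:] if spf else [],
    }

def drift(before_text, after_text):
    """List SPF changes between a backed-up zone and its current version."""
    b, a = summarize_zone(before_text), summarize_zone(after_text)
    if b["terms"] == a["terms"]:
        return []
    findings = []
    if b["null_mx"]:
        findings.append("SPF changed on a null-MX (RFC 7505) zone")
    b_all = [t for t in b["terms"] if ALL_RE.match(t)]
    a_all = [t for t in a["terms"] if ALL_RE.match(t)]
    if b_all != a_all:
        findings.append(f"all-qualifier changed: {b_all} -> {a_all}")
    added = [t for t in a["terms"]
             if t not in b["terms"] and not ALL_RE.match(t)]
    if added:
        findings.append(f"mechanisms added: {added}")
    dupes = sorted({t for t in a["terms"] if a["terms"].count(t) > 1})
    if dupes:
        findings.append(f"duplicate mechanisms: {dupes}")
    return findings

# Constructed sample zones (documentation names and addresses, not real data).
REDIRECT_BEFORE = 'redirect.example. 14400 IN MX 0 .\nredirect.example. 14400 IN TXT "v=spf1 -all"\n'
REDIRECT_AFTER = 'redirect.example. 14400 IN MX 0 .\nredirect.example. 14400 IN TXT "v=spf1 ip4:192.0.2.10 ~all"\n'
MAIL_BEFORE = 'mail.example. 14400 IN MX 0 mx.mail.example.\nmail.example. 14400 IN TXT "v=spf1 ip4:192.0.2.10 ~all"\n'
MAIL_AFTER = MAIL_BEFORE.replace("ip4:192.0.2.10", "ip4:192.0.2.10 ip4:192.0.2.10")

if __name__ == "__main__":
    for name, old, new in [("redirect.example", REDIRECT_BEFORE, REDIRECT_AFTER),
                           ("mail.example", MAIL_BEFORE, MAIL_AFTER)]:
        print(name, drift(old, new))
```

On a server, the two inputs to `drift` would be the backed-up and the current text of the same zone file; an empty list means the zone's SPF terms are unchanged.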