DMARC config in Zone Editor

freedomizer shared this idea 7 years ago
Completed

Having Email Authentication is very useful.


There should be an option to enable DKIM and SPF on all existing accounts (not just individually), and an option to personalize the default SPF, specifically to be able to provide an include of the server domain or custom domain, that has the valid global IPs enabled.


At the same time, a DMARC record should/could be created with a simple config of the policy and reporting address as needed.

Best Answer

This is now in a public build of version 64, 64.0.1, which is in the CURRENT tier. Update to version 64 now to take a look!

https://documentation.cpanel.net/display/64Docs/64+Release+Notes#id-64ReleaseNotes-DMARCrecords

You can also see it in action in this video on vimeo:

https://vimeo.com/198357454

If you would like to see this added to the Email Authentication page as well, feel free to add your vote on the newer feature request here:

https://features.cpanel.net/topic/add-dmarc-to-the-email-authentication-ui

Comments (37)

3

This configuration is easy to implement in your BIND records, so you don't need to wait for this feature.

4

It will need WHM template files because there is more to it than a TXT record. See http://support.google.com/a/bin/answer.py?hl=en&answer=2466580

8

It's "easy" to set up a LAMP stack. It's "easy" to create a virtual host. It's "easy" to just set up some SPF records with a TXT record.


If we didn't do anything because it's "easy" to do by hand cPanel wouldn't exist.


Wait until every user you have is getting rejects from Comcast and AOL for lack of a DMARC policy and you have 5,000 open support tickets asking you to "easily" set up DMARC for 20,000 domains and tell me it's "easy".


With more & more domains insisting on a DMARC policy this needs to be a simple one-click (or three) for cPanel so users can do it themselves. With a policy to enable with a new sign up.

1

Starting to get MORE and MORE bounced emails from our clients without DMARC entries in the DNS. We desperately need this feature.

1

It would be nice; Gmail is more restrictive every day and regular email goes to the spam folder... DMARC could help...

2

Steven Brown wrote:

It's "easy" to set up a LAMP stack. It's "easy" to create a virtual host. It's "easy" to just set up some SPF records with a TXT record.


If we didn't do anything because it's "easy" to do by hand cPanel wouldn't exist.


Wait until every user you have is getting rejects from Comcast and AOL for lack of a DMARC policy and you have 5,000 open support tickets asking you to "easily" set up DMARC for 20,000 domains and tell me it's "easy".


With more & more domains insisting on a DMARC policy this needs to be a simple one-click (or three) for cPanel so users can do it themselves. With a policy to enable with a new sign up.


Can't agree more.

Everyone knows that most config is just text files, but cPanel is great for the time it saves.

If this is getting required more often, cPanel needs to address this ASAP.


If host admins like us didn't want to save time and effort, we wouldn't need cPanel at all.

1

From what I have read it makes a lot of sense to support DMARC, which comes in addition to SPF and DKIM. All 3 seem complementary.

2

I would expand on this request and ask that DMARC checking via Exim be supported.


https://github.com/Exim/exim/blob/master/doc/doc-txt/experimental-spec.txt


Being able to check DMARC on inbound email is essential for the near future.

Adding the ability to send out your own reports to domains being used for spam would help.


Setting up DMARC on cPanel account creation is as follows:


DNS Functions -> Edit Zone Templates -> standardvirtualftp ->


_dmarc.%domain%. IN TXT "v=DMARC1; p=none; sp=none; adkim=r; aspf=r; rua=mailto:abuse@yourdomain.com; ruf=mailto:abuse@yourdomain.com; rf=afrf; pct=100; fo=1; ri=84600"


For this to work, you need to create a catch-all for the RUA and RUF emails.

This record needs to go into yourdomain.com zone.

*._report._dmarc.yourdomain.com IN TXT "v=DMARC1"


With the settings above it will use extremely relaxed rules so you can monitor the domain without setting restrictions. If you sign all your emails using DKIM and SPF is set up 100% then you can move the strings to reject/quarantine.


I highly recommend dmarcian.com for tools and RUA/RUF data processing. (non sponsored comment :P)
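
A checker for records like the ones in this thread, as an added example (not part of the comment above and not cPanel's code). It validates the tag list and derives the external-report authorization record, in the RFC 7489 form `<policy domain>._report._dmarc.<report host>`, that a wildcard like the one above covers; the domains are constructed placeholders and the same-organization test is a simplification.

```python
import re
POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,!]+@([A-Za-z0-9.-]+)(![0-9]+[kmgt]?)?", re.I)

def parse_tags(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.replace("\\;", ";").split(";"):  # zone files may escape ';'
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip(), value.strip()))
    return pairs

def lint_dmarc(policy_domain, txt):
    """Return (problems, external_auth_records) for one domain's DMARC record."""
    problems, auth_records = [], set()
    if not txt.isascii():
        problems.append("non-ASCII character in record (smart quote or zero-width space?)")
    pairs = parse_tags(txt)
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    for tag in ("p", "sp"):
        if (tag == "p" or tag in tags) and tags.get(tag) not in POLICIES:
            problems.append(f"{tag} must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            m = MAILTO.fullmatch(uri)
            if not m:
                problems.append(f"{tag}: {uri!r} is not a mailto: URI")
                continue
            dest = m.group(1).lower().rstrip(".")
            # Approximation: a real check compares Organizational Domains (Public Suffix List).
            same_org = (dest == policy_domain or dest.endswith("." + policy_domain)
                        or policy_domain.endswith("." + dest))
            if not same_org:
                auth_records.add(f"{policy_domain}._report._dmarc.{dest}")
    return problems, sorted(auth_records)

# Constructed sample records; example.com and hosting.example are placeholders.
GOOD = "v=DMARC1; p=none; rua=mailto:abuse@hosting.example; ruf=mailto:abuse@hosting.example; pct=100"
BAD = "v=DMARC1; p=monitor; rua=dmarc@example.com; pct=150"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(lint_dmarc("example.com", record))
```

Each name in the second list must resolve to a TXT record containing `v=DMARC1` in the report receiver's zone before receivers will send reports there.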

2

Having to manually add DMARC records to DNS is not ideal. A tool to handle base config alongside domain SPF/DKIM management would be a big help.

1

DMARC must be implemented by cPanel/WHM asap.

Google Moving Gmail to Strict DMARC Implementation


https://threatpost.com/google-moving-gmail-to-strict-dmarc-implementation/115125/

Kind regards

2

It would be nice to create an email such as dmarc@user.com just for reports when the record is created from cPanel.


So when we enable DMARC, for example, a record _dmarc.user.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@user.com" is created, and at the same time the email dmarc@user.com is created.

1

I agree this feature should be built-in, as Youssef B also posts Google is the first to move to strict DMARC usage. As a response to this news from Google we have moved all our users to DMARC by default creating the records in all DNS-zones with default address postmaster@domain.tld and also updated the DNS template files to use it when a new account is created.

A simple script could be used to put in a TXT record: _dmarc.%domain%. IN TXT "v=DMARC1; p=reject; aspf=r; rua=mailto:postmaster@%domain%"

However, not all accounts use postmaster@domain.tld and not all servers use the system account by default when unroutable email is sent. This raises the issue of creating an email account AND/OR searching for an email account to use, for example look for: postmaster, abuse, admin, webmaster. And if none of these accounts are found, create postmaster and a forwarder for abuse. All accounts should have postmaster and abuse (forwarder or not) anyway to be compliant with email systems these days.

1

I personally agree with this. It's more than a great idea, as the emails originating from DMARC can be forwarded to a user account, and a dashboard with DMARC report reviews can also add one of 100 best options.


It's gonna give huge benefits for shared hosting environments, as this will enable server admins to monitor and suspend any user generating spam emails from server resources or for any other measurements.

1

We have found both Google and Microsoft live.com are now blocking mails without DMARC records...


While we can add TXT records to DNS manually, a way to add these in bulk would be very useful and is urgently required.

1

While I believe DMARC will help, I don't believe that this is the reason for them to block your e-mails. If you own your IPs you should create an account on http://postmaster.live.com/snds/


Hotmail will then send you any complaints they get.


We do this and it's allowed us to make sure we have good delivery to hotmail. They allow up to 0,3% complaint rate, any more for a long period and your e-mails will go to spam or be blocked.

1

You can include the DMARC records in your zone template files, and if you want to apply it in bulk you can reset the domain (Reset a DNS Zone menu in WHM).


*Warning - this will reset the zone with default settings found in zone templates. I recommend setting all 3 zone template files to the same settings just in case.


This will also take effect when creating new accounts.


If you want to deal with DMARC you'll need a way to handle the providers (gmail / live) reports.

You can receive them on a normal email without any kind of processing or use a 3rd party like dmarcian.com

Also, most of the time you'll need to join the Junk Mail Partner Program with most providers, send them your IPs and sign a contract, but due to the new requirements the providers are doing it might not be necessary.


Regards,

1

DMARC records are becoming more and more important these days. It does not seem to be difficult to add a record manually, as it is just adding a DNS record, similar to SPF. An additional interface for Mail -> Authentication to help clients set up DMARC would be very helpful.

1

I just add _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@mydomain.com;" to my Zone Templates :)

1

Here are all the options in one line.


_dmarc.domain.tld. 3600 IN TXT "v=DMARC1\; p=none\; sp=none\; adkim=r\; aspf=r\; rua=mailto:rua@domain.tld\; ruf=mailto:ruf@domain.tld\; rf=afrf\; pct=100\; fo=1\; ri=3600"


This will force processing of 100% of mails and report back. This is the safest setting until you receive reports and process them properly. This is especially important if you use 3rd party providers and they masquerade as your domain. AKA Paypal / OpenSRS / Mandrill / Sendgrid etc.

1

Jon, are you saying that if we add that into the zone template, it will work and get set for all new accounts? Is there anything else needed to make it work? Do the rua@ and ruf@ emails need to be set up first?

1

Yes, those mail accounts receive reports. If you don't create these mail accounts first then depending on your settings (by default at least) they'll end up in your "catch-all" mail account which you can find on your cPanel mail page. You can view those mails by going to webmail and logging in with your cPanel username and password.


You can find more about setting up DMARC at: https://support.google.com/a/answer/2466563?hl=en and on the DMARC website.

1

Hmm, OK, thanks! Does the email for the rua and ruf record have to exist at that user's domain, or could I start with a default server email like postmaster@myserversname.com? I am planning to do a server migration and auto-creating 1000 bulk DMARC records during the transfer would be awesome! But I don't know how to auto-create the reporting email addresses (and I have catch-all turned off on most accounts by default, so I don't think that would work).

1

I have all of mine go to postmaster@mainserverdomain.com. This way I can monitor what is going on and then make changes to the config if needed.

1

I just wanted to point out that I have to add the record as just _dmarc, not _dmarc.mydomain.tld, or the DMARC inspectors do not recognize the record.
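
In a BIND-style zone file an owner name without a trailing dot is relative to the zone origin, which is consistent with the behaviour described in the comment above. The following added example (not from the thread; the zone lines are constructed) expands owner names and shows which record ends up where a DMARC lookup will find it.

```python
import re

DMARC_TXT = re.compile(r'\bTXT\s+"v=DMARC1', re.I)

def absolute_owner(owner, origin):
    """Expand a zone-file owner name relative to the zone origin."""
    origin = origin.rstrip(".").lower() + "."
    owner = owner.lower()
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner                # already fully qualified
    return f"{owner}.{origin}"      # relative name: the origin is appended

def find_dmarc(zone_lines, origin):
    """Return (owner_as_written, absolute_name, reachable) per DMARC TXT line."""
    expected = "_dmarc." + origin.rstrip(".").lower() + "."
    found = []
    for line in zone_lines:
        fields = line.split(None, 1)
        # Skip blanks, comments and lines that inherit the previous owner.
        if len(fields) < 2 or line[0].isspace() or line.startswith(";"):
            continue
        owner, rest = fields
        if DMARC_TXT.search(rest):
            name = absolute_owner(owner, origin)
            found.append((owner, name, name == expected))
    return found

# Constructed zone lines for the origin mydomain.tld.
ZONE = [
    '_dmarc                IN TXT "v=DMARC1; p=none"',
    '_dmarc.mydomain.tld   IN TXT "v=DMARC1; p=none"',   # missing trailing dot
    '_dmarc.mydomain.tld.  IN TXT "v=DMARC1; p=none"',
]

if __name__ == "__main__":
    for row in find_dmarc(ZONE, "mydomain.tld"):
        print(row)
```

The second line lands at `_dmarc.mydomain.tld.mydomain.tld.`, so a lookup of `_dmarc.mydomain.tld` never sees it.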

1

One quick tip for emails for doing DMARC. I have a global_aliases file which I suck in via exim.conf. In this file I have an alias set up for postmaster, abuse and the DMARC emails. All of these point to a server-wide email address that I can monitor.


I would also suggest checking out a service like dmarcian.com as a way to process all the data. You can use the global_aliases trick to send copies to the dmarcian service.

1

The template method is what I have been using on my dedicated server, however a page in cPanel would be helpful for people on shared hosting, so they would be able to configure their own records easily, and have less chance of messing them up. I see this often in both cPanel and Plesk when doing my day to day work.

1

Hey all! This is not yet on our roadmap. As soon as it is, or if we have any questions, I'll let everyone know!

1

Hello everyone! We have begun looking at this for feature development.

In the meantime, I do recommend checking out the article from our partner InMotion Hosting.

http://www.inmotionhosting.com/support/email/fighting-spam/dmarc-setup

I followed this guide and was able to get this working in about 3 minutes.

Please give us feedback about what a UI would look like that would help users establish their dmarc record.

1

You might look at the wizard here for some inspiration: http://www.kitterman.com/dmarc/assistant.html

3

This has now moved into active development! We're currently hoping to see this added to the new Zone Editor in version 64, but we're much too early in the process to be sure. I'll be back to let you all know when this enters a public EDGE build.

4

We've got the UI built out a bit. Take a look and let us know what you think!


1

Nice. Should have a ? by the Percentage with an explanation (I guess for most of them, that would be nice). For reporting interval, is it more useful to have seconds, minutes, or hours?

1

Agree with Dr. Z, some help bubbles would be really appreciated! But this is great, Benny!

2

Shouldn't DMARC be in the e-mail authentication section along with SPF and DKIM?

2

We're hoping to get this worked into the Email Authentication cPanel interface as well, but it's not on the roadmap yet. I've created a feature request to help track it: Add DMARC to the email authentication UI

2

Agreed, when setting up a new account, you can check "SPF" and "DKIM." There should, also, be a checkbox for "DMARC" along with a radio button for the action. Return email field could be optional.

1

We are planning to put it into there eventually. However this is our first effort into including it in the product.

1

Hi Travis, is there any possibility to specify a different MX by default (which is another cPanel server)?

We are running different cPanel servers for web and mail. We can use SPF but we lost the DKIM feature and I guess we'll miss DMARC as well.


Specifying an external default MX for the newly created account can be useful to auto set up SPF, DKIM and DMARC. Is this planned?

1

Look how https://dmarcian.com/ handles it. Also, is full DMARC being implemented (ruf and rua email reports)?

Will the stat reports be available too, or do we still have to use a third party for full DMARC? ("Full" meaning history stats are included - as the stats help VERY much with isolating consistent attempted abusers).

2

@rogerw


At this time we are just adding a way to get the record added to your DNS. We have used dmarcian as a reference a few times in getting our implementation figured out.


I'll get a short video posted in a few minutes so you all can see what we are doing for this first implementation.

1

This is a must and it's very easy to implement. It will also be a good idea to include a little paragraph explaining how to use it efficiently.

1

Good idea! Based on some comments I've read, I suspect that some people don't realize that DKIM and SPF need to be working before moving a domain to DMARC.

3

Hi All,


Here is a short video to show the functionality we are adding to the new Zone Editor for DMARC in cPanel & WHM version 64. https://vimeo.com/198357454


Please let me know if you have any questions.

1

Awesome progress, thanks team!

2

@Travis that's great, love the setup.

3

Travis, please incorporate an option to default on creation of DMARC, DKIM & SPF when adding an account. I think the option already exists for the latter two. The latter requires an option to enable DMARC for all, some and/or no existing accounts. Manually adding this to existing accounts on multiple servers one domain at a time would be very time consuming.

2

Looks great!

1

Travis, that looks awesome!!

1

Yes, loving this, it will be a real boon to have it.

2

This is now in public build on the EDGE tier!



Since it's been buried in the comments since, here's again the video that Travis whipped up for us: https://vimeo.com/198357454
