This is a mix of rant about DNS GUIs and notes on SPF, DKIM, DMARC and cPanel/WHM Email Deliverability (which didn’t make a very snappy title).
cPanel/WHM Email Deliverability
This is available both at the server level and for each individual account and domain. It tests DKIM, SPF and reverse DNS records, highlights problems and recommends solutions.
Let's do a quick simplified summary of what the relevant DNS text records are:
REVERSE DNS (PTR)
Reverse DNS is now commonly used by services such as Abusix to check the sending server really is who it says it is and block the email if not.
The PTR record looks up the host name from the IP address, and this should match the server name the server uses in the SMTP HELO. It needs to be set up by your hosting provider and is a PTR record of the form <ipaddress>.in-addr.arpa. (octets in reverse order) pointing to <host.domain.suffix>.
If you are setting up a server on AWS that needs to send email, one of the first things you should do is submit a Request to Remove Email Sending Limitations, including the Elastic IP address and the requested hostname, which should already have an A record associating it with that IP address.
Before sending restrictions are lifted you will also need to send Amazon:
* A clear/detailed use-case for sending mail from EC2.
* A statement of the security measures and mechanisms you will be implementing to avoid being implicated in the sending of unwanted mail (spam).
Additionally, check the rest of the settings on this page and your security first!
SPF
A Sender Policy Framework TXT record in DNS defines which servers are permitted to send email from the domain.
Email services will examine each email, checking the sending server against the email sending domain.
If the sending server does not match the list of servers authorised by the domain’s SPF record the email may be blocked or marked as junk/spam or receive a spam scoring.
A mix of IP addresses and domains is permitted in the text record, formatted like:
yourdomain.com. IN TXT v=spf1 mx a ptr ip4:22.214.171.124/32 include:mailserviceprovider.net ~all
As you add systems and services to your domain you need to add them to this list (e.g. Mailchimp, CRM provider, other email provider).
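To make the "checking the sending server against the SPF record" step concrete, here is a small SPF evaluator. It is an added example written for this post, not cPanel's or any library's code. DNS is replaced by a constructed in-memory table (FAKE_DNS, hypothetical names and documentation-range addresses) so it runs offline; the record for yourdomain.com is the one shown above. It handles the ip4/ip6/a/mx/include/all mechanisms and the four qualifiers, and deliberately treats ptr as a non-match; exists, redirect and the a/mx CIDR suffixes are left out.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS so the example runs offline.
# Names and addresses are hypothetical; the SPF text for yourdomain.com is
# the record shown in the section above.
FAKE_DNS = {
    "yourdomain.com": {
        "TXT": ["v=spf1 mx a ptr ip4:22.214.171.124/32 include:mailserviceprovider.net ~all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.yourdomain.com"],
    },
    "mail.yourdomain.com": {"A": ["203.0.113.25"]},
    "mailserviceprovider.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver: returns the records of the given type, or []."""
    return FAKE_DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])


def get_spf(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def _addrs(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def check_spf(domain, ip, depth=0):
    """Evaluate a sending IP against a domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Simplified on purpose: ip4/ip6/a/mx/include/all are handled; 'ptr' is
    treated as a non-match (RFC 7208 discourages it); 'exists', 'redirect'
    and CIDR suffixes on a/mx are not implemented.
    """
    if depth > 10:
        return "permerror"  # guard against include loops / excessive lookups
    record = get_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in _addrs(arg or domain)
        elif mech == "mx":
            matched = any(addr in _addrs(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: only a "pass" of the included record counts as a match
            matched = check_spf(arg, ip, depth + 1) == "pass"
        elif mech == "ptr":
            matched = False
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no 'all' term


if __name__ == "__main__":
    for sender in ("22.214.171.124", "203.0.113.25", "198.51.100.7", "192.0.2.1"):
        print(sender, "->", check_spf("yourdomain.com", sender))
```

Note the difference between the two records in the table: yourdomain.com ends in ~all, so an unlisted sender only gets a softfail (a spam-score hint), whereas mailserviceprovider.net ends in -all and produces a hard fail. That trailing term is the part of the record that decides what receivers are told to do with everyone you forgot to list.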
DKIM
DomainKeys Identified Mail adds a cryptographic signature to outgoing email. This is then verified using the public key found by querying the DNS TXT record, in the format:
default._domainkey.yourdomain.com. IN TXT v=DKIM1; k=rsa; p=your-public-key-value;
Specifically, the email header fields d=yourdomain.com and s=selector define that the DNS TXT record selector._domainkey.yourdomain.com. should hold the public key needed to verify the signature and validate the message.
If the signature cannot be verified, or the signed values do not match those in the message, the mail will similarly receive increased spam scores and may be blocked or marked as junk/spam.
(Multiple keys other than the default are supported to allow multiple services/servers to send mail for the domain, but cPanel is fairly fixed to the default key despite feature requests to support multiple keys. cPanel does support using the default key across multiple cPanel servers which helps. Config files can also be tweaked but care needs to be taken to avoid losing any such tweaks during updates.)
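The d= and s= lookup described above, followed by the sanity checks a verifier applies to the published record, as an added example (not cPanel's code or any DKIM library). The DKIM-Signature header value and the TXT record are constructed: the bh=/b= values are placeholders and the p= value is a short, syntactically valid base64 string rather than a real key. The block stops at "is the record usable"; the actual RSA signature verification is not performed.

```python
import base64
import re

# Constructed sample DKIM-Signature header value (not from a real message);
# bh= and b= are placeholders and are never verified here.
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=default; "
    "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=="
)

# Constructed stand-in for the TXT record a verifier would fetch; the p=
# value is valid base64 but not a real key.
SAMPLE_DNS_TXT = {
    "default._domainkey.yourdomain.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}


def parse_tags(value):
    """Parse an RFC 6376 tag=value list ('k=v; k2=v2;') into a dict.
    Whitespace inside values (folded long p= keys) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_lookup_name(header_value):
    """Build the TXT name to query from the d= and s= tags of a signature."""
    tags = parse_tags(header_value)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature lacks d= or s=")
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_dkim_record(txt_value, expected_alg="rsa-sha256"):
    """Return a list of problems with a published key record (empty if OK)."""
    problems = []
    tags = parse_tags(txt_value)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v tag is not DKIM1")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa
    if not expected_alg.startswith(key_type + "-"):
        problems.append(f"key type {key_type} does not match signature algorithm {expected_alg}")
    pub = tags.get("p")
    if pub is None:
        problems.append("p tag missing")
    elif pub == "":
        problems.append("p tag empty: key has been revoked")
    else:
        try:
            base64.b64decode(pub, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p tag is not valid base64")
    return problems


def verify_lookup(header_value, dns=SAMPLE_DNS_TXT):
    """Tie the steps together: header -> query name -> record -> sanity checks.
    Returns (query_name, list_of_problems)."""
    name = dkim_lookup_name(header_value)
    record = dns.get(name)
    if record is None:
        return name, ["no TXT record at " + name]
    alg = parse_tags(header_value).get("a", "rsa-sha256")
    return name, check_dkim_record(record, alg)


if __name__ == "__main__":
    print(verify_lookup(SAMPLE_DKIM_HEADER))
```

The empty-p case is worth keeping in mind when rotating keys: publishing p= with no value is the standard way to revoke a selector, so a verifier sees "revoked" rather than "missing", and the two should be reported differently.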
DMARC
The Domain-based Message Authentication, Reporting and Conformance TXT record defines how this domain wants suspicious messages to be handled (p=none means the policy is to allow delivery), where reports should be sent, which failure reporting options apply (fo) and the reporting interval (ri):
_dmarc.yourdomain.com. IN TXT v=DMARC1; p=none|quarantine|reject; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; sp=none; fo=s; ri=86400
Where DMARC is set, domain alignment is also checked and may fail even if SPF and DKIM are set correctly. Broadly speaking, this means the domain used in the From address should match the DKIM and SPF domains.
If a valid signature is present but belongs to a different domain (the d= tag differs from the From address domain), the validation result may be SPF=pass, DKIM=pass, DMARC=fail. All three should be set and pass to give good confidence that the email is genuine and maximum deliverability.
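The alignment rule is easier to see as code. The evaluator below is an added example (not from this post or any DMARC implementation): it takes the raw SPF and DKIM results plus the domains they were checked against, applies strict (s) or relaxed (r) alignment from the adkim/aspf tags, and maps the outcome to the p= disposition. The DMARC record is constructed, and the organizational-domain logic is a labelled simplification (last two labels) where real receivers consult the Public Suffix List.

```python
# Constructed DMARC record, in the form shown above.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; ri=86400"


def parse_tags(value):
    """Parse a 'k=v; k2=v2' tag list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Simplifying assumption for this example: the
    last two labels. Real implementations use the Public Suffix List, which
    is what makes example.co.uk come out right."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with alignment the way a receiver does.

    spf_domain is the MAIL FROM (envelope) domain SPF was evaluated against;
    dkim_domain is the d= tag of a signature that verified (None if none did).
    DMARC passes if at least one of the two passed AND is aligned with the
    RFC5322.From domain.
    """
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    policy = tags.get("p", "none")
    # p=none still delivers; quarantine/reject only apply to a DMARC failure
    disposition = "deliver" if verdict == "pass" or policy == "none" else policy
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": verdict, "disposition": disposition}


if __name__ == "__main__":
    # The scenario from the text: SPF and DKIM both pass, but for the
    # service provider's domain, so neither aligns with the From domain.
    print(dmarc_evaluate(SAMPLE_DMARC, "yourdomain.com",
                         "pass", "bounce.mailserviceprovider.net",
                         "pass", "mailserviceprovider.net"))
```

This is also why a third-party sender has to sign with your selector (d=yourdomain.com) or use a bounce domain under yourdomain.com: a perfectly valid signature for their own domain earns DKIM=pass and DMARC=fail at the same time.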
DNS User Interfaces
SPF record name must be entered as Name: @
DKIM record name must be entered as Name: default._domainkey
On uk2, the domain name is included in the TXT field Name, but with no trailing “.”, e.g.:
SPF record must be entered as Host name: @
DKIM record must be entered as Host name: default._domainkey and may be set to the initial Microsoft values, though Exchange itself now appears to be moving to round-robin selector1/selector2 keys.
Office 365 domains do not appear as a DNS zone in Azure at: https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones
Instead they can be found in a hidden corner of the Microsoft 365 admin center at:
For Exchange settings visit Office365 Admin Center, Exchange, Admin, Protection, dkim.
Everything on AWS has its own terminology: each domain is a Hosted Zone and each DNS entry is called a Record Set, so to add a TXT entry, Create Record Set.
AWS TXT values must be entered surrounded by quotes as eg “v=DKIM1; k=rsa;”
At first sight, the DKIM TXT record fails with the error “CharacterStringTooLong (Value is too long)”. This failure is actually correct according to DNS standards (a single character-string within a TXT record is limited to 255 octets); the trick is to split the key into two quoted strings, i.e. the TXT value is entered as “v=DKIM1; k=rsa; p=firstpartofkey” “secondpartofkey”.
The same applies on Google cloud though other interfaces are clearly managing this transparently.
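The split-and-quote step, and the concatenation a resolver performs on the other side, as an added example for this section (not Route 53 or Google Cloud code). The long DKIM record is constructed from repeated filler, not a real key. split_txt breaks a value into 255-octet character-strings, presentation renders them in the quoted form these editors accept, and join_txt reverses it the way SPF and DKIM verifiers do, so you can confirm nothing was lost at the boundary.

```python
MAX_CHARACTER_STRING = 255  # octets per <character-string> in TXT RDATA (RFC 1035)

# Constructed example: a DKIM record whose p= value is long enough to need
# more than one 255-octet string. The key bytes are filler, not a real key.
LONG_DKIM_TXT = "v=DKIM1; k=rsa; p=" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 12


def split_txt(value, limit=MAX_CHARACTER_STRING):
    """Break a TXT value into strings of at most `limit` octets each.
    SPF and DKIM records are ASCII, so characters and octets coincide; the
    check below keeps a multi-byte character from being cut in half."""
    if not value.isascii():
        raise ValueError("this example only handles ASCII TXT values")
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def presentation(strings):
    """Render the strings in zone-file form: each one double-quoted, with
    backslashes and embedded quotes escaped, separated by a space."""
    quoted = ['"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in strings]
    return " ".join(quoted)


def join_txt(zone_text):
    """Undo presentation() as a verifier does: the character-strings of one
    TXT record are concatenated with no separator (RFC 7208 and RFC 6376
    both specify this), so the split point does not matter."""
    out, i, n = [], 0, len(zone_text)
    while i < n:
        if zone_text[i] != '"':
            i += 1  # skip whitespace between strings
            continue
        i += 1
        buf = []
        while i < n and zone_text[i] != '"':
            if zone_text[i] == "\\" and i + 1 < n:
                i += 1  # escaped character: take the next one literally
            buf.append(zone_text[i])
            i += 1
        out.append("".join(buf))
        i += 1  # closing quote
    return "".join(out)


if __name__ == "__main__":
    parts = split_txt(LONG_DKIM_TXT)
    print(len(parts), "strings of lengths", [len(p) for p in parts])
    print(presentation(parts)[:80] + "...")
    print("round trip ok:", join_txt(presentation(parts)) == LONG_DKIM_TXT)
```

Because the receiver concatenates with no separator, the boundary must not fall where you would want a space: splitting "p=abc" "def" gives p=abcdef, which is what you want for a key, but a stray space inside the quotes would end up inside the base64.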
These guys could win prizes for impenetrable user experience, but at least once you know how to get around the interface, what you see is what you get, and there's a pretty neat PowerShell interface too.
Good articles on tools for investigating delivery issues here:
- Orange https://help.returnpath.com/hc/en-us/articles/115003087148-Orange-troubleshooting-support-information
- Earthlink https://support.earthlink.net/articles/email/email-blocked-by-earthlink.php