DNS Zone templates and cpanel injecting wrong include in SPF Records

JIKOmetrix

Well-Known Member
Apr 3, 2007
260
54
178
Hello,

I have a new server set up with root zone templates and reseller zone templates. I have customized these templates to include an SPF and DMARC record in all zone templates. A quick review of the /var/cpanel/zonetemplates folder and the content of the zone templates shows:

%domain%. IN TXT "v=spf1 a mx include:_spf.spf-example-domain.net ~all"
_dmarc IN TXT "v=DMARC1; p=quarantine; sp=none; rf=afrf; pct=100; ri=86400"

Yet, when I create a new account with reseller I get:

SPF value of: v=spf1 +a +mx +ip4:51.222.43.204 include:gosecure.net +ip4:144.217.145.128 +include:_spf.spf-example-domain.net ~all
MX value of: Priority 10 email-protect.gosecure.net

1) Why is the SPF syntax being changed to prefix all entries with a '+'?

2) Why is it injecting include:gosecure.net into my SPF?

The problem with #2 is that include:gosecure.net is so large it breaks the SPF lookup, and nothing after the include:gosecure.net is used in the SPF.

Any thoughts on how to address 1 & 2?

Thanks,
Mike
 

JIKOmetrix

I opened a ticket for this issue. It turns out that cPanel has decided they know better what my SPF should be for any new account created, instead of using my settings in the /var/cpanel/zonetemplates folder set for root or resellers.

They issue this override with a Perl module /usr/local/cpanel/Cpanel/SPF.pm. Not only does it add the '+' to the front of entries in the SPF, it also creates an include for the MX host. I don't mind the '+' syntax as it is implied without it and adding it is explicit. However, assuming the MX host has an include is going too far. In my case this assumption breaks the user's SPF function for receiving servers due to the SPF being too long, and we do not want the MX host included, only the MX as authorized, as indicated in the SPF.

I'm waiting on help with an override to stop this action. IT NEVER DID THIS before some version update. It used to use my entries in the /var/cpanel/zonetemplates for SPF.
 

JIKOmetrix

I was wrong about the Perl module /usr/local/cpanel/Cpanel/SPF.pm.

There are multiple Perl modules involved. There is no subroutine for SPF includes; however, /usr/local/cpanel/Cpanel/SPF/Include.pm is used. When reviewing this module, it obtains the include based upon configured smarthosts.

We do use smart hosts, so we are getting closer to a fix here.
 

JIKOmetrix

I think the mystery is figured out.

Exim config -> Mail -> Autodiscovery SPF include hosts from the smarthost route list

This is on by default. I think turning this off will fix my issue.
 

JIKOmetrix

I can confirm this corrected my SPF include issue. It was related to the Exim config -> Mail -> Autodiscovery SPF include hosts from the smarthost route list.
 

JIKOmetrix

So two things.

1) Exim config -> Mail -> Autodiscovery SPF include hosts from the smarthost route list - Default is 'On'. Turn this off to stop cPanel from adding a smarthost include.

2) You can add your own include as needed by enabling 'SPF include hosts for all domains on this system' and putting in your SPF host there. This is used on all zones created.

Done and fixed.

Now to fix all of the accounts since this was turned on by default.
 

JIKOmetrix

Yeah, if the support guy had not mentioned smarthosts, it would have been a lot harder.
 
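Added example, not part of the thread and not cPanel code: a small auditor for the failure described above, where a large injected include exhausts the 10-lookup budget of RFC 7208 section 4.6.4 so that the terms after it are never evaluated. The `*.example` names and every TXT record in `SAMPLE_TXT` are constructed stand-ins for live DNS; only the record shapes follow the thread.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?")

# Constructed TXT records standing in for live DNS (names and sizes are illustrative).
POOLS = [f"pool{i}.smarthost.example" for i in range(1, 9)]
SAMPLE_TXT = {
    # Shape of the record after the smarthost include was injected.
    "injected.example": "v=spf1 +a +mx +ip4:192.0.2.10 include:smarthost.example "
                        "+ip4:192.0.2.11 +include:_spf.spf-example-domain.net ~all",
    # Shape of the zone template record.
    "template.example": "v=spf1 a mx include:_spf.spf-example-domain.net ~all",
    "smarthost.example": "v=spf1 " + " ".join(f"include:{p}" for p in POOLS) + " ~all",
    "_spf.spf-example-domain.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    **{p: "v=spf1 ip4:198.51.100.0/24 ~all" for p in POOLS},
}

class PermError(Exception):
    """Raised when an 11th DNS-querying term would be evaluated."""

def _eval(term, txt, used):
    name, target = TERM.match(term.lower()).groups()
    if name not in LOOKUP_TERMS:
        return used                      # ip4, ip6, all: no DNS query
    if used >= LIMIT:
        raise PermError(term)
    used += 1
    if name in ("include", "redirect"):  # nested records share the same budget
        for sub in txt[target].split()[1:]:
            used = _eval(sub, txt, used)
    return used

def audit(domain, txt=SAMPLE_TXT):
    """Walk the record left to right, as a receiver does when nothing matches early."""
    used, terms = 0, txt[domain].split()[1:]
    for i, term in enumerate(terms):
        try:
            used = _eval(term, txt, used)
        except PermError:
            return {"result": "permerror", "failed_in": term,
                    "never_evaluated": terms[i + 1:]}
    return {"result": "ok", "lookups": used, "never_evaluated": []}

if __name__ == "__main__":
    for d in ("injected.example", "template.example"):
        print(d, audit(d))
```

The model counts only the DNS-querying terms; it does not cover the separate void-lookup limit or the per-mx address lookups a real receiver also enforces.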