Problem with email deliverability on cPanel

Hello community, I’m sorry to bother you. In my cPanel I have my domain hosted - which works correctly - and a subdomain, which in the email deliverability section shows me two errors linked to DKIM and SPF.

The system informs me that it cannot make the necessary changes because they do not control the DNS, but they do show me which records I have to add with their respective names and values. I created those records in the DNS section of Cloudflare, and since then the subdomain has been down, it is as if the DNS were propagating, but it has been 2 days and there is still no news (it never takes so long, normally it takes just a couple of hours, tops).

Any idea what the problem could be? Thank you very much in advance!

Is it like mail.yourdomain.com? :thinking:

Kindly, go to the DNS tab of Cloudflare dashboard.
Make sure to double-check if you do have an A record mail pointed to your cPanel hosting IP address and is set to :grey: (DNS-only).
Furthermore, make sure you have an MX record example.com pointed to the mail.example.com (priority 10, TTL auto).
If not, kindly click the button “Add record”.
Select A for type, enter the name mail, paste the IP address from the cPanel hosting and make sure it’s :grey: (DNS only).
Next, select MX for type, enter example.com (replace with your real domain name), enter the value mail.exmaple.com (replace with real), priority 10 and TTL auto.
Click on Save.

If so, navigate to the “Email Deliverability” at cPanel for your domain.

If you see error like below:

Click on the button “Manage”.

Therefore, you’d get the SPF and DKIM values as an example like below:

slika

slika

You copy the name for each one by one.
Navigate to the DNS tab of Cloudflare dashboard.
Click the button “Add record”.
Select TXT for type, paste the name and paste the value for the DKIM.
Click on Save.
Repeat for the SPF.
Once both in place at Cloudflare, wait for 2-3 minutes.
Go back to the tab where your cPanel and return back to the screen of Email Deliverability.
Wait for a few seconds and in the top right corner if all good, you should receive the green information pop-up box saying Success.

I remember, cPanel sometimes doesn’t activate DKIM at all and it’s not a :white_check_mark: until it scans and figures it out on the “external DNS provider” (Cloudflare) that it’s existing one, until them it’s :warning: displayed :thinking:

If it’s recognized and correct, you’d get a blue notification at the top right corner of the cPanel saying that DKIM is enabled and active, therefore on the domain list under the “Email Deliverability” you’d have :white_check_mark: near your domain name.

Helpful article about managing DNS records at Cloudflare:

Nevertheless, you can also add A type for autoconfig and autodiscover. Good practice is also to add a SRV record, if it does exist.

Sometimes, it’s also possible to export the DNS records from cPanel and import them into the DNS of Cloudflare, which could speed-up things.

After all, if you’re still experiencing issue with email, please write back and write your domain name so we could double-check and provide feedback information and help you solve it :wink:

2 Likes

First of all, thank you very much for all the effort and time you spent responding to me, and for your kindness.

I just checked everything you said step by step and my settings meets all the parameters you recommend. Now, cPanel suggested adding these records:

DKIM
Name: default._domainkey.“subdomain”.“domain”.com.ar. (for privacy, I prefer to omit real names)

Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBC*****;

SPF
Name: “subdomain”.“domain”.com.ar.
Value: v=spf1 +mx +a +ip4:..17.65 ~all

The thing is that, when adding the record, Cloudflare changed the names. In the case of DKIM, it changed to default._domainkey.“subdomain”, and in the case of SPF it changed to “subdomain”, simply.

I don’t know if that’s normal or not, but it’s the only strange thing I found. Since I added those records, the website shows me the error “DNS_PROBE_FINISHED_NXDOMAIN”.

Finally, cPanel doesn’t allow me to save DNS records, the option seems to be disabled, so I will contact the hosting’s tech support to see if they can help me.

Again, thank you so much!

True.
The Cloudflare Team is aware of this and are working on the update to release it soon so we could recognize the DNS records since “the same stripped-out part” we might see for the almost identical records (for example main domain and sub-domain).

If you’ve added it, it’s there, despite we can see only the part of it at first glance.

At the DNS interface, for the DNS record, you would see the stripped-out part, as only subdomain instead of full length subdomain.domain.com.ar, or else default._domainkey without the sub.domain.com.ar part.

If you’ve added in in the meantime, I can double-check using curl and dig or online if the records exist.

Could be temporary due to the domain nameserver change.

Furthermore, could be you’re missing the A domain.com and/or A www DNS records pointed to your cPanel web hosting IP address where the content of your Website is located.

Without knowing the domain name, I cannot help further.

May I ask if you’ve made changes to the cPanel DNS, or rather DNS at Cloudflare dashboard? :thinking: Or there is some other issue as well on the cPanel?

2 Likes

Hello @fritex , how are you? Thank you very much for expanding your response, I will save this topic as a favorite to reread it in the future when needed. I’m the designer of the website, I was asked to update it from scratch. But the owner doesn’t want to expose his domain, that’s why I didn’t add the link here. What I did do is attach an image with the domain and subdomain, you can see it here:

Here you can see my DNS records too (the first one had to be set to DNS only because I couldn’t use my corporate emails through Microsoft Outlook, it showed me a credentials error all the time, and someone in this forum suggested to change that setting, which worked like a charm):

And here you can see on cPanel that both records were validated:

Yesterday I wanted to see what happened if I removed the two records (DKIM and SPF) from Cloudflare, and to my surprise, the website was back online in a second, so I can infer that one or both of the records were interfering. Or maybe, as you say, there is some missing record and adding these two creates a conflict, I don’t know. But it’s strange, everything seems to be correct.
There’s another error related to REVERSE DNS (PTR) on both, domain and subdomain. I tried to add the PTR records shown on cPanel but Cloudflare shows a name error. I asked to my hosting’s tech support and they told me not to pay attention to it.

As for the cPanel itself, I never changed the DNS there, only on Cloudflare. I don’t think there are any bugs.

Just in case, is there a way to make Cloudflare “read” my records again from scratch, just like it did when I first added the site? A few days ago when I noticed this problem, I deleted the site on Cloudflare and added it again, I thought it could help, but Cloudflare showed me the records I already had, with all the small changes I had made.

Thanks again for all your kindness, time and help!

Hi, thanks for feedback.

I’d suggest you to remove the asterix * (wildcard) DNS record.
Might cause some unnecessary issues as unfortunately has happened before to some customers due to the lack of understanding and usage / meaning of it in real-world application.

Add new records as follows:

  1. A mail pointed to the IP address where cPanel/web hosting is and make sure it’s unproxied :grey: (DNS-only).

    • your MX points to that particular mail.domain.com.ar - which from the above screenshot yet doesn’t exist.
    • I can see it as “exists” because of having the asterix * one
  2. A autoconfig pointed to the IP address where cPanel/web hosting is and make sure it’s unproxied :grey: (DNS-only).

  3. A autodiscover (despite the SRV autodiscover) pointed to the IP address where cPanel/web hosting is and make sure it’s unproxied :grey: (DNS-only).

  4. A cpcalendars pointed to the IP address where cPanel/web hosting is and make sure it’s unproxied :grey: (DNS-only).

  5. A cpcontacts pointed to the IP address where cPanel/web hosting is and make sure it’s unproxied :grey: (DNS-only).

  6. A webmail pointed to the IP address where cPanel/web hosting is and make sure it’s unproxied :grey: (DNS-only).

TXT records look good to go, however the TXT records for DKIM, SPF, DMARC and the ones with "path=/" are not good looking.
Should fix and make sure the values (content) is without double-quotes " (at start and at the end), which invalidates it and might be issue if the DKIM is “split” instead of “full” too.
Despite by default while checking with dig command they should return the value inside double-quotes (hopefully not in as duplicated “double-double quotes”).
SRV records are good.

To conclude:

  • TXT capacitacion for SPF - ok
  • TXT caldavs, caldav, carddavs, carddav - remove the double quotes, leave only path=/
  • TXT default._domainkey - remove the double quotes, re-check and copy-paste the “full key” from cPanel
  • TXT default._domainkey.capacitacion - ok
  • TXT domain.com.ar for SPF - remove the double quotes
  • TXT dmarc - remove the double quotes
2 Likes

Hi @fritex , thank you so much again for your message. Four days have passed since I added the site to Cloudflare and the subdomain is still down (DNS_PROBE_FINISHED_NXDOMAIN) so there’s definitely something wrong with my records. I will make all the changes your adviced tonight when I get home.
The wildcard was added automatically when we first added the site on Cloudflare. Later we found out that the client couldn’t login to his corporate accounts through Gmail or Microsoft Outlook, due to a credentials error (users and passwords were correct). So I asked in this forum and they suggested to change the setting from Proxied to DNS Only, and that fixed the problem.

I will let you know the results when I change the settings tonight, thank you very much!!

I don’t see A capacitacion DNS record at the screenshot on the provided Google Drive link :thinking:

Therefrom using dig the A capacitacion doesn’t resolve to any IP.

Kindly, double-check and re-add it on the DNS tab of Cloudflare dashboard pointed to your origin cPanel host/server.

Helpful article:

1 Like

Hello @fritex! First of all thank you very much for your help. I made all the changes you suggested for the DNS records, and both the domain and subdomain seem to work fine. I attached what the records look like now: https://drive.google.com/file/d/1Jg1410nCkyskz4JEX7feI9H2wD9JHGPP/view?usp=sharing

You know, the client told me that outgoing corporate emails ([email protected]) were arriving in the recipients’ spam folder, do you think it is because of the previous configuration? Hopefully that problem is also resolved. Again, I greatly appreciate all the help you have given me!

1 Like

Thank you for feedback information.

True, now it looks good and should be working as expected from now on.

I am happy to assist you :wink: :hugs:

Kindly, since this forums are public, please do consider the following to protect your Website from any possible missuse:

  1. Lock the sharing option for the Google Drive links.
  2. Or delete those shared Cloudflare Dashboard photos from the Google Drive.
  3. Or edit your replies here (click on the :pencil2: Pencil icon) and remove the links.

In the meantime, I’d also suggest you to try and send a test email and see the results over the MailTester service at the link from below:

1 Like

Thank you very much @fritex for your help! I did the test you suggested and it showed me these errors, but it doesn’t seem to be anything serious:

-0.1 | DKIM_INVALID | DKIM or DK signature exists, but is not valid

-0.1 | DKIM_SIGNED | Message has a DKIM or DK signature, not necessarily valid
**Esta regla se aplica automáticamente si tu email contiene una firma DKIM, pero otras reglas positivas también se agregarán si tu firma DKIM es válida. Ver a continuación.

-0.001 | SPF_HELO_NONE | SPF: HELO does not publish an SPF Record

I will block the images, thanks for the warning!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.