• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Plesk server in a cPanel farm

L

Littleboy

New Pleskian
Server operating system version
Debian 10.13
Plesk version and microupdate number
Plesk Obsidian 18.0.61 Update #6
Hi all.
I hope you can help me with this.

I have a cPanel solution farm, with different servers. DNSOnly servers from cPanel, Hosting servers with cPanel, and Plesk servers:

1. DNS Servers where created with nsx.domainname.com (only cPanel)

2. Hosting servers where created with hsx.domainname.com (cPanel and Plesk)



There is a cPanel hosting server with the donaminane.com DNS configured, as it is synchronized with NS1 and NS2 servers (nsx.domainname.com).

That hosting one is called hs1.domainname.com, and DNS are ns1.domainname.com and ns2.domainname.com (for privacy reasons, of course)


My hosting plesk server was created with a hostname hs2.domainname.com and it has only one domain name from a client working alone.
Everything seems to work fine. But, every single email from the server/system (not from the client domain) is marked as a possible spam.
As you can imagine, there is no domainname.com or hs2.domainname.com account created on that server.

Therefore, all the queries to hs3.domainname.com are just solved by DNS servers with an A record. But the server itself has not DNS info, no DKIM, no SPF, nothing. Just the hostname and IP.


I just need to know how should i configure that plesk server to create a DKIM and SPF to send safe and signed emails from the system.
Should i create a domain name called hs2.domainname.com in the Plesk server? What kind of configuration on DNS, because, DNS servers are the cPanel farm, and the domainname.com is hosted in another hosting server.

I assume that if i create that, the access through a browser "hs2.domainname.com:8443" won't work at all, at least, until i solve this redirection.
Please, note that the templates on the plesk server, or DNS zones are clean, no information is declared.



I would really appreciate someone to help me.
 
Hi there,

Littleboy said:
Everything seems to work fine. But, every single email from the server/system (not from the client domain) is marked as a possible spam.
As you can imagine, there is no domainname.com or hs2.domainname.com account created on that server.
Click to expand...
That fine, it's not necessary to have the host as domain in Plesk.

Littleboy said:
Therefore, all the queries to hs3.domainname.com are just solved by DNS servers with an A record. But the server itself has not DNS info, no DKIM, no SPF, nothing. Just the hostname and IP.
Click to expand...
Generally DKIM is not required. But having a SPF and DMARC record are recommended (and required by some providers). So make sure those records exists for hs3.domainname.com. Also make sure that you have rDNS setup correctly and pointing to hs3.domainname.com.
 
Hello,
First of all, thank you Kaspar.

I do not understand how can i configure the server to send system mails with DKIM, DMARC and SPF, because there is no place to do it.
I am not sure if you are suggesting to create DKIM, SPF and DMARC on hs1 (host server 1 who has domainname.com setup with DNS), and copy-paste on plesk afterwards.

Please, can you help me with the steps?
Otherwise, my solution is to deploy my clients on cPanel and close Plesk server.
 
Littleboy said:
I do not understand how can i configure the server to send system mails with DKIM, DMARC and SPF, because there is no place to do it.
Click to expand...
I think I need to emphasize that email messages aren't 'sent' with DMARC or SPF. These are authentication checks done at receiving side. However you do need to configure these for the sending domain. DKIM is done at the sending side. It adds an key to the email which can be validated by the receiving server. I wanted to point that to avoid any confusion. However DKIM isn't relevant in this case as the notification aren't signed with DKIM.

Littleboy said:
I am not sure if you are suggesting to create DKIM, SPF and DMARC on hs1 (host server 1 who has domainname.com setup with DNS), and copy-paste on plesk afterwards.
Click to expand...
On the DNS zone for domainname.com you create a TXT record for the hs3 host for both SPF and DMARC.

For SPF record you can use something like v=spf1 a -all. For the DMARC record you can use something like: v=DMARC1; p=none.

That's all there is to it.
 
Hi Kaspar,
Thank you for your explanations.

So, to be clear. Your suggestion is to:

SERVER HS1
Current SPF:
domainname.com 14400 TXT v=spf1 +mx +a -all (that is default SPF from cPanel domain creation)
Current DMARC:
_dmarc.domainname.com 14400 TXT v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]
Current A:
hs2.domainname.com 14400 A XX.XX.XX.XX


YOUR SUGGESTION: Add TXT on HS1
Custom SPF:
hs2.domainname.com 14400 TXT v=spf1 a -all
Custom DMARC:
_dmarc.hs2.domainname.com 14400 TXT v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]

After that, i was checking through online tools like DMARCIAN or MXTOOLBOX, and all of them agreed with this configuration.

However, i have my reasonable doubts about this, that maybe you can explain to me (for security reasons).
In your suggestion, you are using A label for SPF, but it is true that HS2 is not declared here. I mean, there must be only one server with hs2.domainname.com sending emails labeled or marked "from hs2.domainame.com". We do not want HS1 to mark or label those emails (at least, i do not want it, for identification reasons). That A label or value or modifier, seems to be that local IP can send emails. Maybe I should change this for "a:xx.xx.xx.xx" (where xx is the hs2 IP).
Please note that, there is no CNAME for hs2.domainname.com on HS1.

I don't know if i explained right my doubts.
I know, i should be an expert using SPF and DMARC, but I am not :(

And, the final question: (please, do not hate me)
Should I add something to PLESK server to make system emails properly signed according with this new DNS configuration. How can i check it?
 
Littleboy said:
So, to be clear. Your suggestion is to:

SERVER HS1
Current SPF:
domainname.com 14400 TXT v=spf1 +mx +a -all (that is default SPF from cPanel domain creation)
Current DMARC:
_dmarc.domainname.com 14400 TXT v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]
Current A:
hs2.domainname.com 14400 A XX.XX.XX.XX
Click to expand...
These SPF and DMARC records are for the domainname.com (second level) domain. Which, as far as any mail authentication protocol (like SPF and DMARC) is concerned, are unrelated to hs2.domainname.com subdomain. So they don't have any influence on mail sent from you Plesk server.

Littleboy said:
YOUR SUGGESTION: Add TXT on HS1
Custom SPF:
hs2.domainname.com 14400 TXT v=spf1 a -all
Custom DMARC:
_dmarc.hs2.domainname.com 14400 TXT v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]
Click to expand...
The DMARC policy seems a bit more complicated than it needs to be. But it's alright. To only note I have would be that the aspf=r part defines a relaxed alignment policy for SPF. I'd consider using a strict alignment policy for SPF (aspf=s).

Littleboy said:
However, i have my reasonable doubts about this, that maybe you can explain to me (for security reasons).
In your suggestion, you are using A label for SPF, but it is true that HS2 is not declared here. I mean, there must be only one server with hs2.domainname.com sending emails labeled or marked "from hs2.domainame.com". We do not want HS1 to mark or label those emails (at least, i do not want it, for identification reasons). That A label or value or modifier, seems to be that local IP can send emails. Maybe I should change this for "a:xx.xx.xx.xx" (where xx is the hs2 IP).
Please note that, there is no CNAME for hs2.domainname.com on HS1.
Click to expand...
The a qualifier in the SPF record would only allow mail from the IP address used for hs2.domainname.com (based on the DNS A type record for hs2.domainname.com). But you can used the ip4 qualifier instead if you like (ip4:123.123.123.123)

Littleboy said:
I don't know if i explained right my doubts.
I know, i should be an expert using SPF and DMARC, but I am not :(
Click to expand...
Don't sweat it. This a difficult topic and hard to grasp for most :)
A good resource that explains SPF pretty well (and I still frequently use myself) is: SPF record: Protect your domain reputation and email delivery

Littleboy said:
And, the final question: (please, do not hate me)
Click to expand...
I would never.

Littleboy said:
Should I add something to PLESK server to make system emails properly signed according with this new DNS configuration. How can i check it?
Click to expand...
Nope, nothing else you need to do. (That is, if I have understand your initial issue correctly. Which I hope I do).
 
You must log in or register to reply here.

Similar threads

N
Issue cPanel to Plesk migration problems
Replies
6
Views
855
Kaspar@Plesk
Kaspar@Plesk
G
Issue Help - with 2Servers / DNS
Replies
1
Views
227
scsa20
scsa20
L
Question Which domain mail server should I use ?
Replies
2
Views
305
LaurentR2D2
L
S
Issue Slow client download speeds for large files
Replies
19
Views
2K
NbzSys
N
E
Issue Several understanding errors in my postfix
Replies
4
Views
5K
estanis
E
Back
Top