cPanel/WHM – Advanced DNS zone template tuning, $ip, MX, and best practices

3/8/2026 · 3 min · Infrastructure

During cPanel/WHM fine-tuning, one recurring task is reviewing default DNS zone templates. The goal is to ensure $ip is resolved correctly and remove inconsistencies between MX, A, and CNAME that often break email delivery.

This guide consolidates the most common errors I see in the field, the corrections I apply, and the baseline I use for professional, resilient DNS operations.

---

1. Where DNS zone templates live in cPanel

As root, templates are stored here:

cd /var/cpanel/zonetemplates/
ls -lah

Main files:

Edit the main template with:

nano /var/cpanel/zonetemplates/standard

Senior note: editing templates does not modify existing zones. For current domains, reset zone files from WHM or rebuild DNS configs according to your operational policy (for example, /scripts/rebuilddnsconfig).

---

2. $ip variable behavior

In templates, $ip drives automated record generation:

@     14400  IN  A   $ip
www   14400  IN  A   $ip
mail  14400  IN  A   $ip

cPanel replaces $ip using values from WHM → Basic WebHost Manager Setup.

If the account has a dedicated IP, cPanel resolves $ip to that specific IP, which preserves routing and reputation isolation.

---

3. Changing shared IP: what actually happens

Changing the main shared IP in WHM is high-impact. The real behavior is:

  Item                 Impact
  New accounts         Use the new IP immediately
  DNS templates        $ip points to the new address
  VirtualHosts         New web configs use the updated IP
  Existing accounts    Stay on the old IP until manual migration

A common mistake is assuming full auto-migration. It does not happen.

For full convergence, schedule a controlled change window:

  1. inventory legacy accounts;
  2. regenerate zones/vhosts as needed;
  3. validate DNS and SMTP end to end.

---

4. The MX/A/CNAME triangle of failure

This is where most N2/N3 (second- and third-line support) incidents start.

❌ Error 1: MX pointing to IP

MX must point to a hostname (FQDN), not an IP.

Wrong:

@ IN MX 10 192.0.2.10

Correct:

@ IN MX 10 mail.domain.tld.

❌ Error 2: MX target is a CNAME

This violates RFC 2181. In real-world delivery, MTAs like Gmail/Outlook may degrade trust or fail delivery attempts.

Operational rule: MX target must resolve directly to A/AAAA.

❌ Error 3: mail defined as CNAME

Defining mail IN CNAME domain.tld can look functional, but it is a weak design:

  1. it introduces an extra DNS hop;
  2. it increases fragility if the apex changes;
  3. it complicates troubleshooting during incidents.

---

5. Recommended professional structure

Clean production model:

@      IN  A     192.0.2.10
www    IN  A     192.0.2.10
mail   IN  A     192.0.2.10

@      IN  MX 10 mail.domain.tld.

Key points:

  1. no CNAME for mail service;
  2. direct DNS resolution;
  3. consistent MTA interoperability.
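As an added example (not part of the original post and not cPanel's own tooling), the following Python script parses a small constructed zone fragment in the layout used above and flags the three MX/A/CNAME errors from section 4; the sample records, the origin domain.tld and the function names are assumptions, and the same check can be run over a zone file exported from WHM.

```python
import ipaddress
# Constructed sample fragment (hypothetical records, not from any real zone) that
# contains all three errors from section 4, in the same layout as the templates above.
BROKEN_ZONE = """
@      14400  IN  A      192.0.2.10
mail   14400  IN  CNAME  domain.tld.
relay  14400  IN  CNAME  mail.domain.tld.
@      14400  IN  MX 10  192.0.2.10
@      14400  IN  MX 20  relay.domain.tld.
"""
def fqdn(name, origin):
    """Normalise an owner or target to a lowercase FQDN without the trailing dot."""
    if name == "@":
        return origin.lower()
    return (name[:-1] if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, origin):
    """Parse 'name [ttl] IN type rdata...' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()   # strip comments; blank lines yield []
        if len(parts) >= 4 and parts[1].isdigit():
            del parts[1]                     # optional TTL column
        if len(parts) >= 4 and parts[1].upper() == "IN":
            records.append((fqdn(parts[0], origin), parts[2].upper(), parts[3:]))
    return records

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value.rstrip("."))
        return True
    except ValueError:
        return False

def check_mail_records(text, origin):
    """Return findings for the three MX/A/CNAME errors; an empty list means the zone passes."""
    records = parse_zone(text, origin)
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        exchange = rdata[-1]                 # rdata is [preference, exchange]
        if is_ip_literal(exchange):
            findings.append(f"Error 1: MX for {owner} points to IP literal {exchange}")
        elif fqdn(exchange, origin) in cnames:
            findings.append(f"Error 2: MX target {fqdn(exchange, origin)} is a CNAME")
    if fqdn("mail", origin) in cnames:
        findings.append(f"Error 3: mail.{origin} is a CNAME; keep mail-flow hosts on A/AAAA")
    return findings
```

The section 5 model (A records for @ and mail, MX pointing at mail.domain.tld.) produces no findings, which is the acceptance criterion for a template change.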

---

6. “Hardened” cPanel template (SOP)

Baseline template for /var/cpanel/zonetemplates/standard:

$TTL 14400
@  86400  IN  SOA  ns1.domain.tld. root.domain.tld. (
        $serial
        3600
        1800
        1209600
        86400 )

@      14400  IN  NS    ns1.domain.tld.
@      14400  IN  NS    ns2.domain.tld.

@      14400  IN  A     $ip
www    14400  IN  A     $ip
mail   14400  IN  A     $ip
ftp    14400  IN  A     $ip

; --- Autodiscover convenience records ---
autoconfig   14400  IN  A     $ip
autodiscover 14400  IN  A     $ip

; --- Mail delivery ---
@      14400  IN  MX 10 mail.domain.tld.

; --- Anti-spoofing baseline ---
@      14400  IN  TXT "v=spf1 a mx ip4:$ip ~all"
_dmarc 14400  IN  TXT "v=DMARC1; p=none; aspf=r;"

Post-change validation:

dig @127.0.0.1 MX domain.tld +short
dig @127.0.0.1 A mail.domain.tld +short
dig @8.8.8.8 MX domain.tld +short
dig @1.1.1.1 MX domain.tld +short

Goal: consistency between local authoritative data and public resolvers.

---

7. Conclusion and golden rule

As sysadmins, our role is to reduce operational noise and prevent unnecessary support escalations.

Golden rule: if a record is part of the mail flow, keep it direct (A/AAAA). Using a CNAME in the mail path is a common source of latency, intermittent failures, and reputation damage.

This post is licensed under CC BY-NC.